Kategorie:Kryptografie/Best Practice: Unterschied zwischen den Versionen

Aus Foxwiki
Versionsgeschichte interaktiv durchsuchen
← Zum vorherigen Versionsunterschied
VisuellWikitext
Keine Bearbeitungszusammenfassung
Keine Bearbeitungszusammenfassung
 
(19 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
== Webservers ==
[[Kategorie:Kryptografie/Konzept]]
 
=== Apache ===
Note that any cipher suite starting with EECDH can be omitted, if in doubt. (Compared to the theory section, EECDH in Apache and ECDHE in OpenSSL are synonyms [[https://bettercrypto.org/#_footnotedef_4 4]])
 
==== Tested with Versions ====
* Apache 2.2.22, Debian Wheezy with OpenSSL 1.0.1e
* Apache 2.4.6, Debian Jessie with OpenSSL 1.0.1e
* Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k
* Apache 2.4.7, Ubuntu 14.04.2 Trusty with OpenSSL 1.0.1f
* Apache 2.4.6, CentOS Linux 7 (Core) with OpenSSL 1.0.1e
* Apache 2.4.18, Ubuntu 16.04.3 LTS with OpenSSL 1.0.2g
 
==== Settings ====
Enabled modules <tt>SSL</tt> and <tt>Headers</tt> are required.
Listing 1. SSL configuration for an Apache vhost
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<nowiki>#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt</nowiki>
<nowiki>#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt</nowiki>
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
Header always set Strict-Transport-Security "max-age=15768000"
<nowiki># Strict-Transport-Security: "max-age=15768000 ; includeSubDomains" </nowiki>
Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Add six earth month HSTS header for all users…​
|- style="border:none;padding:0.049cm;"
||
|| If you want to protect all subdomains, use the following header. ALL subdomains HAVE TO support HTTPS if you use this!
|- style="border:none;padding:0.049cm;"
||
|| CALL subdomains HAVE TO support HTTPS if you use this! At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
|-
|}
 
==== Additional settings ====
You might want to redirect everything to <tt>https://</tt> if possible. In Apache you can do this with the following setting inside of a VirtualHost environment:
Listing 2. https auto-redirect vhost
<VirtualHost *:80>
    Redirect permanent / https://SERVER_NAME/
</VirtualHost>
 
==== References ====
[https://httpd.apache.org/docs/2.4/ssl/ Apache2 Docs on SSL and TLS]
 
==== How to test ====
See appendix [https://bettercrypto.org/#tools Tools]
 
=== lighttpd ===
 
==== Tested with Versions ====
* lighttpd/1.4.31-4 with OpenSSL 1.0.1e on Debian Wheezy
* lighttpd/1.4.33 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
* lighttpd/1.4.28-2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
* lighttpd/1.4.31, Ubuntu 14.04.2 Trusty with Openssl 1.0.1f
 
==== Settings ====
Listing 3. SSL configuration for lighttpd
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.ca-file = "/etc/ssl/certs/server.crt"
    ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
    ssl.honor-cipher-order = "enable"
    setenv.add-response-header  <nowiki>= ( "Strict-Transport-Security" => "max-age=15768000") # six months</nowiki>
    <nowiki># use this only if all subdomains support HTTPS!</nowiki>
    <nowiki># setenv.add-response-header </nowiki> <nowiki>= ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")</nowiki>
}
Starting with lighttpd version 1.4.29 Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols are supported. By default, elliptic curve "prime256v1" (also "secp256r1") will be used, if no other is given. To select special curves, it is possible to set them using the configuration options <tt>ssl.dh-file</tt> and <tt>ssl.ec-curve</tt>.
Listing 4. SSL EC/DH configuration for lighttpd
<nowiki># use group16 dh parameters</nowiki>
ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
ssl.ec-curve = "secp384r1"
Please read section [https://bettercrypto.org/#dh A note on Diffie Hellman Key Exchanges] for more information on Diffie Hellman key exchange and elliptic curves.
 
==== Additional settings ====
As for any other webserver, you might want to automatically redirect <tt>http://</tt> traffic toward <tt>https://</tt>. It is also recommended to set the environment variable <tt>HTTPS</tt>, so the PHP applications run by the webserver can easily detect that HTTPS is in use.
Listing 5. https auto-redirect configuration
$HTTP["scheme"] == "http" {
    <nowiki># capture vhost name with regex condition -> %0 in redirect pattern</nowiki>
    <nowiki># must be the most inner block to the redirect rule</nowiki>
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
    <nowiki># Set the environment variable properly</nowiki>
    setenv.add-environment = (
        "HTTPS" => "on"
    )
}
 
==== Additional information ====
The config option <tt>honor-cipher-order</tt> is available since 1.4.30, the supported ciphers depend on the used OpenSSL-version (at runtime). ECDHE has to be available in OpenSSL at compile-time, which should be default. SSL compression should by deactivated by default at compile-time (if not, it’s active).
Support for other SSL-libraries like GnuTLS will be available in the upcoming 2.x branch, which is currently under development.
 
==== References ====
* [https://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps How to redirect HTTP requests to HTTPS]
* [https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL Lighttpd Docs: Secure HTTP]
* [https://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_30 Release 1.4.30 (How to mitigate BEAST attack)]
* [https://redmine.lighttpd.net/issues/2445 Lightpd issue: SSL Compression disabled by default]
 
==== How to test ====
See appendix [https://bettercrypto.org/#tools Tools]
 
=== nginx ===
 
==== Tested with Version ====
* 1.4.4 with OpenSSL 1.0.1e on OS X Server 10.8.5
* 1.2.1-2.2+wheezy2 with OpenSSL 1.0.1e on Debian Wheezy
* 1.4.4 with OpenSSL 1.0.1e on Debian Wheezy
* 1.2.1-2.2&nbsp;bpo60+2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
* 1.4.6 with OpenSSL 1.0.1f on Ubuntu 14.04.2 LTS
 
==== Settings ====
Listing 6. SSL settings for nginx
ssl on;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security "max-age=15768000"; # six months
<nowiki># add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; </nowiki>
 
{| style="border-spacing:0;width:8.618cm;"
|- style="border:none;padding:0.049cm;"
||
|| Use this only if all subdomains support HTTPS!
|-
|}
If you absolutely want to specify your own DH parameters, you can specify them via
ssl_dhparam file;
However, we advise you to read section [https://bettercrypto.org/#dh A note on Diffie Hellman Key Exchanges] and stay with the standard IKE/IETF parameters (as long as they are >1024 bits).
 
==== Additional settings ====
If you decide to trust NIST’s ECC curve recommendation, you can add the following line to nginx’s configuration file to select special curves:
Listing 7. SSL EC/DH settings for nginx
ssl_ecdh_curve secp384r1;
You might want to redirect everything to <tt>https://</tt> if possible. In Nginx you can do this with the following setting:
Listing 8. https auto-redirect in nginx
return 301 https://$server_name$request_uri;
The variable <tt>$server_name</tt> refers to the first <tt>server_name</tt> entry in your config file. If you specify more than one <tt>server_name</tt> only the first will be taken. Please be sure to not use the <tt>$host</tt> variable here because it contains data controlled by the user.
 
==== References ====
* [https://nginx.org/en/docs/http/ngx_http_ssl_module.html Module ngx_http_ssl_module]
* [https://nginx.org/en/docs/http/configuring_https_servers.html Configuring HTTPS servers]
 
==== How to test ====
See appendix [https://bettercrypto.org/#tools Tools]
 
=== Cherokee ===
 
==== Tested with Version ====
* Cherokee/1.2.104 on Debian Wheezy with OpenSSL 1.0.1e 11 Feb 2013
 
==== Settings ====
The configuration of the cherokee webserver is performed by an admin interface available via the web. It then writes the configuration to <tt>/etc/cherokee/cherokee.conf</tt>, the important lines of such a configuration file can be found at the end of this section.* General Settings
** Network
*** ''SSL/TLS back-end'': <tt>OpenSSL/libssl</tt>
** Ports to listen
*** Port: 443, TLS: TLS/SSL port
* Virtual Servers, For each vServer on tab ''Security'':
** ''Required SSL/TLS Values'': Fill in the correct paths for ''Certificate'' and ''Certificate key''
* Advanced Options
** ''Ciphers'':<br/>EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
*** ''Server Preference'': Prefer
*** ''Compression'': Disabled
* Advanced: TLS
** SSL version 2 and SSL version 3: No
** TLS version 1, TLS version 1.1 and TLS version 1.2: Yes
 
==== Additional settings ====
For each vServer on the Security tab it is possible to set the Diffie Hellman length to up to 4096 bits. We recommend to use >1024 bits. More information about Diffie-Hellman and which curves are recommended can be found in section [https://bettercrypto.org/#dh A note on Diffie Hellman Key Exchanges].
In Advanced: TLS it is possible to set the path to a Diffie Hellman parameters file for 512, 1024, 2048 and 4096 bits.
HSTS can be configured on host-basis in section ''vServers'' / ''Security'' / ''HTTP Strict Transport Security (HSTS)'':* ''Enable HSTS'': Accept
* ''HSTS Max-Age'': 15768000
* ''Include Subdomains'': depends on your setup
To redirect HTTP to HTTPS, configure a new rule per Virtual Server in the ''Behavior'' tab. The rule is ''SSL/TLS'' combined with a ''NOT'' operator. As ''Handler'' define ''Redirection'' and use <tt>/(.*)$</tt> as ''Regular Expression'' and <tt>+https://$\{host}/$1+</tt> as ''Substitution''.
Listing 9. SSL configuration for cherokee
server!bind!2!port = 443
server!bind!2!tls = 1
server!tls = libssl
vserver!1!hsts = 1
vserver!1!hsts!max_age = 15768000
vserver!1!hsts!subdomains = 1
vserver!1!rule!5!handler = redir
vserver!1!rule!5!handler!rewrite!10!regex = /(.*)$
vserver!1!rule!5!handler!rewrite!10!show = 1
vserver!1!rule!5!handler!rewrite!10!substring = https://${host}/$1
vserver!1!rule!5!handler!type = just_about
vserver!1!rule!5!match = not
vserver!1!rule!5!match!right = tls
vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
vserver!1!ssl_cipher_server_preference = 1
vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
vserver!1!ssl_compression = 0
vserver!1!ssl_dh_length = 2048
 
==== References ====
* [http://cherokee-project.com/doc/cookbook_ssl.html Cookbook: SSL, TLS and certificates]
* [http://cherokee-project.com/doc/cookbook_http_to_https.html Cookbook: Redirecting all traffic from HTTP to HTTPS]
 
==== How to test ====
See appendix [https://bettercrypto.org/#tools Tools]
 
=== MS IIS ===
To configure SSL/TLS on Windows Server [https://www.nartac.com/Products/IISCrypto/ IIS Crypto] can be used.&nbsp;Simply start the Programm, no installation required. The tool changes the registry keys described below. A restart is required for the changes to take effect.
[[Image:Bild2.png|top|alt="IIS Crypto Tool"]]
Instead of using the IIS Crypto Tool the configuration can be set using the Windows Registry. The following Registry keys apply to the newer Versions of Windows (Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2). For detailed information about the older versions see the Microsoft knowledgebase article [https://support.microsoft.com/en-us/help/245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll].
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
 
==== Tested with Version ====
* Windows Server 2008
* Windows Server 2008 R2
* Windows Server 2012
* Windows Server 2012 R2
* Windows Vista and Internet Explorer 7 and upwards
* Windows 7 and Internet Explorer 8 and upwards
* Windows 8 and Internet Explorer 10 and upwards
* Windows 8.1 and Internet Explorer 11
 
==== Settings ====
When trying to avoid RC4 (RC4 biases) as well as CBC (BEAST-Attack) by using GCM and to support perfect forward secrecy, Microsoft SChannel (SSL/TLS, Auth,.. Stack) supports ECDSA but lacks support for RSA signatures (see [https://safecurves.cr.yp.to/rigid.html ECC suite B doubts]).
Since one is stuck with ECDSA, an elliptic curve certificate needs to be used.
The configuration of cipher suites MS IIS will use, can be configured in one of the following ways:# Group Policy: [https://docs.microsoft.com/de-de/windows/desktop/SecAuthN/prioritizing-schannel-cipher-suites Prioritizing Schannel Cipher Suites]
# Registry: [https://support.microsoft.com/en-us/help/245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll]
# [https://www.nartac.com/Products/IISCrypto/ IIS Crypto]
# Powershell
Table&nbsp;[https://bettercrypto.org/#MS_IIS_Client_Support Client support] shows the process of turning on one algorithm after another and the effect on the supported clients tested using [https://www.ssllabs.com/ https://www.ssllabs.com].
<tt>SSL 3.0</tt>, <tt>SSL 2.0</tt> and <tt>MD5</tt> are turned off. <tt>TLS 1.0</tt> and <tt>TLS 1.2</tt> are turned on.
Table 1. Client support
 
{| style="border-spacing:0;width:16.251cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Cipher Suite
! align=center| Client
|- style="border:none;padding:0.049cm;"
|| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256+
|| only IE 10,11, OpenSSL 1.0.1e
|- style="border:none;padding:0.049cm;"
|| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256+
|| Chrome 30, Opera 17, Safari 6+
|- style="border:none;padding:0.049cm;"
|| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA+
|| FF 10-24, IE 8+, Safari 5, Java 7
|-
|}
Table&nbsp;[https://bettercrypto.org/#MS_IIS_Client_Support Client support] shows the algorithms from strongest to weakest and why they need to be added in this order. For example insisting on SHA-2 algorithms (only first two lines) would eliminate all versions of Firefox, so the last line is needed to support this browser, but should be placed at the bottom, so capable browsers will choose the stronger SHA-2 algorithms.
<tt>TLS_RSA_WITH_RC4_128_SHA</tt> or equivalent should also be added if MS Terminal Server Connection is used (make sure to use this only in a trusted environment). This suite will not be used for SSL, since we do not use a RSA Key.
Clients not supported:# Java 6
# WinXP
# Bing
 
==== Additional settings ====
It’s recommended to use ´Strict-Transport-Security: max-age=15768000` for detailed information visit the [https://docs.microsoft.com/en-us/iis/configuration/system.webServer/httpProtocol/customHeaders/ Microsoft knowledgebase article in custom Headers].
You might want to redirect everything to http'''s''':// if possible. In IIS you can do this with the following setting by Powershell:
Set-WebConfiguration -Location "$WebSiteName/$WebApplicationName" `
    -Filter 'system.webserver/security/access' `
    -Value "SslRequireCert"
 
==== Justification for special settings (if needed) ====
 
==== References ====
* [https://support.microsoft.com/en-us/help/245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll]
* [https://support.microsoft.com/en-us/help/187498 How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services]
 
==== How to test ====
See appendix [https://bettercrypto.org/#tools Tools]
 
== SSH ==
This section documents the Secure Shell (SSH) protocol. SSH is used to remotely manage computer systems, secururly transfer files over untrusted networks and to create "ad-hoc" virtual-private networks.
SSH is defined by the following Internet Standards (RFCs):
Table 2. SSH Standards
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
! align=center| RFC
! align=center| Title
! align=center| Link
|- style="border:none;padding:0.049cm;"
|| '''4251'''
|| The Secure Shell (SSH) Protocol Architecture
|| [https://tools.ietf.org/html/rfc4251 https://tools.ietf.org/html/rfc4251]
|- style="border:none;padding:0.049cm;"
|| '''4252'''
|| The Secure Shell (SSH) Authentication Protocol
|| [https://tools.ietf.org/html/rfc4252 https://tools.ietf.org/html/rfc4252]
|- style="border:none;padding:0.049cm;"
|| '''4253'''
|| The Secure Shell (SSH) Transport Layer Protocol
|| [https://tools.ietf.org/html/rfc4253 https://tools.ietf.org/html/rfc4253]
|- style="border:none;padding:0.049cm;"
|| '''6668'''
|| SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol
|| [https://tools.ietf.org/html/rfc6668 https://tools.ietf.org/html/rfc6668]
|- style="border:none;padding:0.049cm;"
|| '''8268'''
|| More Modular Exponentiation (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH)
|| [https://tools.ietf.org/html/rfc8268 https://tools.ietf.org/html/rfc8268]
|- style="border:none;padding:0.049cm;"
|| '''8308'''
|| Extension Negotiation in the Secure Shell (SSH) Protocol
|| [https://tools.ietf.org/html/rfc8308 https://tools.ietf.org/html/rfc8308]
|- style="border:none;padding:0.049cm;"
|| '''8332'''
|| Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol
|| [https://tools.ietf.org/html/rfc8332 https://tools.ietf.org/html/rfc8332]
|-
|}
 
=== OpenSSH ===
[https://www.openssh.com/ OpenSSH] is the most popular implementation of the SSH protocol. It is maintained by the [https://openbsd.org/ OpenBSD] project and portable versions are disitributed with many unix-like operating-systems and Windows Server.
 
==== Tested with Version ====
* OpenSSH 6.6p1 (Gentoo)
* OpenSSH 6.6p1-2 on Ubuntu 14.04.2 LTS
* OpenSSH 7.2p2 on Ubuntu 16.04.3 LTS
 
==== Settings ====
Listing 10. Important OpenSSH 6.6 security settings
<nowiki># Package generated configuration file</nowiki>
<nowiki># See the sshd_config(5) manpage for details</nowiki>
<nowiki># What ports, IPs and protocols we listen for</nowiki>
Port 22
<nowiki># Use these options to restrict which interfaces/protocols sshd will bind to</nowiki>
<nowiki>#ListenAddress ::</nowiki>
<nowiki>#ListenAddress 0.0.0.0</nowiki>
Protocol 2
<nowiki># HostKeys for protocol version 2</nowiki>
HostKey /etc/ssh/ssh_host_rsa_key
<nowiki>#HostKey /etc/ssh/ssh_host_dsa_key</nowiki>
<nowiki>#HostKey /etc/ssh/ssh_host_ecdsa_key</nowiki>
HostKey /etc/ssh/ssh_host_ed25519_key
<nowiki>#Privilege Separation is turned on for security</nowiki>
UsePrivilegeSeparation yes
<nowiki># Lifetime and size of ephemeral version 1 server key</nowiki>
KeyRegenerationInterval 3600
ServerKeyBits 1024
<nowiki># Logging</nowiki>
SyslogFacility AUTH
LogLevel INFO
<nowiki># Authentication:</nowiki>
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
<nowiki>#AuthorizedKeysFile </nowiki>    %h/.ssh/authorized_keys
<nowiki># Don't read the user's ~/.rhosts and ~/.shosts files</nowiki>
IgnoreRhosts yes
<nowiki># For this to work you will also need host keys in /etc/ssh_known_hosts</nowiki>
RhostsRSAAuthentication no
<nowiki># similar for protocol version 2</nowiki>
HostbasedAuthentication no
<nowiki># Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication</nowiki>
<nowiki>#IgnoreUserKnownHosts yes</nowiki>
<nowiki># To enable empty passwords, change to yes (NOT RECOMMENDED)</nowiki>
PermitEmptyPasswords no
<nowiki># Change to yes to enable challenge-response passwords (beware issues with</nowiki>
<nowiki># some PAM modules and threads)</nowiki>
ChallengeResponseAuthentication no
<nowiki># Change to no to disable tunnelled clear text passwords</nowiki>
<nowiki>#PasswordAuthentication yes</nowiki>
<nowiki># Kerberos options</nowiki>
<nowiki>#KerberosAuthentication no</nowiki>
<nowiki>#KerberosGetAFSToken no</nowiki>
<nowiki>#KerberosOrLocalPasswd yes</nowiki>
<nowiki>#KerberosTicketCleanup yes</nowiki>
<nowiki># GSSAPI options</nowiki>
<nowiki>#GSSAPIAuthentication no</nowiki>
<nowiki>#GSSAPICleanupCredentials yes</nowiki>
<nowiki># Cipher selection</nowiki>
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
<nowiki>#UseLogin no</nowiki>
<nowiki>#MaxStartups 10:30:60</nowiki>
<nowiki>#Banner /etc/issue.net</nowiki>
<nowiki># Allow client to pass locale environment variables</nowiki>
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
<nowiki># Set this to 'yes' to enable PAM authentication, account processing,</nowiki>
<nowiki># and session processing. If this is enabled, PAM authentication will</nowiki>
<nowiki># be allowed through the ChallengeResponseAuthentication and</nowiki>
<nowiki># PasswordAuthentication. </nowiki> Depending on your PAM configuration,
<nowiki># PAM authentication via ChallengeResponseAuthentication may bypass</nowiki>
<nowiki># the setting of "PermitRootLogin without-password".</nowiki>
<nowiki># If you just want the PAM account and session checks to run without</nowiki>
<nowiki># PAM authentication, then enable this but set PasswordAuthentication</nowiki>
<nowiki># and ChallengeResponseAuthentication to 'no'.</nowiki>
UsePAM yes
 
{| style="border-spacing:0;width:7.874cm;"
|- style="border:none;padding:0.049cm;"
||
|| Curve25519
OpenSSH 6.6p1 now supports Curve25519.
|-
|}
 
==== Tested with Version ====
* OpenSSH 6.5 (Debian Jessie)
 
==== Settings ====
Listing 11. Important OpenSSH 6.5 security settings
<nowiki># Package generated configuration file</nowiki>
<nowiki># See the sshd_config(5) manpage for details</nowiki>
<nowiki># What ports, IPs and protocols we listen for</nowiki>
Port 22
<nowiki># Use these options to restrict which interfaces/protocols sshd will bind to</nowiki>
<nowiki>#ListenAddress ::</nowiki>
<nowiki>#ListenAddress 0.0.0.0</nowiki>
Protocol 2
<nowiki># HostKeys for protocol version 2</nowiki>
HostKey /etc/ssh/ssh_host_rsa_key
<nowiki>#HostKey /etc/ssh/ssh_host_dsa_key</nowiki>
<nowiki>#HostKey /etc/ssh/ssh_host_ecdsa_key</nowiki>
HostKey /etc/ssh/ssh_host_ed25519_key
<nowiki>#Privilege Separation is turned on for security</nowiki>
UsePrivilegeSeparation yes
<nowiki># Lifetime and size of ephemeral version 1 server key</nowiki>
KeyRegenerationInterval 3600
ServerKeyBits 1024
<nowiki># Logging</nowiki>
SyslogFacility AUTH
LogLevel INFO
<nowiki># Authentication:</nowiki>
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
<nowiki>#AuthorizedKeysFile </nowiki>    %h/.ssh/authorized_keys
<nowiki># Don't read the user's ~/.rhosts and ~/.shosts files</nowiki>
IgnoreRhosts yes
<nowiki># For this to work you will also need host keys in /etc/ssh_known_hosts</nowiki>
RhostsRSAAuthentication no
<nowiki># similar for protocol version 2</nowiki>
HostbasedAuthentication no
<nowiki># Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication</nowiki>
<nowiki>#IgnoreUserKnownHosts yes</nowiki>
<nowiki># To enable empty passwords, change to yes (NOT RECOMMENDED)</nowiki>
PermitEmptyPasswords no
<nowiki># Change to yes to enable challenge-response passwords (beware issues with</nowiki>
<nowiki># some PAM modules and threads)</nowiki>
ChallengeResponseAuthentication no
<nowiki># Change to no to disable tunnelled clear text passwords</nowiki>
<nowiki>#PasswordAuthentication yes</nowiki>
<nowiki># Kerberos options</nowiki>
<nowiki>#KerberosAuthentication no</nowiki>
<nowiki>#KerberosGetAFSToken no</nowiki>
<nowiki>#KerberosOrLocalPasswd yes</nowiki>
<nowiki>#KerberosTicketCleanup yes</nowiki>
<nowiki># GSSAPI options</nowiki>
<nowiki>#GSSAPIAuthentication no</nowiki>
<nowiki>#GSSAPICleanupCredentials yes</nowiki>
<nowiki># Cipher selection</nowiki>
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
<nowiki>#UseLogin no</nowiki>
<nowiki>#MaxStartups 10:30:60</nowiki>
<nowiki>#Banner /etc/issue.net</nowiki>
<nowiki># Allow client to pass locale environment variables</nowiki>
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
<nowiki># Set this to 'yes' to enable PAM authentication, account processing,</nowiki>
<nowiki># and session processing. If this is enabled, PAM authentication will</nowiki>
<nowiki># be allowed through the ChallengeResponseAuthentication and</nowiki>
<nowiki># PasswordAuthentication. </nowiki> Depending on your PAM configuration,
<nowiki># PAM authentication via ChallengeResponseAuthentication may bypass</nowiki>
<nowiki># the setting of "PermitRootLogin without-password".</nowiki>
<nowiki># If you just want the PAM account and session checks to run without</nowiki>
<nowiki># PAM authentication, then enable this but set PasswordAuthentication</nowiki>
<nowiki># and ChallengeResponseAuthentication to 'no'.</nowiki>
UsePAM yes
 
==== Tested with Version ====
* OpenSSH 6.0p1 (Debian wheezy)
 
==== Settings ====
Listing 12. Important OpenSSH 6.0 security settings
<nowiki># Package generated configuration file</nowiki>
<nowiki># See the sshd_config(5) manpage for details</nowiki>
<nowiki># What ports, IPs and protocols we listen for</nowiki>
Port 22
<nowiki># Use these options to restrict which interfaces/protocols sshd will bind to</nowiki>
<nowiki>#ListenAddress ::</nowiki>
<nowiki>#ListenAddress 0.0.0.0</nowiki>
Protocol 2
<nowiki># HostKeys for protocol version 2</nowiki>
HostKey /etc/ssh/ssh_host_rsa_key
<nowiki>#HostKey /etc/ssh/ssh_host_dsa_key</nowiki>
<nowiki>#HostKey /etc/ssh/ssh_host_ecdsa_key</nowiki>
<nowiki>#Privilege Separation is turned on for security</nowiki>
UsePrivilegeSeparation yes
<nowiki># Lifetime and size of ephemeral version 1 server key</nowiki>
KeyRegenerationInterval 3600
ServerKeyBits 768
<nowiki># Logging</nowiki>
SyslogFacility AUTH
LogLevel INFO
<nowiki># Authentication:</nowiki>
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
<nowiki>#AuthorizedKeysFile </nowiki>    %h/.ssh/authorized_keys
<nowiki># Don't read the user's ~/.rhosts and ~/.shosts files</nowiki>
IgnoreRhosts yes
<nowiki># For this to work you will also need host keys in /etc/ssh_known_hosts</nowiki>
RhostsRSAAuthentication no
<nowiki># similar for protocol version 2</nowiki>
HostbasedAuthentication no
<nowiki># Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication</nowiki>
<nowiki>#IgnoreUserKnownHosts yes</nowiki>
<nowiki># To enable empty passwords, change to yes (NOT RECOMMENDED)</nowiki>
PermitEmptyPasswords no
<nowiki># Change to yes to enable challenge-response passwords (beware issues with</nowiki>
<nowiki># some PAM modules and threads)</nowiki>
ChallengeResponseAuthentication no
<nowiki># Change to no to disable tunnelled clear text passwords</nowiki>
<nowiki>#PasswordAuthentication yes</nowiki>
<nowiki># Kerberos options</nowiki>
<nowiki>#KerberosAuthentication no</nowiki>
<nowiki>#KerberosGetAFSToken no</nowiki>
<nowiki>#KerberosOrLocalPasswd yes</nowiki>
<nowiki>#KerberosTicketCleanup yes</nowiki>
<nowiki># GSSAPI options</nowiki>
<nowiki>#GSSAPIAuthentication no</nowiki>
<nowiki>#GSSAPICleanupCredentials yes</nowiki>
<nowiki># Cipher selection</nowiki>
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
<nowiki>#UseLogin no</nowiki>
<nowiki>#MaxStartups 10:30:60</nowiki>
<nowiki>#Banner /etc/issue.net</nowiki>
<nowiki># Allow client to pass locale environment variables</nowiki>
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
<nowiki># Set this to 'yes' to enable PAM authentication, account processing,</nowiki>
<nowiki># and session processing. If this is enabled, PAM authentication will</nowiki>
<nowiki># be allowed through the ChallengeResponseAuthentication and</nowiki>
<nowiki># PasswordAuthentication. </nowiki> Depending on your PAM configuration,
<nowiki># PAM authentication via ChallengeResponseAuthentication may bypass</nowiki>
<nowiki># the setting of "PermitRootLogin without-password".</nowiki>
<nowiki># If you just want the PAM account and session checks to run without</nowiki>
<nowiki># PAM authentication, then enable this but set PasswordAuthentication</nowiki>
<nowiki># and ChallengeResponseAuthentication to 'no'.</nowiki>
UsePAM yes
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Older '''Linux''' systems won’t support SHA2. PuTTY (Windows) does not support RIPE-MD160. Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.6p1). DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit [[https://bettercrypto.org/#_footnotedef_5 5]] which is far below current standards (see section #section:keylengths). Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs.
|-
|}
 
==== References ====
The OpenSSH [https://www.openssh.org/cgi-bin/man.cgi?query=sshd_config sshd_config — OpenSSH SSH daemon configuration file] man page is the best reference:
 
==== How to test ====
Connect a client with verbose logging enabled to the SSH server
$ ssh -vvv myserver.com
and observe the key exchange in the output.
 
=== Cisco ASA ===
 
==== Tested with Versions ====
* 9.1(3)
 
==== Settings ====
crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed. In addition to that, only a group1 DH-key-exchange is used. This should be changed to allow only SSH version 2 and to use a key-exchange with group14. The generated RSA key should be 2048 bit (the actual supported maximum). A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.
|-
|}
 
==== References ====
[https://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1]
 
==== How to test ====
Connect a client with verbose logging enabled to the SSH server
$ ssh -vvv myserver.com
and observe the key exchange in the output.
 
=== Cisco IOS ===
 
==== Tested with Versions ====
Table 3. Tested Myservice Versions
 
{| style="border-spacing:0;width:9.259cm;"
|- style="border:none;padding:0.049cm;"
|| Program Version
|| OS/Distribution/Version
|| Comment
|- style="border:none;padding:0.049cm;"
|| 15.0
|| IOS
||
|- style="border:none;padding:0.049cm;"
|| 15.1
|| IOS
||
|- style="border:none;padding:0.049cm;"
|| 15.2
|| IOS
||
|-
|}
 
==== Settings ====
crypto key generate rsa modulus 4096 label SSH-KEYS
ip ssh rsa keypair-name SSH-KEYS
ip ssh version 2
ip ssh dh min size 2048
line vty 0 15
transport input ssh
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only use a DH-group of 768 Bit. In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual keys-pairs. From IOS Version 15.0 onwards, 4096 Bit rsa keys are supported and should be used according to the paradigm "use longest supported key". Also, do not forget to disable telnet vty access.
|-
|}
 
==== References ====
[https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html Cisco SSH]
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| This guide is a basic SSH reference for all routers and switches. Pleaes refer to the specific documentation of the device and IOS version that you are configuring.
|-
|}
 
==== How to test ====
Connect a client with verbose logging enabled to the SSH server
$ ssh -vvv switch.example.net
and observe the key exchange in the output.
 
== Mailservers ==
This section documents the most common mail servers. Mail servers may usually be grouped into three categories:* Mail Submission Agent (MSA)
* Mail Transfer Agent (MTA) / Mail Exchanger (MX)
* Mail Delivery Agent (MDA)
An email client (mail user agent, MUA) submits mail to the MSA. This is usually been done using the Simple Mail Transfer Protocol (SMTP). Afterwards, the mail is transmitted by the MTA over the Internet to the MTA of the receiver. This happens again via SMTP. Finally, the mail client of the receiver will fetch mail from an MDA usually via the Internet Message Access Protocol (IMAP) or the Post Office Protocol (POP).
As MSAs and MTAs both use SMTP as transfer protocols, both functionalities may often be implemented with the same software. On the other hand, MDA software might or might not implement both IMAP and POP.
 
=== TLS usage in mail server protocols ===
Email protocols support TLS in two different ways. It may be added as a protocol wrapper on a different port. This method is referred to as Implicit TLS or as protocol variants SMTPS, IMAPS and POP3S. The other method is to establish a cleartext session first and switch to TLS afterwards by issuing the STARTTLS command.
SMTP between MTAs usually makes use of opportunistic TLS. This means that an MTA will accept TLS connections when asked for it but will not require it. MTAs should always try opportunistic TLS handshakes outgoing and always accept incoming opportunistic TLS.
 
=== Recommended configuration ===
We recommend to use the following settings for Mail Transfer Agents:* correctly setup MX, A and PTR RRs without using CNAMEs at all
* the hostname used as HELO/EHLO in outgoing mail shall match the PTR RR
* enable opportunistic TLS, using the STARTTLS mechanism on port 25
* Implicit TLS on port 465 may be offered additionally
* use server and client certificates (most server certificates are client certificates as well)
* either the common name or at least an alternate subject name of the certificate shall match the PTR RR (client mode) or the MX RR (server mode)
* do not use self signed certificates
* accept all cipher suites, as the alternative would be to fall back to cleartext transmission
* an execption to the last sentence is that MTAs '''MUST NOT''' enable SSLv2 protocol support, due to the [https://drownattack.com/drown-attack-paper.pdf DROWN attack].
For MSA operation we recommend:* listen on submission port 587 with mandatory STARTTLS
* optionally listen on port 465 with Implicit TLS
* enforce SMTP AUTH even for local networks
* ensure that SMTP AUTH is not allowed on unencrypted connections
* only use the recommended cipher suites if all connecting MUAs support them
For MDA operation we recommend:* listen on the protocol port (143 for IMAP, 110 for POP3) with mandatory STARTTLS
* optionally listen on Implicit TLS ports (993 for IMAPS, 995 for POP3S)
* enforce authentication even for local networks
* make sure that authentication is not allowed on unencrypted connections
* use the recommended cipher suites if all connecting MUAs support them
* turn off SSLv2 (see: [https://drownattack.com/drown-attack-paper.pdf DROWN attack])
 
=== Dovecot ===
 
==== Tested with Versions ====
Table 4. Tested Dovecot Versions
 
{| style="border-spacing:0;width:15.84cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 2.1.7
|| Debian Wheezy
|| without <tt>ssl_prefer_server_ciphers</tt>
|- style="border:none;padding:0.049cm;"
|| 2.2.9
|| Debian Jessie
||
|- style="border:none;padding:0.049cm;"
|| 2.2.13
|| Debian 8.2 Jessie
||
|- style="border:none;padding:0.049cm;"
|| 2.0.19apple1
|| OS X Server 10.8.5
|| without <tt>ssl_prefer_server_ciphers</tt>
|- style="border:none;padding:0.049cm;"
|| 2.2.9
|| Ubuntu 14.04 Trusty
||
|- style="border:none;padding:0.049cm;"
|| 2.2.31
|| Ubuntu 16.04.3 LTS
||
|-
|}
 
==== Settings ====
Listing 13. Dovecot SSL Configuration
<nowiki># SSL protocols to use, disable SSL, use TLS only</nowiki>
ssl_protocols = !SSLv3 !SSLv2
<nowiki># SSL ciphers to use</nowiki>
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
<nowiki># Prefer the server's order of ciphers over client's. (Dovecot >=2.2.6 Required)</nowiki>
ssl_prefer_server_ciphers = yes
<nowiki># Diffie-Hellman parameters length (Default is 1024, Dovecot >=2.2.7 Required)</nowiki>
<nowiki># ToDo: for ReGenerating DH-Parameters:</nowiki>
<nowiki># manually delete /var/lib/dovecot/ssl-parameters.dat and restart</nowiki>
<nowiki># Dovecot to regenerate /var/lib/dovecot/ssl-parameters.dat</nowiki>
ssl_dh_parameters_length = 2048
<nowiki># Disable Compression (Dovecot >= 2.2.14 Required)</nowiki>
<nowiki># ssl_options = no_compression</nowiki>
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Dovecot 2.0, 2.1: Almost as good as dovecot 2.2. Dovecot does not ignore unknown configuration parameters. Does not support <tt>ssl_prefer_server_ciphers</tt>.
|-
|}
 
==== Limitations ====
* Dovecot <2.2.14 does not support disabling TLS compression.In >2.2.14 [[https://bettercrypto.org/#_footnotedef_6 6]] use: <tt>ssl_options = no_compression</tt>
* Dovecot <2.2.7 uses fixed DH parameters.In >2.2.7 [[https://bettercrypto.org/#_footnotedef_7 7]] greater DH-Parameters are supported: <tt>ssl_dh_parameters_length = 2048</tt>.
 
==== References ====
* [https://wiki2.dovecot.org/SSL https://wiki2.dovecot.org/SSL]
 
==== How to test ====
$ openssl s_client -crlf -connect example.com:993
$ openssl s_client -crlf -connect example.com:995
$ openssl s_client -crlf -starttls imap -connect example.com:143
$ openssl s_client -crlf -starttls pop3 -connect example.com:110
[https://github.com/nabla-c0d3/sslyze/releases SSLyze] offers scanning for common vulnerabilities and displays Protocols and Cipher-Suites.
$ sslyze.exe --regular example.com:993
$ sslyze.exe --regular example.com:995
$ sslyze.exe --regular --starttls=imap example.com:143
$ sslyze.exe --regular --starttls=pop3 example.com:110
 
=== cyrus-imapd ===
 
==== Tested with Versions ====
Table 5. Tested cyrus-imapd Versions
 
{| style="border-spacing:0;width:9.878cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 2.4.17
||
||
|-
|}
 
==== Settings ====
To activate SSL/TLS configure your certificate with
Listing 14. Activating TLS in cyrus
tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
Do not forget to add necessary intermediate certificates to the .pem file.
Limiting the ciphers provided may force (especially older) clients to connect without encryption at all! Sticking to the defaults is recommended.
If you still want to force strong encryption use
Listing 15. TLS cipher selection in cyrus
tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
cyrus-imapd loads hardcoded 1024 bit DH parameters using get_rfc2409_prime_1024() by default. If you want to load your own DH parameters add them PEM encoded to the certificate file given in tls_cert_file. Do not forget to re-add them after updating your certificate.
To prevent unencrypted connections on the STARTTLS ports you can set
Listing 16. Force encrypted connections in cyrus
allowplaintext: no
This way MUAs can only authenticate with plain text authentication schemes after issuing the STARTTLS command. Providing CRAM-MD5 or DIGEST-MD5 methods is not recommended.
To support POP3/IMAP on ports 110/143 with STARTTLS and POP3S/IMAPS on ports 995/993 check the SERVICES section in ''cyrus.conf''
Listing 17. STARTTLS for POP3/IMAP and POP3S/IMAPS in cyrus
SERVICES {
    imap  cmd="imapd -U 30"    listen="imap"  prefork=0 maxchild=100
    imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
    pop3  cmd="pop3d -U 30"    listen="pop3"  prefork=0 maxchild=50
    pop3s cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
}
 
==== Limitations ====
cyrus-imapd currently (2.4.17, trunk) does not support elliptic curve cryptography. Hence, ECDHE will not work even if defined in your cipher list.
Currently there is no way to prefer server ciphers or to disable compression.
There is a working [https://bugzilla.cyrusimap.org/show_bug.cgi?id=3823 patch] for all three features.
 
==== How to test ====
$ openssl s_client -crlf -connect example.com:993
 
=== Postfix ===
 
==== Tested with Versions ====
Table 6. Tested Postfix Versions
 
{| style="border-spacing:0;width:11.739cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 2.9.6
|| Debian Wheezy
|| with OpenSSL 1.0.1e
|- style="border:none;padding:0.049cm;"
|| 2.11.0
|| Ubuntu 14.04.02
|| with OpenSSL 1.0.1f
|- style="border:none;padding:0.049cm;"
|| 3.1.0
|| Ubuntu 16.04.3 LTS
||
|-
|}
 
==== Settings ====
Postfix has five internal lists of ciphers, and the possibility to switch between those with <tt>smtpd_tls_ciphers</tt>. However, we leave this at its default value for server to server connections, as many mail servers only support outdated protocols and ciphers. We consider bad encryption still better than plain text transmission. For connections to MUAs, TLS is mandatory and the ciphersuite is modified.
 
===== MX and SMTP client configuration: =====
As discussed in section [https://bettercrypto.org/#smtp_general [smtp_general]], because of opportunistic encryption we do not restrict the list of ciphers or protocols for communication with other mail servers to avoid transmission in plain text. There are still some steps needed to enable TLS, all in ''main.cf'':
Listing 18. Opportunistic TLS in Postfix
<nowiki># TLS parameters</nowiki>
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
<nowiki># log TLS connection info</nowiki>
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
<nowiki># enable opportunistic TLS support in the SMTP server and client</nowiki>
smtpd_tls_security_level = may
smtp_tls_security_level = may
<nowiki># if you have authentication enabled, only offer it after STARTTLS</nowiki>
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
 
===== MSA: =====
For the MSA <tt>smtpd</tt> process which communicates with mail clients, we first define the ciphers that are acceptable for the “mandatory” security level, again in ''main.cf'':
Listing 19. MSA TLS configuration in Postfix
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
Then, we configure the MSA smtpd in ''master.cf'' with two additional options that are only used for this instance of smtpd:
Listing 20. MSA smtpd service configuration in Postfix
<nowiki># ==========================================================================</nowiki>
<nowiki># service type </nowiki> private unpriv  chroot  wakeup  maxproc command + args
<nowiki># </nowiki>              (yes)  (yes)  (no)    (never) (100)
<nowiki># ==========================================================================</nowiki>
<nowiki># ...</nowiki>
submission inet n      -      -      -      -      smtpd
    -o smtpd_tls_security_level=encrypt
    -o tls_preempt_cipherlist=yes
<nowiki># ...</nowiki>
For those users who want to use EECDH key exchange, it is possible to customize this via: The default value since Postfix 2.8 is “strong”.
Listing 21. EECDH customization in Postfix
smtpd_tls_eecdh_grade = ultra
 
==== Limitations ====
<tt>tls_ssl_options</tt> is supported from Postfix 2.11 onwards. You can leave the statement in the configuration for older versions, it will be ignored.
<tt>tls_preempt_cipherlist</tt> is supported from Postfix 2.8 onwards. Again, you can leave the statement in for older versions.
 
==== References ====
* Refer to [https://www.postfix.org/TLS_README.html https://www.postfix.org/TLS_README.html] for an in-depth discussion.
 
==== Additional settings ====
Postfix has two sets of built-in DH parameters that can be overridden with the <tt>smtpd_tls_dh512_param_file</tt> and <tt>smtpd_tls_dh1024_param_file</tt> options. The “dh512” parameters are used for export ciphers, while the “dh1024” ones are used for all other ciphers.
The “bit length” in those parameter names is just a name, so one could use stronger parameter sets; it should be possible to e.g. use the IKE Group14 parameters (see section [https://bettercrypto.org/#DH [DH]] without much interoperability risk, but we have not tested this yet.
 
==== How to test ====
You can check the effect of the settings with the following command:
$ zegrep "TLS connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
      1 SSLv3 with cipher DHE-RSA-AES256-SHA
    23 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
    60 TLSv1 with cipher ECDHE-RSA-AES256-SHA
    270 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
    335 TLSv1 with cipher DHE-RSA-AES256-SHA
$ openssl s_client -starttls smtp -crlf -connect example.com:25
 
=== Exim ===
 
==== Tested with Versions ====
Table 7. Tested Exim Versions
 
{| style="border-spacing:0;width:11.739cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 4.82
|| Debian Jessie
||
|- style="border:none;padding:0.049cm;"
|| 4.82
|| Ubuntu 14.04.2
|| with OpenSSL 1.0.1e
|-
|}
It is highly recommended to read [https://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html Encrypted SMTP connections using TLS/SSL] first.
 
===== MSA mode (submission): =====
In the main config section of Exim add:
Listing 22. Certificate selection in Exim (MSA)
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem
Don’t forget to add intermediate certificates to the .pem file if needed.
Tell Exim to advertise STARTTLS in the EHLO answer to everyone:
Listing 23. TLS advertise in Exim (MSA)
tls_advertise_hosts = *
If you want to support legacy SMTPS on port 465, and STARTTLS on smtp(25)/submission(587) ports set
Listing 24. STARTTLS and SMTPS in Exim (MSA)
daemon_smtp_ports = smtp : smtps : submission
tls_on_connect_ports = 465
It is highly recommended to limit SMTP AUTH to SSL connections only. To do so add
Listing 25. SSL-only authentication in Exim (MSA)
server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
to every authenticator defined.
Add the following rules on top of your acl_smtp_mail:
Listing 26. Submission mode in Exim (MSA)
acl_smtp_mail = acl_check_mail
acl_check_mail:
  warn hosts = *
    control = submission/sender_retain
  accept
This switches Exim to submission mode and allows addition of missing “Message-ID” and “Date” headers.
It is not advisable to restrict the default cipher list for MSA mode if you don’t know all connecting MUAs. If you still want to define one please consult the Exim documentation or ask on the exim-users mailinglist.
The cipher used is written to the logfiles by default. You may want to add
log_selector = <whatever your log_selector already contains> +tls_certificate_verified +tls_peerdn +tls_sni
to get even more TLS information logged.
 
===== Server mode (incoming): =====
In the main config section of Exim add:
Listing 27. Certificate selection in Exim (Server)
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem
Don’t forget to add intermediate certificates to the .pem file if needed.
Tell Exim to advertise STARTTLS in the EHLO answer to everyone:
Listing 28. TLS advertise in Exim (Server)
tls_advertise_hosts = *
Listen on smtp(25) port only:
Listing 29. STARTTLS on SMTP in Exim (Server)
daemon_smtp_ports = smtp
It is not advisable to restrict the default cipher list for opportunistic encryption as used by SMTP. Do not use cipher lists recommended for HTTPS! If you still want to define one please consult the Exim documentation or ask on the exim-users mailinglist.
If you want to request and verify client certificates from sending hosts set
Listing 30. TLS certificate verification in Exim (Server)
tls_verify_certificates = /etc/pki/tls/certs/ca-bundle.crt
tls_try_verify_hosts = *
<tt>tls_try_verify_hosts</tt> only reports the result to your logfile. If you want to disconnect such clients you have to use
tls_verify_hosts = *
The cipher used is written to the logfiles by default. You may want to add
log_selector = <whatever your log_selector already contains> +tls_certificate_verified +tls_peerdn +tls_sni
to get even more TLS information logged.
 
===== Client mode (outgoing): =====
Exim uses opportunistic encryption in the SMTP transport by default.
Client mode settings have to be done in the configuration section of the smtp transport (<tt>driver = smtp</tt>).
If you want to use a client certificate (most server certificates can be used as client certificate, too) set
Listing 31. Certificate selection in Exim (Client)
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem
This is recommended for MTA-MTA traffic.
Do not limit ciphers without a very good reason. In the worst case you end up without encryption at all instead of some weak encryption. Please consult the Exim documentation if you really need to define ciphers.
 
===== OpenSSL: =====
Exim already disables SSLv2 by default. We recommend to add
openssl_options = +all +no_sslv2 +no_sslv3 +no_compression +cipher_server_preference
to the main configuration.
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| <tt>+all</tt> is misleading here since OpenSSL only activates the most common workarounds. But that’s how <tt>SSL_OP_ALL</tt> is defined.
|-
|}
You do not need to set dh_parameters. Exim with OpenSSL by default uses parameter initialization with the “2048-bit MODP Group with 224-bit Prime Order Subgroup” defined in section 2.2 of RFC 5114&nbsp;(ike23). If you want to set your own DH parameters please read the TLS documentation of exim.
 
===== GnuTLS: =====
GnuTLS is different in only some respects to OpenSSL:* <tt>tls_require_ciphers</tt> needs a GnuTLS priority string instead of a cipher list. It is recommended to use the defaults by not defining this option. It highly depends on the version of GnuTLS used. Therefore it is not advisable to change the defaults.
* There is no option like <tt>openssl_options</tt>
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Exim string expansion
Most of the options accept expansion strings. This way you can e.g. set cipher lists or STARTTLS advertisement conditionally. Please follow the link to the official Exim documentation to get more information.
|-
|}
 
===== Limitations: =====
Exim currently (4.82) does not support elliptic curves with OpenSSL. This means that ECDHE is not used even if defined in your cipher list. There already is a working [https://bugs.exim.org/show_bug.cgi?id=1397 patch] to provide support.
 
==== How to test ====
$ openssl s_client -starttls smtp -crlf -connect example.com:25
 
=== Cisco ESA/IronPort ===
 
==== Tested with Versions ====
Table 8. Tested Cisco ESA/IronPort Versions
 
{| style="border-spacing:0;width:9.878cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
||
|| AsyncOS 7.6.1
||
|- style="border:none;padding:0.049cm;"
||
|| AsyncOS 8.5.6
||
|- style="border:none;padding:0.049cm;"
||
|| AsyncOS 9.0.0
||
|- style="border:none;padding:0.049cm;"
||
|| AsyncOS 9.5.0
||
|- style="border:none;padding:0.049cm;"
||
|| AsyncOS 9.6.0
||
|- style="border:none;padding:0.049cm;"
||
|| AsyncOS 9.7.0
||
|-
|}
 
==== Settings ====
Import your certificate(s) using the WEBUI (Network → Certificates).
From AsyncOS 9.0 and up, SSL parameters for inbound SMTP, outbound SMTP and GUI access can be configured in one step via the WEBUI (System Administration → SSL Configuration, see figure [https://bettercrypto.org/#ach_ironport_ssl_settings IronPort Default SSL Settings]). For all versions prior to 9.0, you have to connect to the CLI and configure the SSL parameters separately, as shown below using inbound SMTP as example.
ironport.example.com> sslconfig
sslconfig settings:
  GUI HTTPS method:  sslv3tlsv1
  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
  Inbound SMTP method:  sslv3tlsv1
  Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound
Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]> 3
Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
sslconfig settings:
  GUI HTTPS method:  sslv3tlsv1
  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
  Inbound SMTP method:  tlsv1
  Inbound SMTP ciphers: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Starting with AsyncOS 9.0 SSLv3 is disabled by default, whereas the default cipher set is still <tt>RC4-SHA:RC4-MD5:ALL</tt> (see figure [https://bettercrypto.org/#ach_ironport_ssl_settings IronPort Default SSL Settings]).
|-
|}
[[Image:Bild3.png|top|alt="IronPort Default SSL Settings"]]
Figure 1. IronPort Default SSL Settings
After committing these changes in the CLI, you have to activate the use of TLS in several locations.
For inbound connections, first select the appropriate certificate in the settings of each listener you want to have TLS enabled on (Network → Listeners, see figure [https://bettercrypto.org/#ach_ironport_ssl_settings IronPort Default SSL Settings]). Afterwards, for each listener, configure all Mail Flow Policies which have their Connection Behavior set to “Accept” or “Relay” to at least prefer TLS (Mail Policies → Mail Flow Policies, see figure [https://bettercrypto.org/#ach_ironport_ssl_settings IronPort Default SSL Settings]). It is recommended to also enable TLS in the default Mail Flow Policy, because these settings will be inherited by newly created policies, unless specifically overwritten. + TLS can be enforced by creating a new Mail Flow Policy with TLS set to “required”, creating a new Sender Group defining the addresses of the sending mail servers for which you want to enforce encryption (Mail Policies → HAT Overview) and using this new Sender Group in conjunction with the newly created Mail Flow Policy.
[[Image:Bild4.png|top|alt="IronPort Listener Settings"]]
Figure 2. IronPort Listener Settings
[[Image:Bild5.png|top|alt="IronPort Mail Flow Policy Security Features"]]
Figure 3. IronPort Mail Flow Policy Security Features
TLS settings for outbound connections have to be configured within the Destination Controls (Mail Policies → Destination Controls). Choose the appropriate SSL certificate within the global settings and configure TLS to be preferred in the default profile to enable it for all outbound connections. After these two steps the Destination Control overview page should look like figure [https://bettercrypto.org/#ach_ironport_dest_control IronPort Destination Control overview] on page . To enforce TLS for a specific destination domain, add an entry to the Destination Control Table and set “TLS Support” to “required”.
[[Image:Bild6.png|top|alt="Destination Control overview"]]
Figure 4. IronPort Destination Control overview
 
==== Limitations ====
All AsyncOS releases prior to version 9.5 use OpenSSL 0.9.8. Therefore TLS 1.2 is not supported in these versions and some of the suggested ciphers won’t work. Starting with AsyncOS 9.5 TLS 1.2 is fully supported. [[https://bettercrypto.org/#_footnotedef_8 8]] You can check the supported ciphers on the CLI by using the option <tt>verify</tt> from within the <tt>sslconfig</tt> command:
[]> verify
Enter the ssl cipher you want to verify.
[]> EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH      Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH      Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA        SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
 
==== How to test ====
$ openssl s_client -starttls smtp -crlf -connect example.com:25
 
== Virtual Private Networks ==
Virtual Private Networks (VPN) provide means of connecting private networks over external / public transport networks. Since we do not control the transport networks we have to to take care about data integrity and privacy.
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Some providers also offer VPNs for connecting company networks via MPLS or simular technologies. The provider promises you that nobody else has access to your data trnfserred over their lines. You have to decide if this promise does fit to your information security requirements.
|-
|}
Basically there are two ways to ensure the privacy and integrity of the data sent via external lines. First you could utilize the built-in security of the Internet Protocol (IPsec). The other way are specific applications that encrypt the data before sending it over the line.
IPsec is an Internet standard (TODO RFC 6071). This guarantees the interoperability between implementations of different vendors. You can establish a secure connection with your customer or your supplier. On the other hand VPN applications mostly utilize TLS to secury the communication between the partners.
TODO: Descision criteria IPsec vs. VPN application.
 
=== IPsec ===
IPsec is the Internet standard to encrypt the transport of data between private networks.
 
==== Technology ====
We describe only the use the Internet Key Exchange (IKE) version 2 in this dodument. IKEv1 has some usage and security problems and should not be used any more. (TODO: reference).
 
==== Authentication ====
IPsec authentication should optimally be performed via RSA signatures, with a key size of 2048 bits or more. Configuring only the trusted CA that issued the peer certificate provides for additional protection against fake certificates.
If you need to use Pre-Shared Key (PSK) authentication:* Choose a ''random'', ''long enough'' PSK (see below)
* Use a ''separate'' PSK for any IPsec connection
* Change the PSKs regularly
* Think aboute a ''secure'' way to exchange the PSK. Sending an SMS it ''not'' secure.
The size of the PSK should not be shorter than the output size of the hash algorithm used in IKE.footnote[It is used in a HMAC, see RFC2104&nbsp; and the discussion starting in TODO: verify [http://www.vpnc.org/ietf-ipsec/02.ipsec/msg00268.html http://www.vpnc.org/ietf-ipsec/02.ipsec/msg00268.html].].
For a key composed only of upper- and lowercase letters, numbers, and two additional characters[[https://bettercrypto.org/#_footnotedef_9 9]], table&nbsp;#tab:IPSEC_psk_len gives the minimum lengths in characters.
 
===== Cryptographic Suites: =====
IPSEC Cryptographic Suites are pre-defined settings for all the items of a configuration; they try to provide a balanced security level and make setting up VPNs easier. [[https://bettercrypto.org/#_footnotedef_10 10]]
When using any of those suites, make sure to enable “Perfect Forward Secrecy“ for Phase 2, as this is not specified in the suites. The equivalents to the recommended ciphers suites in section [https://bettercrypto.org/#recommendedciphers Recommended cipher suites] are shown in table&nbsp;#tab:IPSEC_suites.
 
===== Phase 1: =====
TODO: Phase 1 and 2 are phrases from IKEv1. Re-write for IKEv2.
Alternatively to the pre-defined cipher suites, you can define your own, as described in this and the next section.
Phase 1 is the mutual authentication and key exchange phase; table&nbsp;#tab:IPSEC_ph1_params shows the parameters.
Use only “main mode“, as “aggressive mode“ has known security vulnerabilities [[https://bettercrypto.org/#_footnotedef_11 11]].
 
===== Phase 2: =====
Phase 2 is where the parameters that protect the actual data are negotiated; recommended parameters are shown in table #tab:IPSEC_ph2_params.
 
==== References ====
* Fergusen, N. and Schneier, B.: ''A Cryptographic Evaluation of IPsec'': [https://www.schneier.com/paper-ipsec.pdf https://www.schneier.com/paper-ipsec.pdf]
 
=== Check Point Next Generation Firewall ===
 
==== Tested with Versions ====
Table 9. Tested CheckPoint Versions
 
{| style="border-spacing:0;width:9.878cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| R77
|| Secure Platform
||
|-
|}
 
==== Settings ====
Please see section [https://bettercrypto.org/#IPSECgeneral IPsec] for guidance on parameter choice. In this section, we will configure a strong setup according to ''Configuration A''.
This is based on the concept of a ''VPN Community'', which has all the settings for the gateways that are included in that community. Communities can be found in the <tt>IPSEC VPN</tt> tab of SmartDashboard.
[[Image:Bild7.png|top|alt="VPN Community encryption properties"]]
[https://bettercrypto.org/#fig:checkpoint_1 [fig:checkpoint_1]]
Either choose one of the encryption suites in the properties dialog (figure [https://bettercrypto.org/#checkpoint_1 [checkpoint_1]], or proceed to <tt>Custom Encryption...</tt>, where you can set encryption and hash for Phase 1 and 2 (figure [https://bettercrypto.org/#checkpoint_2 [checkpoint_2]].
[[Image:Bild8.png|top|alt="Custom Encryption Suite Properties"]]
[https://bettercrypto.org/#checkpoint_2 [checkpoint_2]]
The Diffie-Hellman groups and Perfect Forward Secrecy Settings can be found under <tt>Advanced Settings</tt> / <tt>Advanced VPN Properties</tt> (figure [https://bettercrypto.org/#checkpoint_3 [checkpoint_3]].
[[Image:Bild9.png|top|alt="Advanced VPN Properties"]]
[https://bettercrypto.org/#checkpoint_3 [checkpoint_3]]
 
==== Additional settings ====
For remote Dynamic IP Gateways, the settings are not taken from the community, but set in the <tt>Global Properties</tt> dialog under <tt>Remote Access</tt> / <tt>VPN Authentication and Encryption</tt>. Via the <tt>Edit...</tt> button, you can configure sets of algorithms that all gateways support (figure [https://bettercrypto.org/#checkpoint_4 [checkpoint_4]]).
[[Image:Bild10.png|top|alt="Remote Access Encryption Properties"]]
[https://bettercrypto.org/#checkpoint_4 [checkpoint_4]]
Please note that these settings restrict the available algorithms for ''all'' gateways, and also influence the VPN client connections.
 
==== References ====
* Check Point [https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm VPN R77 Administration Guide] (may require a UserCenter account to access)
 
=== TLS Based Applications ===
 
==== OpenVPN ====
 
==== Tested with Versions ====
Table 10. Tested OpenVPN Versions
 
{| style="border-spacing:0;width:14.91cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 2.3.10
|| Ubuntu Xenial 16.04.1 LTS
|| linked against openssl (libssl.so.1.0.0)
|- style="border:none;padding:0.049cm;"
|| 2.3.2
|| Debian Wheezy (backports)
|| linked against openssl (libssl.so.1.0.0)
|- style="border:none;padding:0.049cm;"
|| 2.2.1
|| Debian Wheezy
|| linked against openssl (libssl.so.1.0.0)
|- style="border:none;padding:0.049cm;"
|| 2.3.2
|| Windows
||
|-
|}
 
===== Settings =====
 
====== General ======
We describe a configuration with certificate-based authentication; see below for details on the <tt>easyrsa</tt> tool to help you with that.
OpenVPN uses TLS only for authentication and key exchange. The bulk traffic is then encrypted and authenticated with the OpenVPN protocol using those keys.
Note that while the <tt>tls-cipher</tt> option takes a list of ciphers that is then negotiated as usual with TLS, the <tt>cipher</tt> and <tt>auth</tt> options both take a single argument that must match on client and server.
OpenVPN duplexes the tunnel into a data and a control channel. The control channel is a usual TLS connection, the data channel currently uses encrypt-then-mac CBC, see [https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75365286 https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75365286]
 
====== Server Configuration ======
 
====== Client Configuration ======
Client and server have to use compatible configurations, otherwise they can’t communicate. The <tt>cipher</tt> and <tt>auth</tt> directives have to be identical.
 
==== Justification for special settings ====
OpenVPN 2.3.1 changed the values that the <tt>tls-cipher</tt> option expects from OpenSSL to IANA cipher names. That means from that version on you will get ''Deprecated TLS cipher name'' warnings for the configurations above. You cannot use the selection strings from section [https://bettercrypto.org/#recommendedciphers Recommended cipher suites] directly from 2.3.1 on, which is why we give an explicit cipher list here.
In addition, there is a 256 character limit on configuration file line lengths; that limits the size of cipher suites, so we dropped all ECDHE suites.
The configuration shown above is compatible with all tested versions.
 
==== References ====
* OpenVPN Documentation: ''Security Overview'' [https://openvpn.net/index.php/open-source/documentation/security-overview.html https://openvpn.net/index.php/open-source/documentation/security-overview.html]
 
==== Additional settings ====
 
===== Key renegotiation interval =====
The default for renegotiation of encryption keys is one hour (<tt>reneg-sec 3600</tt>). If you transfer huge amounts of data over your tunnel, you might consider configuring a shorter interval, or switch to a byte- or packet-based interval (<tt>reneg-bytes</tt> or <tt>reneg-pkts</tt>).
 
===== Insecure ciphers =====
Sweet32[[https://bettercrypto.org/#_footnotedef_12 12]] is an attack on 64-bit block ciphers, such as <tt>3DES</tt> and <tt>Blowfish</tt> in OpenVPN. The following ciphers are affected, and should no longer be used:* BF-*
* DES* (including 3DES variants)
* RC2-*
The following ciphers are not affected:* AES-*
* CAMELLIA-*
* SEED-*
According to mitigation section on Sweet32 website[[https://bettercrypto.org/#_footnotedef_13 13]] users users should change the cipher from the DES or Blowfish to AES (<tt>cipher AES-128-CBC</tt>). If cipher change is not possible users can mitigate the attack by forcing frequent rekeying (<tt>reneg-bytes 64000000</tt>).
 
===== Fixing “easy-rsa” =====
When installing an OpenVPN server instance, you are probably using <tt>easy-rsa</tt> to generate keys and certificates. The file <tt>vars</tt> in the easyrsa installation directory has a number of settings that should be changed to secure values:
This will enhance the security of the key generation by using RSA keys with a length of 4096 bits, and set a lifetime of one year for the server/client certificates and five years for the CA certificate.
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| 4096 bits is only an example of how to do this with easy-rsa. See also section [https://bettercrypto.org/#keylengths Keylengths] for a discussion on keylengths.
|-
|}
In addition, edit the <tt>pkitool</tt> script and replace all occurrences of <tt>sha1</tt> with <tt>sha256</tt>, to sign the certificates with SHA256.
 
==== Limitations ====
Note that the ciphersuites shown by <tt>openvpn --show-tls</tt> are ''known'', but not necessarily ''supported'' [[https://bettercrypto.org/#_footnotedef_14 14]].
Which cipher suite is actually used can be seen in the logs:
<tt>Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA</tt>
 
=== PPTP ===
PPTP is considered insecure, Microsoft recommends to _use a more secure VPN tunnel_[[https://bettercrypto.org/#_footnotedef_15 15]].
There is a cloud service that cracks the underlying MS-CHAPv2 authentication protocol for the price of USD&nbsp;200[[https://bettercrypto.org/#_footnotedef_16 16]], and given the resulting MD4 hash, all PPTP traffic for a user can be decrypted.
 
=== Cisco ASA ===
The following settings reflect our recommendations as best as possible on the Cisco ASA platform. These are - of course - just settings regarding SSL/TLS (i.e. Cisco AnyConnect) and IPsec. For further security settings regarding this platform the appropriate Cisco guides should be followed.
 
==== Tested with Versions ====
Table 11. Tested Cisco ASA Versions
 
{| style="border-spacing:0;width:9.878cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 9.1(3)
|| X-series model
||
|-
|}
 
==== Settings ====
crypto ipsec ikev2 ipsec-proposal AES-Fallback
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES-GCM-Fallback
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES128-GCM
protocol esp encryption aes-gcm
protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES192-GCM
protocol esp encryption aes-gcm-192
protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES256-GCM
protocol esp encryption aes-gcm-256
protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-GCM AES192-GCM AES128-GCM AES-GCM-Fallback AES-Fallback
crypto map Outside-DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-DMZ_map interface Outside-DMZ
crypto ikev2 policy 1
encryption aes-gcm-256
integrity null
group 14
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 14
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256
group 14
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 policy 4
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 14
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 enable Outside-DMZ client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 Outside-DMZ
 
==== Justification for special settings ====
New IPsec policies have been defined which do not make use of ciphers that may be cause for concern. Policies have a "Fallback" option to support legacy devices.
3DES has been completely disabled as such Windows XP AnyConnect Clients will no longer be able to connect.
The Cisco ASA platform does not currently support RSA Keys above 2048bits.
Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure for SHA256/SHA384/SHA512 nor AES-GCM for IKEv2 proposals.
 
==== References ====
* [http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html]
* [http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html]
 
=== Openswan ===
 
==== Tested with Version ====
Table 12. Tested OpenS/WAN Versions
 
{| style="border-spacing:0;width:9.878cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 2.6.39
|| Gentoo
||
|-
|}
 
==== Settings ====
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| The available algorithms depend on your kernel configuration (when using protostack=netkey) and/or build-time options.
|-
|}
To list the supported algorithms
$ ipsec auto --status | less
and look for ’algorithm ESP/IKE’ at the beginning.
aggrmode=no
<nowiki># ike format: cipher-hash;dhgroup</nowiki>
<nowiki># recommended ciphers:</nowiki>
<nowiki># - aes</nowiki>
<nowiki># recommended hashes:</nowiki>
<nowiki># - sha2_256 with at least 43 byte PSK</nowiki>
<nowiki># - sha2_512 with at least 86 byte PSK</nowiki>
<nowiki># recommended dhgroups:</nowiki>
<nowiki># - modp2048 = DH14</nowiki>
<nowiki># - modp3072 = DH15</nowiki>
<nowiki># - modp4096 = DH16</nowiki>
<nowiki># - modp6144 = DH17</nowiki>
<nowiki># - modp8192 = DH18</nowiki>
ike=aes-sha2_256;modp2048
type=tunnel
phase2=esp
<nowiki># esp format: cipher-hash;dhgroup</nowiki>
<nowiki># recommended ciphers configuration A:</nowiki>
<nowiki># - aes_gcm_c-256 = AES_GCM_16</nowiki>
<nowiki># - aes_ctr-256</nowiki>
<nowiki># - aes_ccm_c-256 = AES_CCM_16</nowiki>
<nowiki># - aes-256</nowiki>
<nowiki># additional ciphers configuration B:</nowiki>
<nowiki># - camellia-256</nowiki>
<nowiki># - aes-128</nowiki>
<nowiki># - camellia-128</nowiki>
<nowiki># recommended hashes configuration A:</nowiki>
<nowiki># - sha2-256</nowiki>
<nowiki># - sha2-384</nowiki>
<nowiki># - sha2-512</nowiki>
<nowiki># - null (only with GCM/CCM ciphers)</nowiki>
<nowiki># additional hashes configuration B:</nowiki>
<nowiki># - sha1</nowiki>
<nowiki># recommended dhgroups: same as above</nowiki>
phase2alg=aes_gcm_c-256-sha2_256;modp2048
salifetime=8h
pfs=yes
auto=ignore
 
==== How to test ====
Start the vpn and using
$ ipsec auto --status | less
and look for ’IKE algorithms wanted/found’ and ’ESP algorithms wanted/loaded’.
 
==== References ====
* [https://www.openswan.org/ https://www.openswan.org/]
 
=== tinc ===
 
==== Tested with Versions ====
Table 13. Tested tinc Versions
 
{| style="border-spacing:0;width:13.349cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Program Version
! align=center| OS/Distribution/Version
! align=center| Comment
|- style="border:none;padding:0.049cm;"
|| 1.0.23
|| Gentoo
|| linked against OpenSSL 1.0.1e
|- style="border:none;padding:0.049cm;"
|| 1.0.23
|| Sabayon
|| linked against OpenSSL 1.0.1e
|-
|}
 
===== Defaults =====
tinc uses 2048 bit RSA keys, Blowfish-CBC, and SHA1 as default settings and suggests the usage of CBC mode ciphers. Any key length up to 8192 is supported and it does not need to be a power of two. OpenSSL Ciphers and Digests are supported by tinc.
 
===== Settings =====
Generate keys with
$ tincd -n NETNAME -K8192
Old keys will not be deleted (but disabled), you have to delete them manually. Add the following lines to your tinc.conf on all machines
 
===== References =====
* tincd(8) man page
* tinc.conf(5) man page
* [http://www.tinc-vpn.org/pipermail/tinc/2014-January/003538.html tinc mailinglist http://www.tinc-vpn.org/pipermail/tinc/2014-January/003538.html]
 
== PGP/GPG - Pretty Good Privacy ==
The [https://tools.ietf.org/search/rfc4880 OpenPGP protocol] defines a set of asymmetric- and symmetric encryption algorithms, signature methods and compression protocols. [https://gnupg.org/ GnuPG], a FOSS implementation of the OpenPGP standard, is widely used for mail encryption.
GnuPG signs a message, encrypts it symmetrically and encrypts the symmetric key and the hash with Bob’s public key asymmetrically.
Research on SHA-1 conducted back in 2005 (see: [https://www.schneier.com/blog/archives/2005/02/sha1_broken.html SHA-1 Broken]) as well as the first practical successful collision in early 2017 (see: [https://shattered.io/ SHAttered]) has made clear that collision attacks are a real threat to the security of the SHA-1 hash function.
Since SHA-1 is defined as a must implementation by the OpenPGP specification, GnuPG is still using it. Currently settings should be adapted to preferably avoid using SHA-1.
When using GnuPG, there are a couple of things to take care of:* keylengths (see: [https://bettercrypto.org/#keylengths Keylengths])
* randomness (see: [https://bettercrypto.org/#rngs Random Number Generators])
* preference of symmetric encryption algorithm (see: [https://bettercrypto.org/#ciphersuites Architectural overview])
* preference of hash function (see: [https://bettercrypto.org/#ciphersuites Architectural overview])
Properly dealing with key material, passphrases and the web-of-trust is outside of the scope of this document. The [https://www.gnupg.org/ GnuPG website] has a good tutorial on GnuPG.
After 31 December 2017 GnuPG version 2.0.x is no longer supported and [https://lists.gnupg.org/pipermail/gnupg-announce/2017q3/000413.html shall not be used anymore]. Use the new long term version 2.1 instead.
 
=== Hashing ===
Avoid SHA-1 by preferring better hashing methods. GnuPG. Edit <tt>$HOME/.gnupg/gpg.conf</tt>:
Listing 32. Digest selection in GnuPG
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 TWOFISH SHA512 SHA384 SHA256 BZIP2 ZLIB ZIP
 
=== Key Generation ===
Because of lack of forward secrecy (see: [https://bettercrypto.org/#pfs [pfs]]) in OpenPGP it is preferable to use large asymmetric keys for long term communication protection. A RSA key of <tt>4096</tt> bits should provide enough confidentiality for the next 10 years (see: [https://www.keylength.com/ Cryptographic Key Length Recommendation]).
Listing 33. New key generation with GnuPG version 2.1
$ gpg --batch --full-gen-key $HOME/Desktop/params.txt`
Listing 34. Parameters for key generation with GnuPG version 2.1
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: <your-name>
Name-Email: <your-email-address>
Passphrase: <password>
Expires: 2y
<nowiki># My preferences: AES256, CAMELLIA256, AES192, CAMELLIA192, AES128, CAMELLIA128, TWOFISH, SHA512, SHA384, SHA256, BZIP2, ZLIB and ZIP</nowiki>
Preferences: S9 S13 S8 S12 S7 S11 S10 H10 H9 H8 Z3 Z2 Z1
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| The preferences parameters S9 to Z1 correspond to AES256, CAMELLIA256, AES192, CAMELLIA192, AES, CAMELLIA128, TWOFISH, SHA512, SHA384, SHA256, BZIP2, ZLIB and ZIP. The parameters 3DES, SHA-1 and uncompressed are set automatically by GnuPG.
|-
|}
 
=== ECC - Elliptic Curve Cryptography ===
Since the release of [https://www.gnupg.org/faq/whats-new-in-2.1.html GnuPG version 2.1] end-2014 ECC is supported. Older versions though are still widely used therefore ECC is not yet applicable in practice.
 
== IPMI, ILO and other lights out management solutions ==
Consider creating an unrouted management VLAN and access that only via VPN.
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| We ''strongly'' recommend that any remote management system for servers such as ILO, iDRAC, IPMI based solutions and similar systems ''never'' be connected to the public internet.
|-
|}
 
== Instant Messaging Systems ==
 
=== General server configuration recommendations ===
For servers, we mostly recommend to apply what’s proposed by the [https://github.com/stpeter/manifesto Peter’s manifesto].
In short:* require the use of TLS for both client-to-server and server-to-server connections
* prefer or require TLS cipher suites that enable forward secrecy
* deploy certificates issued by well-known and widely-deployed certification authorities (CAs)
The last point being out-of-scope for this section, we will only cover the first two points.
 
=== ejabberd ===
 
==== Tested with Versions ====
* ejabberd 14.12, Debian 7 Wheezy
* ejabberd 14.12, Ubuntu 14.04 Trusty
* ejabberd 15.03, Ubuntu 14.04 Trusty
* ejabberd 16.01, Ubuntu 14.04 Trusty
 
==== Settings ====
ejabberd is one of the popular Jabber servers. In order to be compliant with the manifesto, you should adapt your configuration:
Listing 35. TLS setup for ejabberd
listen:
    -
        port: 5222
        module: ejabberd_c2s
        certfile: "/path/to/ssl.pem"
        starttls: true
        starttls_required: true
        protocol_options:
            - "no_sslv3"
            - "no_tlsv1"
            - "cipher_server_preference"
        max_stanza_size: 65536
        dhfile: "/path/to/dhparams.pem"
        shaper: c2s_shaper
        access: c2s
    -
        port: 5269
        module: ejabberd_s2s_in
s2s_use_starttls: required_trusted
s2s_certfile: "/path/to/ssl.pem"
s2s_dhfile: "/etc/ejabberd/dhparams.pem" # Available from version 15.03
s2s_protocol_options:
    - "no_sslv3"
    - "no_tlsv1"
    - "cipher_server_preference"
 
{| style="border-spacing:0;width:5.398cm;"
|- style="border:none;padding:0.049cm;"
||
|| Available from version 15.06
|-
|}
 
==== Additional settings ====
It is possible to explicitly specify a cipher string for TLS connections.
Listing 36. Specifying a cipher order and enforcing it
listen:
    -
        port: 5222
        module: ejabberd_c2s
        certfile: "/path/to/ssl.pem"
        starttls: true
        starttls_required: true
        protocol_options:
            - "no_sslv3"
            - "no_tlsv1"
        - "cipher_server_preference"
        max_stanza_size: 65536
        dhfile: "/path/to/dhparams.pem"
        ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
    -
        port: 5269
        module: ejabberd_s2s_in
s2s_use_starttls: required_trusted
s2s_certfile: "/path/to/ssl.pem"
s2s_dhfile: "/etc/ejabberd/dhparams.pem"
s2s_protocol_options:
    - "no_sslv3"
    - "no_tlsv1"
    - "cipher_server_preference"
s2s_ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
 
{| style="border-spacing:0;width:5.398cm;"
|- style="border:none;padding:0.049cm;"
||
|| Available from version 15.06
|- style="border:none;padding:0.049cm;"
||
|| Available from version 15.03
|-
|}
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Weak Ciphers
Note that we are setting the SSL option <tt>cipher_server_preference</tt>. This enforces our cipher order when negotiating which ciphers are used, as the cipher order of [https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/ some clients chooses weak ciphers] over stronger ciphers.
|-
|}
Starting with version 15.03[[https://bettercrypto.org/#_footnotedef_17 17]], it is possible to use custom Diffie-Hellman-Parameters. This allows us to negotiate stronger Diffie-Hellman-keys, and also helps us avoid problems with using common [https://weakdh.org/ weak Diffie-Hellman-Parameters]. You can generate your own parameter file by running:
$ openssl dhparam -out dhparams.pem 4096
By default, ejabberd provides an administration website (look for the ejabberd_http module). Enable TLS protection for it like this:
    port: 5280
    module: ejabberd_http
    web_admin: true
    http_poll: true
    http_bind: true
    captcha: true
    certfile: "/path/to/ssl.pem"
    tls: true
 
==== Tested with Versions ====
* Debian Wheezy 2.1.10-4+deb7u1
 
==== Settings ====
Older versions of ejabberd use a different configuration file syntax. In order to be compliant with the manifesto, you should adapt your configuration[[https://bettercrypto.org/#_footnotedef_18 18]] as follows:
 
{listen,
    [
        {5222, ejabberd_c2s, [
        {access, c2s},
        {shaper, c2s_shaper},
        {max_stanza_size, 65536},
        starttls,
        starttls_required,
        {certfile, "/etc/ejabberd/ejabberd.pem"}
        ]},
    ]}.
 
{s2s_use_starttls, required_trusted}.
 
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
 
==== Additional settings ====
Older versions of ejabberd (< 2.0.0) need to be [https://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/ patched] to be able to parse all of the certificates in the CA chain. Specifying a custom cipher string is only possible starting with version 13.12 (see configuration for version 14.12 above).
 
==== References ====
* [https://docs.ejabberd.im/ ejabberd, your superpowerful messaging framework]
 
==== How to test ====
[https://xmpp.net/ IM Observatory] is a useful website to test Jabber server configurations.
 
=== Chat privacy - Off-the-Record Messaging (OTR) ===
[https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html Off-the-Record Messaging Protocol] works on top of the Jabber protocol. It adds to popular chat clients (Adium, Pidgin…​) the following properties for encrypted chats:* Authentication
* Integrity
* Confidentiality
* Forward secrecy
It basically uses Diffie-Hellman, AES and SHA1. Communicating over an insecure instant messaging network, OTR can be used for end to end encryption.
There are no specific configurations required but the protocol itself is worth to be mentioned.
 
=== Charybdis ===
There are numerous implementations of IRC servers. In this section, we choose ''Charybdis'' which serves as basis for [https://github.com/freenode/ircd-seven ircd-seven], developed and used by freenode. Freenode is actually the biggest IRC network[[https://bettercrypto.org/#_footnotedef_19 19]]. ''Charybdis'' is part of the ''Debian'' & ''Ubuntu'' distributions.
Listing 37. SSL relevant configuration for Charybdis/ircd-seven
/* Extensions */
<nowiki>#loadmodule "extensions/chm_sslonly_compat.so";</nowiki>
loadmodule "extensions/extb_ssl.so";
serverinfo {
    ssl_private_key = "etc/test.key";
    ssl_cert = "etc/test.cert";
    ssl_dh_params = "etc/dh.pem";
    <nowiki># set ssld_count as number of cores - 1</nowiki>
    ssld_count = 1;
};
listen {
    sslport = 6697;
};
 
=== SILC ===
[http://www.silcnet.org/ SILC] is instant messaging protocol publicly released in 2000. SILC is a per-default [https://en.wikipedia.org/wiki/SILC_(protocol) secure chat protocol] thanks to a generalized usage of symmetric encryption. Keys are generated by the server meaning that if compromised, communication could be compromised.
The protocol is not really popular anymore.
 
== Databases ==
 
=== Oracle ===
No information available / known.
 
=== MySQL ===
 
==== Tested with Versions ====
* MySQL 5.5 on Debian Wheezy
* MySQL 5.7.20 on Ubuntu 16.04.3
 
==== Settings ====
 
==== References ====
MySQL Documentation on [https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html Configuring MySQL to Use Encrypted Connections].
 
==== How to test ====
After restarting the server run the following query to see if the ssl settings are correct:
show variables like '%ssl%';
 
=== DB2 ===
 
==== Tested with Version ====
We do not test this here, since we only reference other papers for DB2 so far.
 
==== Settings ====
 
===== ssl_cipherspecs: =====
In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
Listing 38. Recommended and supported ciphersuites
db2 update dbm cfg using SSL_CIPHERSPECS
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 
==== References ====
IBM DB2 Documentation on ''Supported cipher suites''.[https://www.ibm.com/support/knowledgecenter/SSEPGG_9.7.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053544.html https://www.ibm.com/support/knowledgecenter/SSEPGG_9.7.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053544.html]
 
=== PostgreSQL ===
 
==== Tested with Versions ====
* Debian Wheezy and PostgreSQL 9.1
* Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
 
==== Settings ====
To start in SSL mode the <tt>server.crt</tt> and <tt>server.key</tt> must exist in the servers data directory <tt>$PGDATA</tt>.
 
{| style="border-spacing:0;width:13.102cm;"
|- style="border:none;padding:0.049cm;"
||
|| Starting with version 9.2, you have the possibility to set the path manually.
|-
|}
 
==== References ====
It’s recommended to read [https://www.postgresql.org/docs/9.1/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SECURITY Security and Authentication] in the manual.
PostgreSQL Documentation on [https://www.postgresql.org/docs/9.1/ssl-tcp.html Secure TCP/IP Connections with SSL].
PostgreSQL Documentation on [https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html Client Authentication].
 
==== How to test ====
To test your ssl settings, run <tt>psql</tt> with the sslmode parameter:
$ psql "sslmode=require host=postgres-server dbname=database" your-username
 
== Proxy Solutions ==
Within enterprise networks and corporations with increased levels of paranoia or at least some defined security requirements it is common '''not''' to allow direct connections to the public internet.
For this reason proxy solutions are deployed on corporate networks to intercept and scan the traffic for potential threats within sessions.
For encrypted traffic there are four options:* Block the connection because it cannot be scanned for threats.
* Bypass the threat-mitigation and pass the encrypted session to the client, which results in a situation where malicious content is transferred directly to the client without visibility to the security system.
* Intercept (i.e. terminate) the session at the proxy, scan there and re-encrypt the session towards the client (effectively MITM).
* Deploy special Certificate Authorities to enable Deep Packet Inspection on the wire.
While the latest solution might be the most "up to date", it arises a new front in the context of this paper, because the most secure part of a client’s connection could only be within the corporate network, if the proxy-server handles the connection to the destination server in an insecure manner.
Conclusion: Don’t forget to check your proxy solutions SSL-capabilities. Also do so for your reverse proxies!
 
=== Bluecoat / Symantec ===
Blue Coat Systems was a well-known manufacturer of enterprise proxy appliances. In 2016 it was acquired by Symantec. The products are now known as Symantec ProxySG and Advanced Secure Gateway (ASG).
The description below is for the original Blue Coat SG Operating System (SGOS).
BlueCoat Proxy SG Appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there only seems to be limited use of this feature "in the wild" - nonetheless there are a few cipher suites to choose from, when enabling SSL features.
 
==== Tested with Versions ====
 
{| style="border-spacing:0;width:10.343cm;"
|- style="border:none;padding:0.049cm;"
! align=center| Proxy Appliance
! align=center| SGOS 6.5.x
! align=center| Blue Coat, now Symantec
|-
|}
 
==== Only allow TLS 1.0,1.1 and 1.2 protocols: ====
$conf t
$(config)ssl
$(config ssl)edit ssl-device-profile default
$(config device-profile default)protocol tlsv1 tlsv1.1 tlsv1.2
  ok
 
==== Select your accepted cipher-suites: ====
$conf t
Enter configuration commands, one per line.  End with CTRL-Z.
$(config)proxy-services
$(config proxy-services)edit ReverseProxyHighCipher
$(config ReverseProxyHighCipher)attribute cipher-suite
Cipher#  Use        Description        Strength
<nowiki>------- </nowiki> ---  <nowiki>----------------------- </nowiki> <nowiki>--------</nowiki>
      1  yes            AES128-SHA256      High
      2  yes            AES256-SHA256      High
      3  yes              AES128-SHA    Medium
      4  yes              AES256-SHA      High
      5  yes      DHE-RSA-AES128-SHA      High
      6  yes      DHE-RSA-AES256-SHA      High
              [...]
    13  yes          EXP-RC2-CBC-MD5    Export
Select cipher numbers to use, separated by commas: 2,5,6
  ok
The same protocols are available for forward proxy settings and should be adjusted accordingly: In your local policy file add the following section:
<ssl>
    DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)
Disabling protocols and ciphers in a forward proxy environment could lead to unexpected results on certain (misconfigured?) webservers (i.e. ones accepting only SSLv2/3 protocol connections)
 
=== HAProxy ===
See [https://www.haproxy.org/ https://www.haproxy.org/]
See [https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/]
See [https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn]
See [https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.ssl.cachesize https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.ssl.cachesize]
See [https://kura.io/2014/07/02/haproxy-ocsp-stapling/ https://kura.io/2014/07/02/haproxy-ocsp-stapling/]
See [https://kura.io/2015/01/27/hpkp-http-public-key-pinning-with-haproxy/ https://kura.io/2015/01/27/hpkp-http-public-key-pinning-with-haproxy/]
HAProxy can be used as loadbalancer and proxy for TCP and HTTP-based applications. Since version 1.5 it supports SSL and IPv6.
 
==== Tested with Versions ====
HAProxy 1.5.11 with OpenSSL 1.0.1e on Debian Wheezy
 
==== Settings ====
Listing 39. global configuration
global
    ssl-default-bind-ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    ssl-default-bind-options no-sslv3 no-tls-tickets #disable SSLv3
    tune.ssl.default-dh-param 2048 #tune DH to 2048
Listing 40. frontend configuration
frontend public
    bind *:80
    bind *:443 ssl crt server.pem
    mode http
    redirect scheme https code 301 if !{ ssl_fc } # redirect HTTP to HTTPS
Listing 41. backend configuration
backend backend
    mode http
    server server 192.168.1.1:80 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=15768000;\ includeSubDomains #enable HSTS header for this backend
 
==== Additional Settings ====
 
==== Enable NPN Support: ====
    bind *:443 ssl crt server.pem npn "http/1.1,http/1.0"
Append the npn command in the frontend configuration of HAProxy.
 
==== Enable OCSP stapling: ====
HAProxy supports since version 1.5.0 OCSP stapling. To enable it you have to generate the OCSP singing file in the same folder, with the same name as your certificate file plus the extension .ocsp. (e.g. your certificate file is named server.crt then the OCSP file have to be named server.crt.oscp)To generate the OCSP file use these commands:
$ openssl x509 -in your.certificate.crt -noout -ocsp_uri # <- get your ocsp uri
$ openssl ocsp -noverify -issuer ca.root.cert.crt -cert your.certificate.crt -url "YOUR OCSP URI" -respout your.certificate.crt.ocsp
Reload HAProxy and now OCSP stapling should be enabled.Note: This OCSP signature file is only valid for a limited time. The simplest way of updating this file is by using cron.daily or something similar.
 
==== Enable HPKP: ====
Get certificate informations:
$ openssl x509 -in server.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
Then you append the returned string in the HAProxy configuration. Add the following line to the backend configuration:
rspadd Public-Key-Pins:\ pin-sha256="YOUR_KEY";\ max-age=15768000;\ includeSubDomains
Reload HAProxy and HPKP should now be enabled.Note: Keep in mind to generate a backup key in case of problems with your primary key file.
 
==== How to test ====
See appendix [https://bettercrypto.org/#tools Tools]
 
=== Pound ===
 
==== Tested with Versions ====
Pound 2.6
See [http://www.apsis.ch/pound http://www.apsis.ch/pound]
See [https://help.ubuntu.com/community/Pound https://help.ubuntu.com/community/Pound]
 
==== Settings ====
Listing 42. HTTPS Listener in Pound
<nowiki># HTTP Listener, redirects to HTTPS</nowiki>
ListenHTTP
    Address 10.10.0.10
    Port    80
    Service
        Redirect "https://some.site.tld"
    End
End
<nowiki>## HTTPS Listener</nowiki>
ListenHTTPS
    Address      10.10.0.10
    Port        443
    AddHeader    "Front-End-Https: on"
    Cert        "/path/to/your/cert.pem"
    <nowiki>## See 'man ciphers'.</nowiki>
    Ciphers      "TLSv1.2:TLSv1.1:!SSLv3:!SSLv2:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
    Service
        BackEnd
            Address 10.20.0.10
            Port 80
        End
    End
End
 
=== stunnel ===
 
==== Tested with Versions ====
* stunnel 4.53-1.1ubuntu1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f, without disabling Secure Client-Initiated Renegotiation
* stunnel 5.02-1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f
* stunnel 4.53-1.1 on Debian Wheezy with OpenSSL 1.0.1e, without disabling Secure Client-Initiated Renegotiation
 
==== Settings ====
Listing 43. HTTPS Listener in stunnel
ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
curve = secp384r1
options = NO_SSLv2
options = NO_SSLv3
options = cipher_server_preference
<nowiki>; Secure Client-Initiated Renegotiation can only be disabled wit stunnel >= 4.54</nowiki>
<nowiki>;renegotiation = no</nowiki>
 
==== Additional information ====
Secure Client-Initiated Renegotiation can only be disabled for stunnel versions >= 4.54, when the renegotiation parameter has been added (See changelog).
 
==== References ====
stunnel documentation: [https://www.stunnel.org/static/stunnel.html https://www.stunnel.org/static/stunnel.html]
stunnel changelog: [https://www.stunnel.org/sdf_ChangeLog.html https://www.stunnel.org/sdf_ChangeLog.html]
 
==== How to test ====
See appendix [https://bettercrypto.org/#tools Tools]
 
== Kerberos ==
This section discusses various implementations of the Kerberos 5 authentication protocol on Unix and Unix-like systems as well as on Microsoft Windows.
 
=== Overview ===
Kerberos provides mutual authentication of two communicating parties, e.g. a user using a network service. The authentication process is mediated by a trusted third party, the Kerberos key distribution centre (KDC). Kerberos implements secure single-sign-on across a large number of network protocols and operating systems. Optionally, Kerberos can be used to create encrypted communications channels between the user and service.
 
==== Recommended reading ====
An understanding of the Kerberos protocol is necessary for properly implementing a Kerberos setup. Also, in the following section some knowledge about the inner workings of Kerberos is assumed. Therefore we strongly recommend reading the excellent introduction [http://gost.isi.edu/publications/kerberos-neuman-tso.html Kerberos: An Authentication Service for Computer Networks] first.
No further overview over Kerberos terminology and functions will be provided, for a discussion and a selection of relevant papers refer to [https://web.mit.edu/kerberos/papers.html Kerberos Papers and Documentation].
The Kerberos protocol over time has been extended with a variety of extensions and Kerberos implementations provide additional services in addition to the aforementioned KDC. All discussed implementations provide support for trust relations between multiple realms, an administrative network service (kerberos-adm, kadmind) as well as a password changing service (kpasswd). Sometimes, alternative database backends for ticket storage, X.509 and SmartCard authentication are provided. Of those, only administrative and password changing services will be discussed.
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| Protocol versions
Only the Kerberos 5 protocol and implementation will be discussed. Kerberos 4 is obsolete, insecure and its use is strongly discouraged.
|-
|}
 
==== Providing a suitable Setup for secure Kerberos Operations ====
The aim of Kerberos is to unify authentication across a wide range of services, for many different users and use cases and on many computer platforms. The resulting complexity and attack surface make it necessary to carefully plan and continuously evaluate the security of the overall ecosystem in which Kerberos is deployed. Several assumptions are made on which the security of a Kerberos infrastructure relies:* Every KDC in a realm needs to be trustworthy. The KDC’s principal database must not become known to or changed by an attacker. The contents of the principal database enables the attacker to impersonate any user or service in the realm.
* Synchronisation between KDCs must be secure, reliable and frequent. An attacker that is able to intercept or influence synchronisation messages obtains or influences parts of the principal database, enabling impersonation of affected principals. Unreliable or infrequent synchronisation enlarges the window of vulnerability after disabling principals or changing passwords that have been compromised or lost.
* KDCs must be available. An attacker is able to inhibit authentication for services and users by cutting off their access to a KDC.
* Users’ passwords must be secure. Since Kerberos is a single-sign-on mechanism, a single password may enable an attacker to access a large number of services.
* Service keytabs need to be secured against unauthorized access similarly to SSL/TLS server certificates. Obtaining a service keytab enables an attacker to impersonate a service.
* DNS infrastructure must be secure and reliable. Hosts that provide services need consistent forward and reverse DNS entries. The identity of a service is tied to its DNS name, similarly the realm a client belongs to as well as the KDC, kpasswd and kerberos-adm servers may be specified in DNS TXT and SRV records. Spoofed DNS entries will cause denial-of-service situations and might endanger ([https://bettercrypto.org/#bibliography-default-MITKrbDoc:realm_config i_mit_Realm configuration decisions_, 2013]) the security of a Kerberos realm.
* Clients and servers in Kerberos realms need to have synchronized clocks. Tickets in Kerberos are created with a limited, strictly enforced lifetime. This limits an attacker’s window of opportunity for various attacks such as the decryption of tickets in sniffed network traffic or the use of tickets read from a client computer’s memory. Kerberos will refuse tickets with old timestamps or timestamps in the future. This would enable an attacker with access to a systems clock to deny access to a service or all users logging in from a specific host.
Therefore we suggest:* Secure all KDCs at least as strongly as the most secure service in the realm.
* Dedicate physical (i.e. non-VM) machines to be KDCs. Do not run any services on those machines beyond the necessary KDC, kerberos-adm, kpasswd and kprop services.
* Restrict physical and administrative access to the KDCs as severely as possible. E.g. ssh access should be limited to responsible adminstrators and trusted networks.
* Encrypt and secure the KDCs backups.
* Replicate your primary KDC to at least one secondary KDC.
* Prefer easy-to-secure replication (propagation in Kerberos terms) methods.Especially avoid LDAP replication and database backends. LDAP enlarges the attack surface of your KDC and facilitates unauthorized access to the principal database e.g. by ACL misconfiguration.
* Use DNSSEC. If that is not possible, at least ensure that all servers and clients in a realm use a trustworthy DNS server contacted via secure network links.
* Use NTP on a trustworthy server via secure network links.
* Avoid services that require the user to enter a password which is then checked against Kerberos. Prefer services that are able to use authentication via service tickets, usually not requiring the user to enter a password except for the initial computer login to obtain a ticket-granting-ticket (TGT). This limits the ability of attackers to spy out passwords through compromised services.
 
=== Implementations ===
 
==== Cryptographic Algorithms in Kerberos Implementations ====
The encryption algorithms (commonly abbreviated ’etypes’ or ’enctypes’) in Kerberos exchanges are subject to negotiation between both sides of an exchange. Similarly, a ticket granting ticket (TGT), which is usually obtained on initial login, can only be issued if the principal contains a version of the password encrypted with an etype that is available both on the KDC and on the client where the login happens.
Therefore, to ensure interoperability among components using different implementations as shown in [https://bettercrypto.org/#kerberos_enctypes Commonly supported Kerberos encryption types by implementation. Algorithm names], a selection of available etypes is necessary. However, the negotiation process may be subject to downgrade attacks and weak hashing algorithms endanger integrity protection and password security.
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
||
|| This means that the <tt>des3-cbc-sha1-kd</tt> or <tt>rc4-hmac algorithms</tt> should not be used, except if there is a concrete and unavoidable need to do so. Other <tt>des3-*</tt>, <tt>des-*</tt> and <tt>rc4-hmac-exp</tt> algorithms should never be used.
|-
|}
Along the lines of cipher string B, the following etypes are recommended: <tt>aes256-cts-hmac-sha1-96</tt> <tt>camellia256-cts-cmac</tt> <tt>aes128-cts-hmac-sha1-96</tt> <tt>camellia128-cts-cmac</tt>.
Commonly supported Kerberos encryption types by implementation. Algorithm names
according to RFC3961, except where aliases can be used or the algorithm is named differently altogether as stated ([https://bettercrypto.org/#bibliography-default-rfc3962 Raeburn, 2005])
 
{| style="border-spacing:0;width:17cm;"
|- style="border:none;padding:0.049cm;"
! align=center| ID
! align=center| Algorithm
! align=center| MIT
! align=center| Heimdal
! align=center| GNU Shishi
! align=center| MS ActiveDirectory
|- style="border:none;padding:0.049cm;"
|| 1
|| des-cbc-crc
|| yes
|| yes
|| yes
|| yes
|- style="border:none;padding:0.049cm;"
|| 2
|| des-cbc-md4
|| yes
|| yes
|| yes
|| no
|- style="border:none;padding:0.049cm;"
|| 3
|| des-cbc-md5
|| yes
|| yes
|| yes
|| yes
|- style="border:none;padding:0.049cm;"
|| 6
|| des3-cbc-none
|| no
|| yes
|| yes
|| no
|- style="border:none;padding:0.049cm;"
|| 7
|| des3-cbc-sha1
|| no
|| yes[[https://bettercrypto.org/#_footnotedef_20 20]]
|| no
|| no
|- style="border:none;padding:0.049cm;"
|| 16
|| des3-cbc-sha1-kd
|| yes[[https://bettercrypto.org/#_footnotedef_21 21]]
|| yesfoonote:[named des3-cbc-sha1]
|| yes
|| no
|- style="border:none;padding:0.049cm;"
|| 17
|| aes128-cts-hmac-sha1-96
|| yes
|| yes
|| yes
|| yesfoonote:[since Vista, Server 2008]
|- style="border:none;padding:0.049cm;"
|| 18
|| aes256-cts-hmac-sha1-96
|| yes
|| yes
|| yes
|| yes[[https://bettercrypto.org/#_footnotedef_22 22]]
|- style="border:none;padding:0.049cm;"
|| 23
|| rc4-hmac
|| yes
|| yes
|| yes
|| yes
|- style="border:none;padding:0.049cm;"
|| 24
|| rc4-hmac-exp
|| yes
|| no
|| yes
|| yes
|- style="border:none;padding:0.049cm;"
|| 25
|| camellia128-cts-cmac
|| yes[[https://bettercrypto.org/#_footnotedef_23 23]]
|| no
|| no
|| no
|- style="border:none;padding:0.049cm;"
|| 26
|| camellia256-cts-cmac
|| yes[[https://bettercrypto.org/#_footnotedef_24 24]]
|| no
|| no
|| no
|-
|}
 
==== Existing installations ====
The configuration samples below assume new installations without preexisting principals.
For existing installations:* Existing setups should be migrated to a new master key if the current master key is using a weak enctype.
* When changing the list of supported_enctypes, principals where all enctypes are no longer supported will cease to work.
* Be aware that Kerberos 4 is obsolete and should not be used.
* Principals with weak enctypes pose an increased risk for password bruteforce attacks if an attacker gains access to the database.
To get rid of principals with unsupported or weak enctypes, a password change is usually the easiest way. Service principals can simply be recreated.
 
==== MIT krb5 ====
 
===== KDC configuration =====
In <tt>/etc/krb5kdc/kdc.conf</tt> set the following in your realm’s configuration:
Listing 44. Encryption flags for MIT krb5 KDC
supported_enctypes = aes256-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal aes128-cts-hmac-sha1-96:normal camellia128-cts-cmac:normal
default_principal_flags = +preauth
In <tt>/etc/krb5.conf</tt> set in the <tt>[libdefaults]</tt> section:
Listing 45. Encryption flags for MIT krb5 client
[libdefaults]
allow_weak_crypto = false
permitted_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac -sha1-96 camellia128-cts-cmac
default_tkt_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
default_tgs_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
 
===== Upgrading a MIT krb5 database to a new enctype =====
To check if an upgrade is necessary, execute the following on the KDC in question:
root@kdc.example.com:~# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970 *
 
{| style="border-spacing:0;width:15.658cm;"
|- style="border:none;padding:0.049cm;"
||
|| In this case, an old unsafe enctype is in use as indicated by the star following the key line.
|-
|}
To upgrade, proceed as follows. First create a new master key for the database with the appropriate enctype. You will be prompted for a master password that can later be used to decrypt the database. A stash-file containing this encryption key will also be written.
root@kdc.example.com:~# kdb5_util add_mkey -s -e aes256-cts-hmac-sha1-96
Creating new master key for master key principal 'K/M@EXAMPLE.COM'
You will be prompted for a new database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Verify that the new master key has been successfully created. Note the key version number (KVNO) of the new master key, in this case 2.
root@kdc.example.com:~# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970 *
Set the new master key as the active master key by giving its KVNO. The active master key will be indicated by an asterisk in the master key list.
root@kdc.example.com:~# kdb5_util use_mkey 2
root@kdc.example.com:~# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed May 13 14:14:18 UTC 2015 *
KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970
Reencrypt all principals to the new master key.
root@kdc.example.com:~# kdb5_util update_princ_encryption
Re-encrypt all keys not using master key vno 2?
(type 'yes' to confirm)? yes
504 principals processed: 504 updated, 0 already current
After verifying that everything still works as desired it is possible to remove unused master keys.
root@kdc.example.com:~# kdb5_util purge_mkeys
Will purge all unused master keys stored in the 'K/M@EXAMPLE.COM' principal, are you sure?
(type 'yes' to confirm)? yes
OK, purging unused master keys from 'K/M@EXAMPLE.COM'...
Purging the following master key(s) from K/M@EXAMPLE.COM:
KVNO: 1
1 key(s) purged.
 
== Weblinks ==
# https://bettercrypto.org/
 
[[Kategorie:Verschlüsselung]]

Aktuelle Version vom 31. Mai 2023, 14:39 Uhr

Unterkategorien

Diese Kategorie enthält nur die folgende Unterkategorie:

S

Abgerufen von „https://wiki.foxtom.de/index.php?title=Kategorie:Kryptografie/Best_Practice&oldid=72379