Kryptografie/Best Practice: Unterschied zwischen den Versionen
K Dirkwagner verschob die Seite Verschlüsselung:Best Practice nach Kryptografie:Best Practice: Textersetzung - „Verschlüsselung“ durch „Kryptografie“ |
K Textersetzung - „GPG“ durch „GnuPG“ |
||
(28 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 1: | Zeile 1: | ||
=== Schlüssellängen === | |||
{{:Kryptografie/Schlüssellängen}} | |||
=== Secure Shell === | |||
{{:SSH/Kryptografie}} | |||
=== GnuPG === | |||
{{:Kryptografie/GnuPG}} | |||
{{:Kryptografie/Webserver}} | |||
=== Mailserver === | |||
{{:Kryptografie/Mailserver}} | |||
=== Proxy === | |||
{{:Kryptografie/Proxy}} | |||
=== VPN === | |||
{{:Kryptografie/VPN}} | |||
=== Datenbank === | |||
{{:Datenbank/Kryptografie}} | |||
<noinclude> | |||
[[Kategorie:Kryptografie/Best Practice]] | |||
</noinclude> |
Aktuelle Version vom 18. Februar 2024, 12:52 Uhr
Schlüssellängen
Empfehlungen
Verfahren | Schlüssellänge |
---|---|
Asymmetrische Public-Key-Kryptographie | 4096 Bit |
Kryptographie mit elliptischen Kurven | 512 Bit |
Symmetrische Algorithmen | 256 Bit |
Schlüssellängen müssen regelmäßig angepasst werden
- Auswahlkriterien für Algorithmus und Schlüssellänge
- Wert der Informationen
- Dauer des Schutzes
- Jahre, die Daten vertraulich bleiben müssen
keylength.com
Secure Shell
Umgang mit Schlüsselmaterial
Schlüsselmaterial identifiziert die kryptografischen Geheimnisse, aus denen ein Schlüssel besteht.
- Sämtliches Schlüsselmaterial muss als RESTRICTED-Daten behandelt werden
- Nur Personen mit spezieller Ausbildung und dem Bedarf an Wissen sollten Zugang zu Schlüsselmaterial haben.
- Das Schlüsselmaterial muss bei der Übertragung verschlüsselt werden.
- Schlüsselmaterial kann im Klartext gespeichert werden, aber nur mit einer angemessenen Zugangskontrolle (begrenzter Zugang).
Keys | Beschreibung |
---|---|
Server Keys | /etc/ssh/ssh_host_*key |
Client Keys | /.ssh/id_{rsa,dsa,ecdsa,ed25519} ~/.ssh/identity |
Chiffren und Algorithmen
- Wahl der Chiffren und Algorithmen
Aktuelle OpenSSH-Server und -Client unterstützen CHACHA20
- Wenn CHACHA20 (OpenSSH 6.5+) nicht verfügbar ist
- AES-GCM (OpenSSH 6.1+) und jeder andere Algorithmus, der EtM (Encrypt then MAC) verwendet legt die Paketlänge offen - was dem Angreifer einige Informationen liefert.
- NIST-Kurven (ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256) sind aus Kompatibilitätsgründen aufgeführt, aber die Verwendung von Kurve25519 wird generell bevorzugt.
- SSH protocol 2
- DH
- ECDH key-exchange
- forward secrecy
- Group sizes
Die verschiedenen Algorithmen, die von einer bestimmten OpenSSH-Version unterstützt werden, lassen sich mit den folgenden Befehlen auflisten
$ ssh -Q cipher $ ssh -Q cipher-auth $ ssh -Q mac $ ssh -Q kex $ ssh -Q key
Anmelde-Latenz
- Client-Schlüsselgröße und Anmelde-Latenz
Ermitteln der Auswirkungen der Verwendung größerer Schlüssel auf die Leistung.
- z.B. RSA 4096 Bytes Schlüssel - auf der Client-Seite
Tests
Idle, i7 4500 intel CPU
- OpenSSH_6.7p1
- OpenSSL 1.0.1l
- ed25519 server keys
Der folgende Befehl wird 10 Mal ausgeführt
time ssh localhost -i .ssh/id_thekey exit
- Ergebnisse
Client key | Minimum | Maximum | Average |
RSA 4096 | 120ms | 145ms | 127ms |
RSA 2048 | 120ms | 129ms | 127ms |
ed25519 | 117ms | 138ms | 120ms |
Zusammenfassung
- Latenzunterschiede sind nicht signifikant
- Sie beeinträchtigen die Leistung nicht wesentlich
Konfiguration
SSH/Kryptografie/Konfiguration
GnuPG
Apache
Note that any cipher suite starting with EECDH can be omitted, if in doubt. (Compared to the theory section, EECDH in Apache and ECDHE in OpenSSL are synonyms [4])
Tested with Versions
- Apache 2.2.22, Debian Wheezy with OpenSSL 1.0.1e
- Apache 2.4.6, Debian Jessie with OpenSSL 1.0.1e
- Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k
- Apache 2.4.7, Ubuntu 14.04.2 Trusty with OpenSSL 1.0.1f
- Apache 2.4.6, CentOS Linux 7 (Core) with OpenSSL 1.0.1e
- Apache 2.4.18, Ubuntu 16.04.3 LTS with OpenSSL 1.0.2g
Settings
Enabled modules SSL and Headers are required.
- SSL configuration for an Apache vhost
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCompression off Header always set Strict-Transport-Security "max-age=15768000" # Strict-Transport-Security: "max-age=15768000 ; includeSubDomains" Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\"" SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
Add six earth month HSTS header for all users… | |
If you want to protect all subdomains, use the following header. ALL subdomains HAVE TO support HTTPS if you use this! | |
CALL subdomains HAVE TO support HTTPS if you use this! At least use one Backup-Key and/or add whole CA, think of Cert-Updates! |
Additional settings
You might want to redirect everything to https:// if possible. In Apache you can do this with the following setting inside of a VirtualHost environment:
- https auto-redirect vhost
<VirtualHost *:80> Redirect permanent / https://SERVER_NAME/ </VirtualHost>
References
How to test
See appendix Tools
lighttpd
Tested with Versions
- lighttpd/1.4.31-4 with OpenSSL 1.0.1e on Debian Wheezy
- lighttpd/1.4.33 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
- lighttpd/1.4.28-2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
- lighttpd/1.4.31, Ubuntu 14.04.2 Trusty with Openssl 1.0.1f
Settings
- SSL configuration for lighttpd
$SERVER["socket"] == "0.0.0.0:443" { ssl.engine = "enable" ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable" ssl.pemfile = "/etc/lighttpd/server.pem" ssl.ca-file = "/etc/ssl/certs/server.crt" ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA" ssl.honor-cipher-order = "enable" setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000") # six months # use this only if all subdomains support HTTPS! # setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains") }
Starting with lighttpd version 1.4.29 Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols are supported. By default, elliptic curve "prime256v1" (also "secp256r1") will be used, if no other is given. To select special curves, it is possible to set them using the configuration options ssl.dh-file and ssl.ec-curve.
- SSL EC/DH configuration for lighttpd
# use group16 dh parameters ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem" ssl.ec-curve = "secp384r1"
Please read section A note on Diffie Hellman Key Exchanges for more information on Diffie Hellman key exchange and elliptic curves.
Additional settings
As for any other webserver, you might want to automatically redirect http:// traffic toward https://. It is also recommended to set the environment variable HTTPS, so the PHP applications run by the webserver can easily detect that HTTPS is in use.
- https auto-redirect configuration
$HTTP["scheme"] == "http" { # capture vhost name with regex condition -> %0 in redirect pattern # must be the most inner block to the redirect rule $HTTP["host"] =~ ".*" { url.redirect = (".*" => "https://%0$0") } # Set the environment variable properly setenv.add-environment = ( "HTTPS" => "on" ) }
Additional information
The config option honor-cipher-order is available since 1.4.30, the supported ciphers depend on the used OpenSSL-version (at runtime). ECDHE has to be available in OpenSSL at compile-time, which should be default. SSL compression should by deactivated by default at compile-time (if not, it’s active). Support for other SSL-libraries like GnuTLS will be available in the upcoming 2.x branch, which is currently under development.
References
- How to redirect HTTP requests to HTTPS
- Lighttpd Docs: Secure HTTP
- Release 1.4.30 (How to mitigate BEAST attack)
- Lightpd issue: SSL Compression disabled by default
How to test
See appendix Tools
nginx
Tested with Version
- 1.4.4 with OpenSSL 1.0.1e on OS X Server 10.8.5
- 1.2.1-2.2+wheezy2 with OpenSSL 1.0.1e on Debian Wheezy
- 1.4.4 with OpenSSL 1.0.1e on Debian Wheezy
- 1.2.1-2.2 bpo60+2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
- 1.4.6 with OpenSSL 1.0.1f on Ubuntu 14.04.2 LTS
Settings
- SSL settings for nginx
ssl on; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'; add_header Strict-Transport-Security "max-age=15768000"; # six months # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
Use this only if all subdomains support HTTPS! |
If you absolutely want to specify your own DH parameters, you can specify them via ssl_dhparam file. However, we advise you to read section A note on Diffie Hellman Key Exchanges and stay with the standard IKE/IETF parameters (as long as they are >1024 bits).
Additional settings
If you decide to trust NIST’s ECC curve recommendation, you can add the following line to nginx’s configuration file to select special curves:
- SSL EC/DH settings for nginx
ssl_ecdh_curve secp384r1;
You might want to redirect everything to https:// if possible. In Nginx you can do this with the following setting:
- https auto-redirect in nginx
return 301 https://$server_name$request_uri;
The variable $server_name refers to the first server_name entry in your config file. If you specify more than one server_name only the first will be taken. Please be sure to not use the $host variable here because it contains data controlled by the user.
References
How to test
See appendix Tools
Cherokee
Tested with Version
- Cherokee/1.2.104 on Debian Wheezy with OpenSSL 1.0.1e 11 Feb 2013
Settings
The configuration of the cherokee webserver is performed by an admin interface available via the web. It then writes the configuration to /etc/cherokee/cherokee.conf, the important lines of such a configuration file can be found at the end of this section.
- General Settings
- Network
- SSL/TLS back-end: OpenSSL/libssl
- Ports to listen
- Port: 443, TLS: TLS/SSL port
- Network
- Virtual Servers, For each vServer on tab Security:
- Required SSL/TLS Values: Fill in the correct paths for Certificate and Certificate key
- Advanced Options
- Ciphers:
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA- Server Preference: Prefer
- Compression: Disabled
- Ciphers:
- Advanced: TLS
- SSL version 2 and SSL version 3: No
- TLS version 1, TLS version 1.1 and TLS version 1.2: Yes
Additional settings
For each vServer on the Security tab it is possible to set the Diffie Hellman length to up to 4096 bits. We recommend to use >1024 bits. More information about Diffie-Hellman and which curves are recommended can be found in section A note on Diffie Hellman Key Exchanges. In Advanced: TLS it is possible to set the path to a Diffie Hellman parameters file for 512, 1024, 2048 and 4096 bits. HSTS can be configured on host-basis in section vServers / Security / HTTP Strict Transport Security (HSTS):* Enable HSTS: Accept
- HSTS Max-Age: 15768000
- Include Subdomains: depends on your setup
To redirect HTTP to HTTPS, configure a new rule per Virtual Server in the Behavior tab. The rule is SSL/TLS combined with a NOT operator. As Handler define Redirection and use /(.*)$ as Regular Expression and +https://$\{host}/$1+ as Substitution.
- SSL configuration for cherokee
server!bind!2!port = 443 server!bind!2!tls = 1 server!tls = libssl vserver!1!hsts = 1 vserver!1!hsts!max_age = 15768000 vserver!1!hsts!subdomains = 1 vserver!1!rule!5!handler = redir vserver!1!rule!5!handler!rewrite!10!regex = /(.*)$ vserver!1!rule!5!handler!rewrite!10!show = 1 vserver!1!rule!5!handler!rewrite!10!substring = https://${host}/$1 vserver!1!rule!5!handler!type = just_about vserver!1!rule!5!match = not vserver!1!rule!5!match!right = tls vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key vserver!1!ssl_cipher_server_preference = 1 vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA vserver!1!ssl_compression = 0 vserver!1!ssl_dh_length = 2048
References
How to test
See appendix Tools
MS IIS
To configure SSL/TLS on Windows Server IIS Crypto can be used. Simply start the Programm, no installation required. The tool changes the registry keys described below. A restart is required for the changes to take effect. "IIS Crypto Tool" Instead of using the IIS Crypto Tool the configuration can be set using the Windows Registry. The following Registry keys apply to the newer Versions of Windows (Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2). For detailed information about the older versions see the Microsoft knowledgebase article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
Tested with Version
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Vista and Internet Explorer 7 and upwards
- Windows 7 and Internet Explorer 8 and upwards
- Windows 8 and Internet Explorer 10 and upwards
- Windows 8.1 and Internet Explorer 11
Settings
When trying to avoid RC4 (RC4 biases) as well as CBC (BEAST-Attack) by using GCM and to support perfect forward secrecy, Microsoft SChannel (SSL/TLS, Auth,.. Stack) supports ECDSA but lacks support for RSA signatures (see ECC suite B doubts). Since one is stuck with ECDSA, an elliptic curve certificate needs to be used. The configuration of cipher suites MS IIS will use, can be configured in one of the following ways:# Group Policy: Prioritizing Schannel Cipher Suites
- Registry: How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
- IIS Crypto
- Powershell
Table Client support shows the process of turning on one algorithm after another and the effect on the supported clients tested using https://www.ssllabs.com. SSL 3.0, SSL 2.0 and MD5 are turned off. TLS 1.0 and TLS 1.2 are turned on. Table 1. Client support
Cipher Suite | Client |
---|---|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256+ | only IE 10,11, OpenSSL 1.0.1e |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256+ | Chrome 30, Opera 17, Safari 6+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA+ | FF 10-24, IE 8+, Safari 5, Java 7 |
Table Client support shows the algorithms from strongest to weakest and why they need to be added in this order. For example insisting on SHA-2 algorithms (only first two lines) would eliminate all versions of Firefox, so the last line is needed to support this browser, but should be placed at the bottom, so capable browsers will choose the stronger SHA-2 algorithms. TLS_RSA_WITH_RC4_128_SHA or equivalent should also be added if MS Terminal Server Connection is used (make sure to use this only in a trusted environment). This suite will not be used for SSL, since we do not use a RSA Key.
Clients not supported:
- Java 6
- WinXP
- Bing
Additional settings
It’s recommended to use ´Strict-Transport-Security: max-age=15768000` for detailed information visit the Microsoft knowledgebase article in custom Headers. You might want to redirect everything to https:// if possible. In IIS you can do this with the following setting by Powershell: Set-WebConfiguration -Location "$WebSiteName/$WebApplicationName" `
-Filter 'system.webserver/security/access' ` -Value "SslRequireCert"
Justification for special settings (if needed)
References
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
- How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
How to test
See appendix Tools
Mailserver
Mailserver
This section documents the most common mail servers. Mail servers may usually be grouped into three categories:
- Mail Submission Agent (MSA)
- Mail Transfer Agent (MTA) / Mail Exchanger (MX)
- Mail Delivery Agent (MDA)
An email client (mail user agent, MUA) submits mail to the MSA. This is usually been done using the Simple Mail Transfer Protocol (SMTP). Afterwards, the mail is transmitted by the MTA over the Internet to the MTA of the receiver. This happens again via SMTP. Finally, the mail client of the receiver will fetch mail from an MDA usually via the Internet Message Access Protocol (IMAP) or the Post Office Protocol (POP). As MSAs and MTAs both use SMTP as transfer protocols, both functionalities may often be implemented with the same software. On the other hand, MDA software might or might not implement both IMAP and POP.
TLS usage in mail server protocols
Email protocols support TLS in two different ways. It may be added as a protocol wrapper on a different port. This method is referred to as Implicit TLS or as protocol variants SMTPS, IMAPS and POP3S. The other method is to establish a cleartext session first and switch to TLS afterwards by issuing the STARTTLS command. SMTP between MTAs usually makes use of opportunistic TLS. This means that an MTA will accept TLS connections when asked for it but will not require it. MTAs should always try opportunistic TLS handshakes outgoing and always accept incoming opportunistic TLS.
Recommended configuration
We recommend to use the following settings for Mail Transfer Agents:* correctly setup MX, A and PTR RRs without using CNAMEs at all
- the hostname used as HELO/EHLO in outgoing mail shall match the PTR RR
- enable opportunistic TLS, using the STARTTLS mechanism on port 25
- Implicit TLS on port 465 may be offered additionally
- use server and client certificates (most server certificates are client certificates as well)
- either the common name or at least an alternate subject name of the certificate shall match the PTR RR (client mode) or the MX RR (server mode)
- do not use self signed certificates
- accept all cipher suites, as the alternative would be to fall back to cleartext transmission
- an execption to the last sentence is that MTAs MUST NOT enable SSLv2 protocol support, due to the DROWN attack.
For MSA operation we recommend:* listen on submission port 587 with mandatory STARTTLS
- optionally listen on port 465 with Implicit TLS
- enforce SMTP AUTH even for local networks
- ensure that SMTP AUTH is not allowed on unencrypted connections
- only use the recommended cipher suites if all connecting MUAs support them
For MDA operation we recommend:* listen on the protocol port (143 for IMAP, 110 for POP3) with mandatory STARTTLS
- optionally listen on Implicit TLS ports (993 for IMAPS, 995 for POP3S)
- enforce authentication even for local networks
- make sure that authentication is not allowed on unencrypted connections
- use the recommended cipher suites if all connecting MUAs support them
- turn off SSLv2 (see: DROWN attack)
Dovecot
Tested with Versions
Table 4. Tested Dovecot Versions
Program Version | OS/Distribution/Version | Comment |
---|---|---|
2.1.7 | Debian Wheezy | without ssl_prefer_server_ciphers |
2.2.9 | Debian Jessie | |
2.2.13 | Debian 8.2 Jessie | |
2.0.19apple1 | OS X Server 10.8.5 | without ssl_prefer_server_ciphers |
2.2.9 | Ubuntu 14.04 Trusty | |
2.2.31 | Ubuntu 16.04.3 LTS |
Settings
- Dovecot SSL Configuration
# SSL protocols to use, disable SSL, use TLS only ssl_protocols = !SSLv3 !SSLv2 # SSL ciphers to use ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA # Prefer the server's order of ciphers over client's. (Dovecot >=2.2.6 Required) ssl_prefer_server_ciphers = yes # Diffie-Hellman parameters length (Default is 1024, Dovecot >=2.2.7 Required) # ToDo: for ReGenerating DH-Parameters: # manually delete /var/lib/dovecot/ssl-parameters.dat and restart # Dovecot to regenerate /var/lib/dovecot/ssl-parameters.dat ssl_dh_parameters_length = 2048 # Disable Compression (Dovecot >= 2.2.14 Required) # ssl_options = no_compression
Dovecot 2.0, 2.1: Almost as good as dovecot 2.2. Dovecot does not ignore unknown configuration parameters. Does not support ssl_prefer_server_ciphers. |
Limitations
Dovecot <2.2.14 does not support disabling TLS compression.
- In >2.2.14 [6] use: ssl_options = no_compression
Dovecot <2.2.7 uses fixed DH parameters.
- In >2.2.7 [7] greater DH-Parameters are supported: ssl_dh_parameters_length = 2048.
References
How to test
$ openssl s_client -crlf -connect example.com:993 $ openssl s_client -crlf -connect example.com:995 $ openssl s_client -crlf -starttls imap -connect example.com:143 $ openssl s_client -crlf -starttls pop3 -connect example.com:110
SSLyze offers scanning for common vulnerabilities and displays Protocols and Cipher-Suites.
$ sslyze.exe --regular example.com:993 $ sslyze.exe --regular example.com:995 $ sslyze.exe --regular --starttls=imap example.com:143 $ sslyze.exe --regular --starttls=pop3 example.com:110
Postfix
Tested with Versions
Tested Postfix Versions
Program Version | OS/Distribution/Version | Comment |
---|---|---|
2.9.6 | Debian Wheezy | with OpenSSL 1.0.1e |
2.11.0 | Ubuntu 14.04.02 | with OpenSSL 1.0.1f |
3.1.0 | Ubuntu 16.04.3 LTS |
Settings
Postfix has five internal lists of ciphers, and the possibility to switch between those with smtpd_tls_ciphers. However, we leave this at its default value for server to server connections, as many mail servers only support outdated protocols and ciphers. We consider bad encryption still better than plain text transmission. For connections to MUAs, TLS is mandatory and the ciphersuite is modified.
MX and SMTP client configuration:
As discussed in section [smtp_general], because of opportunistic encryption we do not restrict the list of ciphers or protocols for communication with other mail servers to avoid transmission in plain text. There are still some steps needed to enable TLS, all in main.cf:
- Opportunistic TLS in Postfix
# TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key # log TLS connection info smtpd_tls_loglevel = 1 smtp_tls_loglevel = 1 # enable opportunistic TLS support in the SMTP server and client smtpd_tls_security_level = may smtp_tls_security_level = may # if you have authentication enabled, only offer it after STARTTLS smtpd_tls_auth_only = yes tls_ssl_options = NO_COMPRESSION
MSA
For the MSA smtpd process which communicates with mail clients, we first define the ciphers that are acceptable for the “mandatory” security level, again in main.cf:
- MSA TLS configuration in Postfix
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_protocols = !SSLv2, !SSLv3 lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3 lmtp_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_ciphers=high tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
Then, we configure the MSA smtpd in master.cf with two additional options that are only used for this instance of smtpd:
- MSA smtpd service configuration in Postfix
# ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== # ... submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o tls_preempt_cipherlist=yes # ...
For those users who want to use EECDH key exchange, it is possible to customize this via: The default value since Postfix 2.8 is “strong”.
- EECDH customization in Postfix
smtpd_tls_eecdh_grade = ultra
Limitations
tls_ssl_options is supported from Postfix 2.11 onwards.
- You can leave the statement in the configuration for older versions, it will be ignored.
tls_preempt_cipherlist is supported from Postfix 2.8 onwards.
- Again, you can leave the statement in for older versions.
References
- Refer to https://www.postfix.org/TLS_README.html for an in-depth discussion.
Additional settings
Postfix has two sets of built-in DH parameters that can be overridden with the smtpd_tls_dh512_param_file and smtpd_tls_dh1024_param_file options. The “dh512” parameters are used for export ciphers, while the “dh1024” ones are used for all other ciphers. The “bit length” in those parameter names is just a name, so one could use stronger parameter sets; it should be possible to e.g. use the IKE Group14 parameters (see section [DH] without much interoperability risk, but we have not tested this yet.
How to test
You can check the effect of the settings with the following command:
$ zegrep "TLS connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n 1 SSLv3 with cipher DHE-RSA-AES256-SHA 23 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 60 TLSv1 with cipher ECDHE-RSA-AES256-SHA 270 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 335 TLSv1 with cipher DHE-RSA-AES256-SHA $ openssl s_client -starttls smtp -crlf -connect example.com:25
Proxy
Proxy Solutions
Within enterprise networks and corporations with increased levels of paranoia or at least some defined security requirements it is common not to allow direct connections to the public internet. For this reason proxy solutions are deployed on corporate networks to intercept and scan the traffic for potential threats within sessions. For encrypted traffic there are four options:* Block the connection because it cannot be scanned for threats.
- Bypass the threat-mitigation and pass the encrypted session to the client, which results in a situation where malicious content is transferred directly to the client without visibility to the security system.
- Intercept (i.e. terminate) the session at the proxy, scan there and re-encrypt the session towards the client (effectively MITM).
- Deploy special Certificate Authorities to enable Deep Packet Inspection on the wire.
While the latest solution might be the most "up to date", it arises a new front in the context of this paper, because the most secure part of a client’s connection could only be within the corporate network, if the proxy-server handles the connection to the destination server in an insecure manner. Conclusion: Don’t forget to check your proxy solutions SSL-capabilities. Also do so for your reverse proxies!
Bluecoat / Symantec
Blue Coat Systems was a well-known manufacturer of enterprise proxy appliances. In 2016 it was acquired by Symantec. The products are now known as Symantec ProxySG and Advanced Secure Gateway (ASG). The description below is for the original Blue Coat SG Operating System (SGOS). BlueCoat Proxy SG Appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there only seems to be limited use of this feature "in the wild" - nonetheless there are a few cipher suites to choose from, when enabling SSL features.
Tested with Versions
Proxy Appliance | SGOS 6.5.x | Blue Coat, now Symantec |
---|
Only allow TLS 1.0,1.1 and 1.2 protocols
$conf t $(config)ssl $(config ssl)edit ssl-device-profile default $(config device-profile default)protocol tlsv1 tlsv1.1 tlsv1.2 ok
Select your accepted cipher-suites
$conf t Enter configuration commands, one per line. End with CTRL-Z. $(config)proxy-services $(config proxy-services)edit ReverseProxyHighCipher $(config ReverseProxyHighCipher)attribute cipher-suite Cipher# Use Description Strength ------- --- ----------------------- -------- 1 yes AES128-SHA256 High 2 yes AES256-SHA256 High 3 yes AES128-SHA Medium 4 yes AES256-SHA High 5 yes DHE-RSA-AES128-SHA High 6 yes DHE-RSA-AES256-SHA High [...] 13 yes EXP-RC2-CBC-MD5 Export Select cipher numbers to use, separated by commas: 2,5,6 ok
The same protocols are available for forward proxy settings and should be adjusted accordingly: In your local policy file add the following section:
<ssl>
DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)
Disabling protocols and ciphers in a forward proxy environment could lead to unexpected results on certain (misconfigured?) webservers (i.e. ones accepting only SSLv2/3 protocol connections)
HAProxy
See https://www.haproxy.org/ See https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ See https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn See https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.ssl.cachesize See https://kura.io/2014/07/02/haproxy-ocsp-stapling/ See https://kura.io/2015/01/27/hpkp-http-public-key-pinning-with-haproxy/ HAProxy can be used as loadbalancer and proxy for TCP and HTTP-based applications. Since version 1.5 it supports SSL and IPv6.
Tested with Versions
HAProxy 1.5.11 with OpenSSL 1.0.1e on Debian Wheezy
Settings
- global configuration
global
ssl-default-bind-ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA ssl-default-bind-options no-sslv3 no-tls-tickets #disable SSLv3 tune.ssl.default-dh-param 2048 #tune DH to 2048
- frontend configuration
frontend public
bind *:80 bind *:443 ssl crt server.pem mode http redirect scheme https code 301 if !{ ssl_fc } # redirect HTTP to HTTPS
- backend configuration
backend backend
mode http server server 192.168.1.1:80 check http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc } rspadd Strict-Transport-Security:\ max-age=15768000;\ includeSubDomains #enable HSTS header for this backend
Additional Settings
Enable NPN Support:
bind *:443 ssl crt server.pem npn "http/1.1,http/1.0"
Append the npn command in the frontend configuration of HAProxy.
Enable OCSP stapling:
HAProxy supports since version 1.5.0 OCSP stapling. To enable it you have to generate the OCSP singing file in the same folder, with the same name as your certificate file plus the extension .ocsp. (e.g. your certificate file is named server.crt then the OCSP file have to be named server.crt.oscp)To generate the OCSP file use these commands: $ openssl x509 -in your.certificate.crt -noout -ocsp_uri # <- get your ocsp uri $ openssl ocsp -noverify -issuer ca.root.cert.crt -cert your.certificate.crt -url "YOUR OCSP URI" -respout your.certificate.crt.ocsp Reload HAProxy and now OCSP stapling should be enabled.Note: This OCSP signature file is only valid for a limited time. The simplest way of updating this file is by using cron.daily or something similar.
Enable HPKP:
Get certificate informations: $ openssl x509 -in server.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64 Then you append the returned string in the HAProxy configuration. Add the following line to the backend configuration: rspadd Public-Key-Pins:\ pin-sha256="YOUR_KEY";\ max-age=15768000;\ includeSubDomains Reload HAProxy and HPKP should now be enabled.Note: Keep in mind to generate a backup key in case of problems with your primary key file.
How to test
See appendix Tools
Pound
Tested with Versions
Pound 2.6 See http://www.apsis.ch/pound See https://help.ubuntu.com/community/Pound
Settings
- HTTPS Listener in Pound
# HTTP Listener, redirects to HTTPS ListenHTTP Address 10.10.0.10 Port 80 Service Redirect "https://some.site.tld" End End ## HTTPS Listener ListenHTTPS Address 10.10.0.10 Port 443 AddHeader "Front-End-Https: on" Cert "/path/to/your/cert.pem" ## See 'man ciphers'. Ciphers "TLSv1.2:TLSv1.1:!SSLv3:!SSLv2:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" Service BackEnd Address 10.20.0.10 Port 80 End End End
stunnel
Tested with Versions
- stunnel 4.53-1.1ubuntu1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f, without disabling Secure Client-Initiated Renegotiation
- stunnel 5.02-1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f
- stunnel 4.53-1.1 on Debian Wheezy with OpenSSL 1.0.1e, without disabling Secure Client-Initiated Renegotiation
Settings
- HTTPS Listener in stunnel
ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA curve = secp384r1 options = NO_SSLv2 options = NO_SSLv3 options = cipher_server_preference ; Secure Client-Initiated Renegotiation can only be disabled wit stunnel >= 4.54 ;renegotiation = no
Additional information
Secure Client-Initiated Renegotiation can only be disabled for stunnel versions >= 4.54, when the renegotiation parameter has been added (See changelog).
References
stunnel documentation: https://www.stunnel.org/static/stunnel.html stunnel changelog: https://www.stunnel.org/sdf_ChangeLog.html
How to test
See appendix Tools
VPN
Virtual Private Networks
Virtual Private Networks (VPN) provide means of connecting private networks over external / public transport networks. Since we do not control the transport networks we have to to take care about data integrity and privacy.
Some providers also offer VPNs for connecting company networks via MPLS or simular technologies. The provider promises you that nobody else has access to your data trnfserred over their lines. You have to decide if this promise does fit to your information security requirements. |
Basically there are two ways to ensure the privacy and integrity of the data sent via external lines. First you could utilize the built-in security of the Internet Protocol (IPsec). The other way are specific applications that encrypt the data before sending it over the line. IPsec is an Internet standard (TODO RFC 6071). This guarantees the interoperability between implementations of different vendors. You can establish a secure connection with your customer or your supplier. On the other hand VPN applications mostly utilize TLS to secury the communication between the partners. TODO: Descision criteria IPsec vs. VPN application.
IPsec
IPsec is the Internet standard to encrypt the transport of data between private networks.
Technology
We describe only the use the Internet Key Exchange (IKE) version 2 in this dodument. IKEv1 has some usage and security problems and should not be used any more. (TODO: reference).
Authentication
IPsec authentication should optimally be performed via RSA signatures, with a key size of 2048 bits or more. Configuring only the trusted CA that issued the peer certificate provides for additional protection against fake certificates. If you need to use Pre-Shared Key (PSK) authentication:* Choose a random, long enough PSK (see below)
- Use a separate PSK for any IPsec connection
- Change the PSKs regularly
- Think aboute a secure way to exchange the PSK. Sending an SMS it not secure.
The size of the PSK should not be shorter than the output size of the hash algorithm used in IKE.footnote[It is used in a HMAC, see RFC2104 and the discussion starting in TODO: verify http://www.vpnc.org/ietf-ipsec/02.ipsec/msg00268.html.]. For a key composed only of upper- and lowercase letters, numbers, and two additional characters[9], table #tab:IPSEC_psk_len gives the minimum lengths in characters.
Cryptographic Suites
IPSEC Cryptographic Suites are pre-defined settings for all the items of a configuration; they try to provide a balanced security level and make setting up VPNs easier. [10] When using any of those suites, make sure to enable “Perfect Forward Secrecy“ for Phase 2, as this is not specified in the suites. The equivalents to the recommended ciphers suites in section Recommended cipher suites are shown in table #tab:IPSEC_suites.
Phase 1
TODO: Phase 1 and 2 are phrases from IKEv1. Re-write for IKEv2. Alternatively to the pre-defined cipher suites, you can define your own, as described in this and the next section. Phase 1 is the mutual authentication and key exchange phase; table #tab:IPSEC_ph1_params shows the parameters. Use only “main mode“, as “aggressive mode“ has known security vulnerabilities [11].
Phase 2
Phase 2 is where the parameters that protect the actual data are negotiated; recommended parameters are shown in table #tab:IPSEC_ph2_params.
References
- Fergusen, N. and Schneier, B.: A Cryptographic Evaluation of IPsec: https://www.schneier.com/paper-ipsec.pdf
Check Point Next Generation Firewall
Tested with Versions
Table 9. Tested CheckPoint Versions
Program Version | OS/Distribution/Version | Comment |
---|---|---|
R77 | Secure Platform |
Settings
Please see section IPsec for guidance on parameter choice. In this section, we will configure a strong setup according to Configuration A. This is based on the concept of a VPN Community, which has all the settings for the gateways that are included in that community. Communities can be found in the IPSEC VPN tab of SmartDashboard. "VPN Community encryption properties" [fig:checkpoint_1] Either choose one of the encryption suites in the properties dialog (figure [checkpoint_1], or proceed to Custom Encryption..., where you can set encryption and hash for Phase 1 and 2 (figure [checkpoint_2]. "Custom Encryption Suite Properties" [checkpoint_2] The Diffie-Hellman groups and Perfect Forward Secrecy Settings can be found under Advanced Settings / Advanced VPN Properties (figure [checkpoint_3]. "Advanced VPN Properties" [checkpoint_3]
Additional settings
For remote Dynamic IP Gateways, the settings are not taken from the community, but set in the Global Properties dialog under Remote Access / VPN Authentication and Encryption. Via the Edit... button, you can configure sets of algorithms that all gateways support (figure [checkpoint_4]). "Remote Access Encryption Properties" [checkpoint_4] Please note that these settings restrict the available algorithms for all gateways, and also influence the VPN client connections.
References
- Check Point VPN R77 Administration Guide (may require a UserCenter account to access)
TLS Based Applications
OpenVPN
Tested with Versions
Table 10. Tested OpenVPN Versions
Program Version | OS/Distribution/Version | Comment |
---|---|---|
2.3.10 | Ubuntu Xenial 16.04.1 LTS | linked against openssl (libssl.so.1.0.0) |
2.3.2 | Debian Wheezy (backports) | linked against openssl (libssl.so.1.0.0) |
2.2.1 | Debian Wheezy | linked against openssl (libssl.so.1.0.0) |
2.3.2 | Windows |
Settings
General
We describe a configuration with certificate-based authentication; see below for details on the easyrsa tool to help you with that. OpenVPN uses TLS only for authentication and key exchange. The bulk traffic is then encrypted and authenticated with the OpenVPN protocol using those keys. Note that while the tls-cipher option takes a list of ciphers that is then negotiated as usual with TLS, the cipher and auth options both take a single argument that must match on client and server. OpenVPN duplexes the tunnel into a data and a control channel. The control channel is a usual TLS connection, the data channel currently uses encrypt-then-mac CBC, see https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75365286
Server Configuration
Client Configuration
Client and server have to use compatible configurations, otherwise they can’t communicate. The cipher and auth directives have to be identical.
Justification for special settings
OpenVPN 2.3.1 changed the values that the tls-cipher option expects from OpenSSL to IANA cipher names. That means from that version on you will get Deprecated TLS cipher name warnings for the configurations above. You cannot use the selection strings from section Recommended cipher suites directly from 2.3.1 on, which is why we give an explicit cipher list here. In addition, there is a 256 character limit on configuration file line lengths; that limits the size of cipher suites, so we dropped all ECDHE suites. The configuration shown above is compatible with all tested versions.
References
- OpenVPN Documentation: Security Overview https://openvpn.net/index.php/open-source/documentation/security-overview.html
Additional settings
Key renegotiation interval
The default for renegotiation of encryption keys is one hour (reneg-sec 3600). If you transfer huge amounts of data over your tunnel, you might consider configuring a shorter interval, or switch to a byte- or packet-based interval (reneg-bytes or reneg-pkts).
Insecure ciphers
Sweet32[12] is an attack on 64-bit block ciphers, such as 3DES and Blowfish in OpenVPN. The following ciphers are affected, and should no longer be used:* BF-*
- DES* (including 3DES variants)
- RC2-*
The following ciphers are not affected:* AES-*
- CAMELLIA-*
- SEED-*
According to mitigation section on Sweet32 website[13] users users should change the cipher from the DES or Blowfish to AES (cipher AES-128-CBC). If cipher change is not possible users can mitigate the attack by forcing frequent rekeying (reneg-bytes 64000000).
Fixing “easy-rsa”
When installing an OpenVPN server instance, you are probably using easy-rsa to generate keys and certificates. The file vars in the easyrsa installation directory has a number of settings that should be changed to secure values: This will enhance the security of the key generation by using RSA keys with a length of 4096 bits, and set a lifetime of one year for the server/client certificates and five years for the CA certificate.
4096 bits is only an example of how to do this with easy-rsa. See also section Keylengths for a discussion on keylengths. |
In addition, edit the pkitool script and replace all occurrences of sha1 with sha256, to sign the certificates with SHA256.
Limitations
Note that the ciphersuites shown by openvpn --show-tls are known, but not necessarily supported [14]. Which cipher suite is actually used can be seen in the logs: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA
PPTP
PPTP is considered insecure, Microsoft recommends to _use a more secure VPN tunnel_[15]. There is a cloud service that cracks the underlying MS-CHAPv2 authentication protocol for the price of USD 200[16], and given the resulting MD4 hash, all PPTP traffic for a user can be decrypted.
Cisco ASA
The following settings reflect our recommendations as best as possible on the Cisco ASA platform. These are - of course - just settings regarding SSL/TLS (i.e. Cisco AnyConnect) and IPsec. For further security settings regarding this platform the appropriate Cisco guides should be followed.
Tested with Versions
Table 11. Tested Cisco ASA Versions
Program Version | OS/Distribution/Version | Comment |
---|---|---|
9.1(3) | X-series model |
Settings
crypto ipsec ikev2 ipsec-proposal AES-Fallback
protocol esp encryption aes-256 aes-192 aes protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES-GCM-Fallback
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES128-GCM
protocol esp encryption aes-gcm protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES192-GCM
protocol esp encryption aes-gcm-192 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES256-GCM
protocol esp encryption aes-gcm-256 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256 protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-GCM AES192-GCM AES128-GCM AES-GCM-Fallback AES-Fallback crypto map Outside-DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Outside-DMZ_map interface Outside-DMZ crypto ikev2 policy 1
encryption aes-gcm-256 integrity null group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-gcm-256 aes-gcm-192 aes-gcm integrity null group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256 aes-192 aes integrity sha512 sha384 sha256 group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400
crypto ikev2 policy 4
encryption aes-256 aes-192 aes integrity sha512 sha384 sha256 sha group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400
crypto ikev2 enable Outside-DMZ client-services port 443 crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 ssl server-version tlsv1-only ssl client-version tlsv1-only ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1 ssl trust-point ASDM_TrustPoint0 Outside-DMZ
Justification for special settings
New IPsec policies have been defined which do not make use of ciphers that may be cause for concern. Policies have a "Fallback" option to support legacy devices. 3DES has been completely disabled as such Windows XP AnyConnect Clients will no longer be able to connect. The Cisco ASA platform does not currently support RSA Keys above 2048bits. Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure for SHA256/SHA384/SHA512 nor AES-GCM for IKEv2 proposals.
References
- http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
- http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
Openswan
Tested with Version
Table 12. Tested OpenS/WAN Versions
Program Version | OS/Distribution/Version | Comment |
---|---|---|
2.6.39 | Gentoo |
Settings
The available algorithms depend on your kernel configuration (when using protostack=netkey) and/or build-time options. |
To list the supported algorithms $ ipsec auto --status | less and look for ’algorithm ESP/IKE’ at the beginning. aggrmode=no
# ike format: cipher-hash;dhgroup # recommended ciphers: # - aes # recommended hashes: # - sha2_256 with at least 43 byte PSK # - sha2_512 with at least 86 byte PSK # recommended dhgroups: # - modp2048 = DH14 # - modp3072 = DH15 # - modp4096 = DH16 # - modp6144 = DH17 # - modp8192 = DH18
ike=aes-sha2_256;modp2048 type=tunnel phase2=esp
# esp format: cipher-hash;dhgroup # recommended ciphers configuration A: # - aes_gcm_c-256 = AES_GCM_16 # - aes_ctr-256 # - aes_ccm_c-256 = AES_CCM_16 # - aes-256 # additional ciphers configuration B: # - camellia-256 # - aes-128 # - camellia-128 # recommended hashes configuration A: # - sha2-256 # - sha2-384 # - sha2-512 # - null (only with GCM/CCM ciphers) # additional hashes configuration B: # - sha1 # recommended dhgroups: same as above
phase2alg=aes_gcm_c-256-sha2_256;modp2048 salifetime=8h pfs=yes auto=ignore
How to test
Start the vpn and using $ ipsec auto --status | less and look for ’IKE algorithms wanted/found’ and ’ESP algorithms wanted/loaded’.
References
tinc
Tested with Versions
Table 13. Tested tinc Versions
Program Version | OS/Distribution/Version | Comment |
---|---|---|
1.0.23 | Gentoo | linked against OpenSSL 1.0.1e |
1.0.23 | Sabayon | linked against OpenSSL 1.0.1e |
Defaults
tinc uses 2048 bit RSA keys, Blowfish-CBC, and SHA1 as default settings and suggests the usage of CBC mode ciphers. Any key length up to 8192 is supported and it does not need to be a power of two. OpenSSL Ciphers and Digests are supported by tinc.
Settings
Generate keys with $ tincd -n NETNAME -K8192 Old keys will not be deleted (but disabled), you have to delete them manually. Add the following lines to your tinc.conf on all machines
References
- tincd(8) man page
- tinc.conf(5) man page
- tinc mailinglist http://www.tinc-vpn.org/pipermail/tinc/2014-January/003538.html
Datenbank
MySQL
Tested with Versions
- MySQL 5.5 on Debian Wheezy
- MySQL 5.7.20 on Ubuntu 16.04.3
Settings
References
MySQL Documentation on Configuring MySQL to Use Encrypted Connections.
How to test
After restarting the server run the following query to see if the ssl settings are correct: show variables like '%ssl%';
PostgreSQL
Tested with Versions
- Debian Wheezy and PostgreSQL 9.1
- Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
Settings
- To start in SSL mode the server.crt and server.key must exist in the servers data directory $PGDATA.
- Starting with version 9.2, you have the possibility to set the path manually
References
It’s recommended to read Security and Authentication in the manual.
- PostgreSQL Documentation on Secure TCP/IP Connections with SSL.
- PostgreSQL Documentation on Client Authentication.
How to test
To test your ssl settings, run psql with the sslmode parameter:
$ psql "sslmode=require host=postgres-server dbname=database" your-username