8

Disclaimer: I'm not a sysadmin, please try to give your answers in developer friendly language ;)

I'm test scanning a fresh VPS image with Nessus and I'm getting plugin 58751. I tried figuring out what to do and tried with different SSLCipherSuite settings in the Apache ssl.conf but I keep getting it.

The image doesn't include openssl 1.0.1 yet, so it doesn't support TLS 1.2.

What are the recommended working settings? Or what am I doing wrong?

Please suggest possible values for that specific mod_ssl configuration parameter, like:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Which is not a good one, I understand.

markus-tharkun
  • 253
  • 1
  • 3
  • 9
  • 1
    A note for everyone else coming to this question: While I can answer it by pointing entirely to past answers, I don't consider this to be a duplicate question. Namely, it is a question about a specific error code that is in a popular tool. It will likely be searched by many and this question can prove very helpful as a resource for those understanding the vulnerability message. – Jeff Ferland May 25 '12 at 15:04

2 Answers2

11

What does this nonsense all mean? What can I do about TLS 1.0 javascript injection vulnerability on my server?

What should I change to? Should I ignore the BEAST SSL exploit and continue to prefer AES?

An in-depth look at different cipher selections and their impact: What ciphers should I use in my web server after I configure my SSL certificate?

The cipher string

Let's take that information and inspect the default Apache cipher string as it stands while I write this:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

That basically allows any cipher that authenticates. Anonymous Diffie-Hellman exchanges (ADH) are excluded from consideration (!), but everything else is just piled on there. In fact, given the ALL right at the start, only !ADH is having an effect. Everything is already included. Export ciphers, low quality ciphers (40/56 bit, etc) are all fair game for negotiating.

If we want to be very simple, RC4 (symmetric), RSA (asymmetric exchange and signing), and SHA1 (symmetric hash) are universally supported. RC4 has some academic weaknesses, but it's immune to the BEAST attack and it's also what my browser negotiates to talk to Google.

SSLCipherSuite 'ECDHE-RSA-RC4-SHA:RC4+SHA1+RSA'

Verify:

 $ openssl ciphers -v 'ECDHE-RSA-RC4-SHA:RC4+SHA1+RSA'
 ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
 RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1

That takes care of set it and forget it. I put ECDHE-RSA-RC4-SHA in front because I'm a fan of using perfect forward secrecy, but it's not universally supported.

For future reference, though, here are some other things to look at if you're building a string that specifies ciphers generically:

  • No weak "export" ciphers: !EXP
  • No unauthenticated Diffie-Hellman exchanges: !ADH
  • We're not using a pre-shared key, so !PSK

Add on the ciphers that interest you afterward that. Use further exclusions if you need to limit something. Select specific combinations using the + sign instead of the colon. For example:

$ openssl ciphers -v '!ADH:AES+DH'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1

is every different from:

$ openssl ciphers -v '!ADH:AES:DH'
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export

Is this a worthy issue?

We're weighing academic vulnerabilities. RC4 is academically weaker than AES. AES is academically weaker if you get the client to run undesired code.

It's good to be informed of risks, but after doing some searching people are coming across this issue as a result of PCI-DSS scans. The auditor is seeing this in their automated tool and reacting. If the end user is running undesired code, then a greater root issue happened: Your site is compromised through something like XSS and you need to fix that or their machine is compromised (directly or running cross-site code from another site) and the attacker can probably run even more malicious software. Modern browsers should be adapting by kicking out a one byte packet at the start of the connection to crank the padding up and negate the attack too.

In a lot of ways, it's really on the client here. If you're going to concern yourself with client privacy, ensuring your site is not compromised is the higher order issue in my mind. Given that, SSL doesn't do a lot to help a client that is running something locally malicious, so now we're back to looking at the stronger AES cipher.

... but, to pass the audit without an argument and watch your customers' backs (basically what Google is trying to do to some margin), RC4 gets you there today. Hopefully a higher version of TLS gets everybody there tomorrow, but that progress is practically glacial.

Community
  • 1
Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
  • 2
    Actually none of this helps me because it all talks about specific ciphers, what I'm looking for is a working setting for the mod_ssl configuration `SSLCipherSuite` and I can't figure it out because I don't understand the underlying principles. A good answer to that question IMO would suggest a couple of possible values for that specific parameter. – markus-tharkun May 25 '12 at 15:13
  • @markus-tharkun Thank you... good feedback! I'll get on that. :) – Jeff Ferland May 25 '12 at 15:19
  • That would indeed be very helpful! – markus-tharkun May 25 '12 at 15:27
  • And I think it could become canonical, since everybody who does a Nessus scan, and googles the ID or name of the plugin would find this answer. – markus-tharkun May 25 '12 at 15:28
  • Great! That helps a lot, I'll try things out and repeat the scan and report back. – markus-tharkun May 25 '12 at 16:09
  • If I only get the second line when verifying, would this mean that my system doesn't support your later addition? – markus-tharkun May 25 '12 at 16:49
  • 1
    @markus-tharkun That's probably the case. I wouldn't worry about it -- the second line is the more supported one. The first is kind of a personal preference of pushing perfect forward secrecy exchanges where I can. – Jeff Ferland May 25 '12 at 16:51
  • Why did you wrap the cipher suite in quotes again, I think I knew and forgot? Is it necessary? – markus-tharkun Apr 06 '13 at 14:53
  • @markus-tharkun Just habit with longer arguments. You can quote anything on the CLI, even when not needed. – Jeff Ferland Apr 06 '13 at 15:02
1

we are using this SSLProtocol all -SSLv2 -TLSv1

SSLCipherSuite ECDHE-RSA-AES256-SHA384:!AES:!AES256-SHA256:!AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!DES-CBC3-SHA

But, we are failing 403labs PCI scan anyway (looks like they are using same plugin/nessus), and Qualys SSL labs test says we are PCI compliant... https://www.ssllabs.com/ssltest/index.html

Ivan Lotina
  • 11
  • 1