hardening ssl ciphers

hardening ssl ciphers

Hardening ssl ciphers. I wrote a post previously about disabling sslv2 and enabling sslv3 and tlsv1. Times have changed since then, its been best-practice for a long time now to only use tlsv1.1 and tlsv1.2 with forward secrecy. This post replaces the previous post, and will be updated with the latest best-practices as they appear.

tl;dr
Reasoning
Operating System
Tools
CentOS / Apache
sshd

ssh client

TL;DR


EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Reasoning

Pretty much the reason to do this is because of a spate of attacks on the ssl ciphers themselves (and other things).
BEAST
POODLE
CRIME
at the same time you disable a load of weak ciphers that are easily broken (DES, etc)

Tools to test your config:

SSLLabs – a free tool to check the config of your web server’s ciphers. Simply enter your domain name and the tool will do the rest.


openssl ciphers -v 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'

hardening ssl ciphers in your operating system

The first thing you need to do is to get openssl >= 1.0.1c (or libressl) now that you have your base libraries updated, you can support TLSv1/2 and EECDH

hardening ssl ciphers in centos with apache

create a file in /etc/httpd/conf.d (I call it ssl-ciphers.conf) – this way it gets automatically included when apache starts


SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLInsecureRenegotiation off

There are others who suggest slightly different things, and others who suggest the same

hardening ssl ciphers in sshd

open the /etc/ssh/sshd_config


Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

You can get more info here

hardening ssl ciphers in ssh clients


HashKnownHosts yes
Host github.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
Host *
  ConnectTimeout 30
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  ServerAliveInterval 10
  ControlMaster auto
  ControlPersist yes
  ControlPath ~/.ssh/socket-%r@%h:%p

You can get more info here

hardening ssl ciphers in qmail

Edit/create /var/qmail/control/tlsserverciphers
and add the following line to it:

EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Now restart qmail, and you’re done!

hardening ssl ciphers in courier-imap

Edit the following files:

/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl

TLS_CIPHER_LIST="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  • Brandon Martin

    I’ve added these configs to my nginx servers to harden the ssl:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;

    Place them in the http block. Generate the dhparam with openssl: openssl dhparam -out dhparam.pem 4096