Adrian Jenzer
2021-Jun-30 09:03 UTC
[CentOS] Centos 8 crypto-policy to get SSL Labs A rating
Dear Community

I try to get an SSL Labs A rating for my CentOS8 Apache-server.
I'm sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me some advice on where I am wrong?
My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.

***
# Current runtime policy dump
# DEFAULT:HTTPS
arbitrary_dh_groups = 1
cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CTR AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC
group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
ike_protocol = IKEv2
key_exchange = ECDHE DHE DHE-RSA DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
min_dh_size = 2048
min_dsa_size = 2048
min_dtls_version = DTLS1.2
min_rsa_size = 2048
min_tls_version = TLS1.2
protocol = TLS1.3 TLS1.2 DTLS1.2
sha1_in_certs = 1
sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-$
ssh_certs = 1
ssh_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
ssh_etm = 1
ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
***
cat /etc/crypto-policies/policies/modules/HTTPS.pmod
cipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
***

Part of /etc/httpd/conf.d/ssl.conf
***
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# List the protocol versions which clients are allowed to connect with.
# The OpenSSL system profile is used by default. See
# update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2

# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
#SSLProxyCipherSuite PROFILE=SYSTEM
#SSLCipherSuite HIGH:!aNULL:!MD5
#SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256

Thanks for any hint!
Adrian
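To see which entries of a runtime policy dump like the one above a scanner such as SSL Labs would report as weak, here is an added Python check (not code from the original thread or from the crypto-policies project) that parses the dump's `key = value value ...` format and flags CBC suites, SHA-1 MACs and hashes, legacy protocols and SHA-1 certificate signatures; the sample dump is a constructed excerpt of the output quoted in the post.

```python
"""Audit a crypto-policies runtime policy dump for values that TLS scanners
report as weak. Added example; not from the original thread or the
crypto-policies project."""

# Constructed excerpt of the runtime dump quoted in the original post.
SAMPLE_DUMP = """\
# Current runtime policy dump
# DEFAULT:HTTPS
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
min_tls_version = TLS1.2
protocol = TLS1.3 TLS1.2 DTLS1.2
sha1_in_certs = 1
tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
"""

def parse_policy(text):
    """Return {key: [values]} from 'key = v1 v2 ...' lines; '#' comments are skipped."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.split()
    return policy

# (policy key, predicate on one value, reason) -- what to flag and why.
CHECKS = [
    ("tls_cipher", lambda v: v.endswith("-CBC"), "non-AEAD CBC suite offered to TLS clients"),
    ("mac", lambda v: v == "HMAC-SHA1", "HMAC-SHA1 still allowed as a MAC"),
    ("hash", lambda v: v == "SHA1", "SHA-1 still in the allowed hash list"),
    ("protocol", lambda v: v in ("SSL3.0", "TLS1.0", "TLS1.1"), "legacy protocol enabled"),
]

def audit_policy(policy):
    """Return sorted 'key: value -- reason' findings for a parsed policy."""
    findings = []
    for key, is_weak, reason in CHECKS:
        for value in policy.get(key, []):
            if is_weak(value):
                findings.append(f"{key}: {value} -- {reason}")
    if policy.get("sha1_in_certs") == ["1"]:
        findings.append("sha1_in_certs: 1 -- SHA-1 signatures accepted in certificates")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_policy(parse_policy(SAMPLE_DUMP)):
        print(finding)
```

Run against a full dump, it lists exactly the entries to tighten in a custom subpolicy before re-scanning.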
Paul Heinlein
2021-Jun-30 14:08 UTC
[CentOS] Centos 8 crypto-policy to get SSL Labs A rating
On Wed, 30 Jun 2021, Adrian Jenzer wrote:

> Dear Community
>
> I try to get an SSL Labs A rating for my CentOS8 Apache-server.
> I'm sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me some advice on where I am wrong?
> My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.

I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:

<IfModule mod_ssl.c>
  # ...
  SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
  SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>

In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.

--
Paul Heinlein
heinlein at madboa.com
45.38° N, 122.59° W
Jamie Burchell
2021-Jul-02 12:02 UTC
[CentOS] Centos 8 crypto-policy to get SSL Labs A rating
This tool might be of interest to you:

https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

Don't forget to configure it to match your software versions and requirements.

Cheers,
Jamie

On Wed, 30 Jun 2021 at 10:03, Adrian Jenzer <a.jenzer at herzogdemeuron.com> wrote:

> Dear Community
>
> I try to get an SSL Labs A rating for my CentOS8 Apache-server.
> I'm sure it has to do with my lack of understanding of the crypto-policies
> configuration; can anybody give me some advice on where I am wrong?
> My understanding is that the configuration in the pmod-file will override
> the ssl.conf values if PROFILE=SYSTEM is active.
>
>
> ***
> # Current runtime policy dump
> # DEFAULT:HTTPS
> arbitrary_dh_groups = 1
> cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CTR AES-256-CBC
> AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC
> group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072
> FFDHE-4096 FFDHE-6144 FFDHE-8192
> hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
> ike_protocol = IKEv2
> key_exchange = ECDHE DHE DHE-RSA DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
> mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
> min_dh_size = 2048
> min_dsa_size = 2048
> min_dtls_version = DTLS1.2
> min_rsa_size = 2048
> min_tls_version = TLS1.2
> protocol = TLS1.3 TLS1.2 DTLS1.2
> sha1_in_certs = 1
> sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384
> ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256
> RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384
> RSA-$
> ssh_certs = 1
> ssh_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM
> AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM
> CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
> ssh_etm = 1
> ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048
> FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
> tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC
> AES-128-GCM AES-128-CCM AES-128-CBC
>
> ***
> cat /etc/crypto-policies/policies/modules/HTTPS.pmod
> cipher =
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
> ***
>
> Part of /etc/httpd/conf.d/ssl.conf
> ***
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> # List the protocol versions which clients are allowed to connect with.
> # The OpenSSL system profile is used by default. See
> # update-crypto-policies(8) for more details.
> #SSLProtocol all -SSLv3
> #SSLProxyProtocol all -SSLv3
> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
>
> # User agents such as web browsers are not configured for the user's
> # own preference of either security or performance, therefore this
> # must be the prerogative of the web server administrator who manages
> # cpu load versus confidentiality, so enforce the server's cipher order.
> SSLHonorCipherOrder on
>
> # SSL Cipher Suite:
> # List the ciphers that the client is permitted to negotiate.
> # See the mod_ssl documentation for a complete list.
> # The OpenSSL system profile is configured by default. See
> # update-crypto-policies(8) for more details.
> SSLCipherSuite PROFILE=SYSTEM
> #SSLProxyCipherSuite PROFILE=SYSTEM
> #SSLCipherSuite HIGH:!aNULL:!MD5
> #SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256
>
>
>
> Thanks for any hint!
> Adrian
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>