Preface

Do not talk unencrypted

Neboltai

Acknowledgements

We would like to express our thanks to the following reviewers and people who have generously offered their time and interest (in alphabetical order):

Brown, Scott
Brulebois, Cyril
Burghardt, Krzysztof
Dirksen-Thedens, Mathis
Dulaunoy, Alexandre
Endres, Johannes
Gühring Philipp
Grigg, Ian
Haslinger, Gunnar
Huebl, Axel
Knecht, Pascal
Koetter, Patrick Ben
Kovacic, Daniel
Lenzhofer, Stefan
Lorünser, Thomas
Maass, Max
Mehlmauer, Christian
Millauer, Tobias
Mirbach, Andreas
O’Brien, Hugh
Pacher, Christoph
Palfrader, Peter
Pape, Tobias (layout)
Petukhova, Anna (Logo)
Pichler, Patrick
Riebesel, Nicolas
Roeckx, Kurt
Roesen, Jens
Rublik, Martin
Schiffbauer, Marc
Schosser, Andreas
Schüpany, Mathias
Schulze, Andreas
Schwartzkopff, Michael
Schwarz, René («DigNative»)
Seidl, Eva (PDF layout)
Van Horenbeeck, Maarten
Wagner, Sebastian («sebix»)
Zangerl, Alexander

The reviewers did review parts of the document in their area of expertise; all remaining errors in this document are the sole responsibility of the primary authors.

Abstract

Unfortunately, the computer security and cryptology communities have drifted apart over the last 25 years. Security people don’t always understand the available crypto tools, and crypto people don’t always understand the real-world problems.

— Ross Anderson
(Anderson, 2008)

This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.

As Schneier noted in (Schneier, 2013), it seems that intelligence agencies and adversaries on the Internet are not breaking so much the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, rig random number generators and most of all exploit careless settings in server configurations and encryption systems to listen in on private communications. Worst of all, most communication on the internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution).

This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors' current knowledge. Other attacks, as the above mentioned, require different protection schemes which are not covered in this guide. This guide is not an introduction to cryptography. For background information on cryptography and cryptoanalysis we would like to refer the reader to the references in appendix Links and Suggested Reading at the end of this document.

The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides (II & SYM, 2012) and best practice documents available when it comes to cryptography. However none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings.

This guide tries to fill this gap.

The guide was produced in an open source manner: every step of editing can be traced back to a specific author via our version control system.

I: Introduction

1. Audience

Sysadmins. Sysadmins. Sysadmins. They are a force-multiplier.

2. Related publications

Ecrypt II [ii2011ecrypt]

Ecrypt II (II & SYM, 2012), ENISA’s report on Algorithms, key sizes and parameters (ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013) and BSI’s Technische Richtlinie TR-02102 (für Sicherheit in der Informationstechnik (BSI), 2018) are great publications which are more in depth than this guide. However, this guide has a different approach: it focuses on copy & paste-able settings for system administrators, effectively breaking down the complexity in the above mentioned reports to an easy to use format for the intended target audience.

3. How to read this guide

This guide tries to accommodate two needs: first of all, having a handy reference on how to configure the most common services’ crypto settings and second of all, explain a bit of background on cryptography. This background is essential if the reader wants to choose his or her own cipher string settings.

System administrators who want to copy & paste recommendations quickly without spending a lot of time on background reading on cryptography or cryptanalysis can do so, by simply searching for the corresponding section in Best Practice.

It is important to know that in this guide the authors arrived at two recommendations: Cipher string A and Cipher string B. While the former is a hardened recommendation a latter is a weaker one but provides wider compatibility. Cipher strings A and B are described in Recommended cipher suites.

However, for the quick copy & paste approach it is important to know that this guide assumes users are happy with Cipher string B.

While Best Practice is intended to serve as a copy & paste reference, Theory explains the reasoning behind cipher string B. In particular Architectural overview explains how to choose individual cipher strings. We advise the reader to actually read this section and challenge our reasoning in choosing Cipher string B and to come up with a better or localized solution.

4. Disclaimer

A chain is no stronger than its weakest link, and life is after all a chain.
— William James
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
— Edward Snowden
answering questions live on the Guardian’s website

This guide specifically does not address physical security, protecting software and hardware against exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key-roll over and key management, securing client PCs and mobile devices (theft, loss), proper Operations Security, social engineering attacks, protection against tempest (i_wikipedia_Tempest (codename)_, 2018) attack techniques, thwarting different side-channel attacks (timing–, cache timing–, differential fault analysis, differential power analysis or power monitoring attacks), downgrade attacks, jamming the encrypted channel or other similar attacks which are typically employed to circumvent strong encryption.

The authors can not overstate the importance of these other techniques. Interested readers are advised to read about these attacks in detail since they give a lot of insight into other parts of cryptography engineering which need to be dealt with[1]) ].

This guide does not talk much about the well-known insecurities of trusting a public-key infrastructure (PKI)[2]. Nor does this text fully explain how to run your own Certificate Authority (CA).

Most of this zoo of information security issues are addressed in the very comprehensive book Security Engineering by Ross Anderson (Anderson, 2008).

For some experts in cryptography this text might seem too informal. However, we strive to keep the language as non-technical as possible and fitting for our target audience: system administrators who can collectively improve the security level for all of their users.

Security is a process, not a product.
— Bruce Schneier

This guide can only describe what the authors currently believe to be the best settings based on their personal experience and after intensive cross checking with literature and experts. For a complete list of people who reviewed this paper, see the <acknowledgements>. Even though multiple specialists reviewed the guide, the authors can give no guarantee whatsoever that they made the right recommendations. Keep in mind that tomorrow there might be new attacks on some ciphers and many of the recommendations in this guide might turn out to be wrong.

We therefore recommend that system administrators keep up to date with recent topics in IT security and cryptography.

In this sense, this guide is very focused on getting the cipher strings done right even though there is much more to do in order to make a system more secure. We the authors, need this document as much as the reader needs it.

4.1. Scope

In this guide, we restricted ourselves to:

  • Internet-facing services

  • Commonly used services

  • Devices which are used in business environments (this specifically excludes

  • XBoxes, Playstations and similar consumer devices)

  • OpenSSL

We explicitly excluded:

  • Specialized systems (such as medical devices, most embedded systems,

  • industrial control systems, etc.)

  • Wireless Access Points

  • Smart-cards/chip cards

5. Methods

C.O.S.H.E.R - completely open source, headers, engineering and research.
— A. Kaplan
His mail signature for many years

For writing this guide, we chose to collect the most well researched facts about cryptography settings and let as many trusted specialists as possible review those settings. The review process is completely open and done on a public mailing list.

The document is available (read-only) to the public Internet on the web page and the source code of this document is on a public git server, mirrored on GitHub.com and open for public scrutiny. However, write permissions to the document are only granted to vetted people. The list of reviewers can be found in <acknowledgements>.

Every write operation to the document is logged via the git version control system and can thus be traced back to a specific author. We accept git pull requests on the github mirror for this paper.

Public peer-review and multiple eyes checking of our guide is the best strategy we can imagine at the present moment [3].

We invite the gentle reader to participate in this public review process. Please read the CONTRIBUTING document.

II: Best Practice

6. Webservers

6.1. Apache

Note that any cipher suite starting with EECDH can be omitted, if in doubt. (Compared to the theory section, EECDH in Apache and ECDHE in OpenSSL are synonyms [4])

6.1.1. Tested with Versions

  • Apache 2.2.22, Debian Wheezy with OpenSSL 1.0.1e

  • Apache 2.4.6, Debian Jessie with OpenSSL 1.0.1e

  • Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k

  • Apache 2.4.7, Ubuntu 14.04.2 Trusty with OpenSSL 1.0.1f

  • Apache 2.4.6, CentOS Linux 7 (Core) with OpenSSL 1.0.1e

  • Apache 2.4.18, Ubuntu 16.04.3 LTS with OpenSSL 1.0.2g

6.1.2. Settings

Enabled modules SSL and Headers are required.

Listing 1. SSL configuration for an Apache vhost
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off

Header always set Strict-Transport-Security "max-age=15768000"      (1)
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains" (2)

Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\"" (3)
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
1 Add six earth month HSTS header for all users…​
2 If you want to protect all subdomains, use the following header. ALL subdomains HAVE TO support HTTPS if you use this!
3 CALL subdomains HAVE TO support HTTPS if you use this! At least use one Backup-Key and/or add whole CA, think of Cert-Updates!

6.1.3. Additional settings

You might want to redirect everything to https:// if possible. In Apache you can do this with the following setting inside of a VirtualHost environment:

Listing 2. https auto-redirect vhost
<VirtualHost *:80>
    Redirect permanent / https://SERVER_NAME/
</VirtualHost>

6.1.4. References

6.1.5. How to test

See appendix Tools

6.2. lighttpd

6.2.1. Tested with Versions

  • lighttpd/1.4.31-4 with OpenSSL 1.0.1e on Debian Wheezy

  • lighttpd/1.4.33 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)

  • lighttpd/1.4.28-2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)

  • lighttpd/1.4.31, Ubuntu 14.04.2 Trusty with Openssl 1.0.1f

6.2.2. Settings

Listing 3. SSL configuration for lighttpd
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.ca-file = "/etc/ssl/certs/server.crt"

    ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
    ssl.honor-cipher-order = "enable"
    setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
    # use this only if all subdomains support HTTPS!
    # setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
}

Starting with lighttpd version 1.4.29 Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols are supported. By default, elliptic curve "prime256v1" (also "secp256r1") will be used, if no other is given. To select special curves, it is possible to set them using the configuration options ssl.dh-file and ssl.ec-curve.

Listing 4. SSL EC/DH configuration for lighttpd
# use group16 dh parameters
ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
ssl.ec-curve = "secp384r1"

Please read section A note on Diffie Hellman Key Exchanges for more information on Diffie Hellman key exchange and elliptic curves.

6.2.3. Additional settings

As for any other webserver, you might want to automatically redirect http:// traffic toward https://. It is also recommended to set the environment variable HTTPS, so the PHP applications run by the webserver can easily detect that HTTPS is in use.

Listing 5. https auto-redirect configuration
$HTTP["scheme"] == "http" {
    # capture vhost name with regex condition -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
    # Set the environment variable properly
    setenv.add-environment = (
        "HTTPS" => "on"
    )
}

6.2.4. Additional information

The config option honor-cipher-order is available since 1.4.30, the supported ciphers depend on the used OpenSSL-version (at runtime). ECDHE has to be available in OpenSSL at compile-time, which should be default. SSL compression should by deactivated by default at compile-time (if not, it’s active).

Support for other SSL-libraries like GnuTLS will be available in the upcoming 2.x branch, which is currently under development.

6.2.6. How to test

See appendix Tools

6.3. nginx

6.3.1. Tested with Version

  • 1.4.4 with OpenSSL 1.0.1e on OS X Server 10.8.5

  • 1.2.1-2.2+wheezy2 with OpenSSL 1.0.1e on Debian Wheezy

  • 1.4.4 with OpenSSL 1.0.1e on Debian Wheezy

  • 1.2.1-2.2 bpo60+2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)

  • 1.4.6 with OpenSSL 1.0.1f on Ubuntu 14.04.2 LTS

6.3.2. Settings

Listing 6. SSL settings for nginx
ssl on;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;

ssl_session_timeout 5m;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security max-age=15768000; # six months
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; (1)
1 Use this only if all subdomains support HTTPS!

If you absolutely want to specify your own DH parameters, you can specify them via

ssl_dhparam file;

However, we advise you to read section A note on Diffie Hellman Key Exchanges and stay with the standard IKE/IETF parameters (as long as they are >1024 bits).

6.3.3. Additional settings

If you decide to trust NIST’s ECC curve recommendation, you can add the following line to nginx’s configuration file to select special curves:

Listing 7. SSL EC/DH settings for nginx
ssl_ecdh_curve secp384r1;

You might want to redirect everything to https:// if possible. In Nginx you can do this with the following setting:

Listing 8. https auto-redirect in nginx
return 301 https://$server_name$request_uri;

The variable $server_name refers to the first server_name entry in your config file. If you specify more than one server_name only the first will be taken. Please be sure to not use the $host variable here because it contains data controlled by the user.

6.3.4. References

6.3.5. How to test

See appendix Tools

6.4. Cherokee

6.4.1. Tested with Version

  • Cherokee/1.2.104 on Debian Wheezy with OpenSSL 1.0.1e 11 Feb 2013

6.4.2. Settings

The configuration of the cherokee webserver is performed by an admin interface available via the web. It then writes the configuration to /etc/cherokee/cherokee.conf, the important lines of such a configuration file can be found at the end of this section.

  • General Settings

    • Network

      • SSL/TLS back-end: OpenSSL/libssl

    • Ports to listen

      • Port: 443, TLS: TLS/SSL port

  • Virtual Servers, For each vServer on tab Security:

    • Required SSL/TLS Values: Fill in the correct paths for Certificate and Certificate key

  • Advanced Options

    • Ciphers:

      EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
      • Server Preference: Prefer

      • Compression: Disabled

  • Advanced: TLS

    • SSL version 2 and SSL version 3: No

    • TLS version 1, TLS version 1.1 and TLS version 1.2: Yes

6.4.3. Additional settings

For each vServer on the Security tab it is possible to set the Diffie Hellman length to up to 4096 bits. We recommend to use >1024 bits. More information about Diffie-Hellman and which curves are recommended can be found in section A note on Diffie Hellman Key Exchanges.

In Advanced: TLS it is possible to set the path to a Diffie Hellman parameters file for 512, 1024, 2048 and 4096 bits.

HSTS can be configured on host-basis in section vServers / Security / HTTP Strict Transport Security (HSTS):

  • Enable HSTS: Accept

  • HSTS Max-Age: 15768000

  • Include Subdomains: depends on your setup

To redirect HTTP to HTTPS, configure a new rule per Virtual Server in the Behavior tab. The rule is SSL/TLS combined with a NOT operator. As Handler define Redirection and use /(.*)$ as Regular Expression and +https://$\{host}/$1+ as Substitution.

Listing 9. SSL configuration for cherokee
server!bind!2!port = 443
server!bind!2!tls = 1
server!tls = libssl
vserver!1!hsts = 1
vserver!1!hsts!max_age = 15768000
vserver!1!hsts!subdomains = 1
vserver!1!rule!5!handler = redir
vserver!1!rule!5!handler!rewrite!10!regex = /(.*)$
vserver!1!rule!5!handler!rewrite!10!show = 1
vserver!1!rule!5!handler!rewrite!10!substring = https://${host}/$1
vserver!1!rule!5!handler!type = just_about
vserver!1!rule!5!match = not
vserver!1!rule!5!match!right = tls
vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
vserver!1!ssl_cipher_server_preference = 1
vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
vserver!1!ssl_compression = 0
vserver!1!ssl_dh_length = 2048

6.4.5. How to test

See appendix Tools

6.5. MS IIS

To configure SSL/TLS on Windows Server IIS Crypto can be used. Simply start the Programm, no installation required. The tool changes the registry keys described below. A restart is required for the changes to take effect.

IIS Crypto Tool

Instead of using the IIS Crypto Tool the configuration can be set using the Windows Registry. The following Registry keys apply to the newer Versions of Windows (Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2). For detailed information about the older versions see the Microsoft knowledgebase article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]

6.5.1. Tested with Version

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Vista and Internet Explorer 7 and upwards

  • Windows 7 and Internet Explorer 8 and upwards

  • Windows 8 and Internet Explorer 10 and upwards

  • Windows 8.1 and Internet Explorer 11

6.5.2. Settings

When trying to avoid RC4 (RC4 biases) as well as CBC (BEAST-Attack) by using GCM and to support perfect forward secrecy, Microsoft SChannel (SSL/TLS, Auth,.. Stack) supports ECDSA but lacks support for RSA signatures (see ECC suite B doubts).

Since one is stuck with ECDSA, an elliptic curve certificate needs to be used.

The configuration of cipher suites MS IIS will use, can be configured in one of the following ways:

Table Client support shows the process of turning on one algorithm after another and the effect on the supported clients tested using https://www.ssllabs.com.

SSL 3.0, SSL 2.0 and MD5 are turned off. TLS 1.0 and TLS 1.2 are turned on.

Table 1. Client support
Cipher Suite Client

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256+

only IE 10,11, OpenSSL 1.0.1e

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256+

Chrome 30, Opera 17, Safari 6+

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA+

FF 10-24, IE 8+, Safari 5, Java 7

Table Client support shows the algorithms from strongest to weakest and why they need to be added in this order. For example insisting on SHA-2 algorithms (only first two lines) would eliminate all versions of Firefox, so the last line is needed to support this browser, but should be placed at the bottom, so capable browsers will choose the stronger SHA-2 algorithms.

TLS_RSA_WITH_RC4_128_SHA or equivalent should also be added if MS Terminal Server Connection is used (make sure to use this only in a trusted environment). This suite will not be used for SSL, since we do not use a RSA Key.

Clients not supported:

  1. Java 6

  2. WinXP

  3. Bing

6.5.3. Additional settings

It’s recommended to use ´Strict-Transport-Security: max-age=15768000` for detailed information visit the Microsoft knowledgebase article in custom Headers.

You might want to redirect everything to https:// if possible. In IIS you can do this with the following setting by Powershell:

Set-WebConfiguration -Location "$WebSiteName/$WebApplicationName" `
    -Filter 'system.webserver/security/access' `
    -Value "SslRequireCert"

6.5.4. Justification for special settings (if needed)

6.5.6. How to test

See appendix Tools

7. SSH

This section documents the Secure Shell (SSH) protocol. SSH is used to remotely manage computer systems, secururly transfer files over untrusted networks and to create "ad-hoc" virtual-private networks.

SSH is defined by the following Internet Standards (RFCs):

Table 2. SSH Standards
RFC Title Link

4251

The Secure Shell (SSH) Protocol Architecture

https://tools.ietf.org/html/rfc4251

4252

The Secure Shell (SSH) Authentication Protocol

https://tools.ietf.org/html/rfc4252

4253

The Secure Shell (SSH) Transport Layer Protocol

https://tools.ietf.org/html/rfc4253

6668

SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol

https://tools.ietf.org/html/rfc6668

8268

More Modular Exponentiation (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH)

https://tools.ietf.org/html/rfc8268

8308

Extension Negotiation in the Secure Shell (SSH) Protocol

https://tools.ietf.org/html/rfc8308

8332

Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol

https://tools.ietf.org/html/rfc8332

7.1. OpenSSH

OpenSSH is the most popular implementation of the SSH protocol. It is maintained by the OpenBSD project and portable versions are disitributed with many unix-like operating-systems and Windows Server.

7.1.1. Tested with Version

  • OpenSSH 6.6p1 (Gentoo)

  • OpenSSH 6.6p1-2 on Ubuntu 14.04.2 LTS

  • OpenSSH 7.2p2 on Ubuntu 16.04.3 LTS

7.1.2. Settings

Listing 10. Important OpenSSH 6.6 security settings
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Cipher selection
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1


X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Curve25519

OpenSSH 6.6p1 now supports Curve25519.

7.1.3. Tested with Version

  • OpenSSH 6.5 (Debian Jessie)

7.1.4. Settings

Listing 11. Important OpenSSH 6.5 security settings
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Cipher selection
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1


X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

7.1.5. Tested with Version

  • OpenSSH 6.0p1 (Debian wheezy)

7.1.6. Settings

Listing 12. Important OpenSSH 6.0 security settings
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Cipher selection
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Older Linux systems won’t support SHA2. PuTTY (Windows) does not support RIPE-MD160. Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.6p1). DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit [5] which is far below current standards (see section #section:keylengths). Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs.

7.1.7. References

The OpenSSH sshd_config — OpenSSH SSH daemon configuration file man page is the best reference:

7.1.8. How to test

Connect a client with verbose logging enabled to the SSH server

$ ssh -vvv myserver.com

and observe the key exchange in the output.

7.2. Cisco ASA

7.2.1. Tested with Versions

  • 9.1(3)

7.2.2. Settings

crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1

When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed. In addition to that, only a group1 DH-key-exchange is used. This should be changed to allow only SSH version 2 and to use a key-exchange with group14. The generated RSA key should be 2048 bit (the actual supported maximum). A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.

7.2.4. How to test

Connect a client with verbose logging enabled to the SSH server

$ ssh -vvv myserver.com

and observe the key exchange in the output.

7.3. Cisco IOS

7.3.1. Tested with Versions

Table 3. Tested Myservice Versions

Program Version

OS/Distribution/Version

Comment

15.0

IOS

15.1

IOS

15.2

IOS

7.3.2. Settings

crypto key generate rsa modulus 4096 label SSH-KEYS
ip ssh rsa keypair-name SSH-KEYS
ip ssh version 2
ip ssh dh min size 2048

line vty 0 15
transport input ssh

Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only use a DH-group of 768 Bit. In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual keys-pairs. From IOS Version 15.0 onwards, 4096 Bit rsa keys are supported and should be used according to the paradigm "use longest supported key". Also, do not forget to disable telnet vty access.

7.3.3. References

This guide is a basic SSH reference for all routers and switches. Pleaes refer to the specific documentation of the device and IOS version that you are configuring.

7.3.4. How to test

Connect a client with verbose logging enabled to the SSH server

$ ssh -vvv switch.example.net

and observe the key exchange in the output.

8. Mailservers

This section documents the most common mail servers. Mail servers may usually be grouped into three categories:

  • Mail Submission Agent (MSA)

  • Mail Transfer Agent (MTA) / Mail Exchanger (MX)

  • Mail Delivery Agent (MDA)

An email client (mail user agent, MUA) submits mail to the MSA. This is usually been done using the Simple Mail Transfer Protocol (SMTP). Afterwards, the mail is transmitted by the MTA over the Internet to the MTA of the receiver. This happens again via SMTP. Finally, the mail client of the receiver will fetch mail from an MDA usually via the Internet Message Access Protocol (IMAP) or the Post Office Protocol (POP).

As MSAs and MTAs both use SMTP as transfer protocols, both functionalities may often be implemented with the same software. On the other hand, MDA software might or might not implement both IMAP and POP.

8.1. TLS usage in mail server protocols

Email protocols support TLS in two different ways. It may be added as a protocol wrapper on a different port. This method is referred to as Implicit TLS or as protocol variants SMTPS, IMAPS and POP3S. The other method is to establish a cleartext session first and switch to TLS afterwards by issuing the STARTTLS command.

SMTP between MTAs usually makes use of opportunistic TLS. This means that an MTA will accept TLS connections when asked for it but will not require it. MTAs should always try opportunistic TLS handshakes outgoing and always accept incoming opportunistic TLS.

We recommend to use the following settings for Mail Transfer Agents:

  • correctly setup MX, A and PTR RRs without using CNAMEs at all

  • the hostname used as HELO/EHLO in outgoing mail shall match the PTR RR

  • enable opportunistic TLS, using the STARTTLS mechanism on port 25

  • Implicit TLS on port 465 may be offered additionally

  • use server and client certificates (most server certificates are client certificates as well)

  • either the common name or at least an alternate subject name of the certificate shall match the PTR RR (client mode) or the MX RR (server mode)

  • do not use self signed certificates

  • accept all cipher suites, as the alternative would be to fall back to cleartext transmission

  • an execption to the last sentence is that MTAs MUST NOT enable SSLv2 protocol support, due to the DROWN attack.

For MSA operation we recommend:

  • listen on submission port 587 with mandatory STARTTLS

  • optionally listen on port 465 with Implicit TLS

  • enforce SMTP AUTH even for local networks

  • ensure that SMTP AUTH is not allowed on unencrypted connections

  • only use the recommended cipher suites if all connecting MUAs support them

For MDA operation we recommend:

  • listen on the protocol port (143 for IMAP, 110 for POP3) with mandatory STARTTLS

  • optionally listen on Implicit TLS ports (993 for IMAPS, 995 for POP3S)

  • enforce authentication even for local networks

  • make sure that authentication is not allowed on unencrypted connections

  • use the recommended cipher suites if all connecting MUAs support them

  • turn off SSLv2 (see: DROWN attack)

8.3. Dovecot

8.3.1. Tested with Versions

Table 4. Tested Dovecot Versions
Program Version OS/Distribution/Version Comment

2.1.7

Debian Wheezy

without ssl_prefer_server_ciphers

2.2.9

Debian Jessie

2.2.13

Debian 8.2 Jessie

2.0.19apple1

OS X Server 10.8.5

without ssl_prefer_server_ciphers

2.2.9

Ubuntu 14.04 Trusty

2.2.31

Ubuntu 16.04.3 LTS

8.3.2. Settings

Listing 13. Dovecot SSL Configuration
# SSL protocols to use, disable SSL, use TLS only
ssl_protocols = !SSLv3 !SSLv2

# SSL ciphers to use
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

# Prefer the server's order of ciphers over client's. (Dovecot >=2.2.6 Required)
ssl_prefer_server_ciphers = yes

# Diffie-Hellman parameters length (Default is 1024, Dovecot >=2.2.7 Required)
# ToDo: for ReGenerating DH-Parameters:
# manually delete /var/lib/dovecot/ssl-parameters.dat and restart
# Dovecot to regenerate /var/lib/dovecot/ssl-parameters.dat
ssl_dh_parameters_length = 2048

# Disable Compression (Dovecot >= 2.2.14 Required)
# ssl_options = no_compression

Dovecot 2.0, 2.1: Almost as good as dovecot 2.2. Dovecot does not ignore unknown configuration parameters. Does not support ssl_prefer_server_ciphers.

8.3.3. Limitations

  • Dovecot <2.2.14 does not support disabling TLS compression.
    In >2.2.14 [6] use: ssl_options = no_compression

  • Dovecot <2.2.7 uses fixed DH parameters.
    In >2.2.7 [7] greater DH-Parameters are supported: ssl_dh_parameters_length = 2048.

8.3.4. References

8.3.5. How to test

$ openssl s_client -crlf -connect example.com:993
$ openssl s_client -crlf -connect example.com:995
$ openssl s_client -crlf -starttls imap -connect example.com:143
$ openssl s_client -crlf -starttls pop3 -connect example.com:110

SSLyze offers scanning for common vulnerabilities and displays Protocols and Cipher-Suites.

$ sslyze.exe --regular example.com:993
$ sslyze.exe --regular example.com:995
$ sslyze.exe --regular --starttls=imap example.com:143
$ sslyze.exe --regular --starttls=pop3 example.com:110

8.4. cyrus-imapd

8.4.1. Tested with Versions

Table 5. Tested cyrus-imapd Versions
Program Version OS/Distribution/Version Comment

2.4.17

8.4.2. Settings

To activate SSL/TLS configure your certificate with

Listing 14. Activating TLS in cyrus
tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key

Do not forget to add necessary intermediate certificates to the .pem file.

Limiting the ciphers provided may force (especially older) clients to connect without encryption at all! Sticking to the defaults is recommended.

If you still want to force strong encryption use

Listing 15. TLS cipher selection in cyrus
tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

cyrus-imapd loads hardcoded 1024 bit DH parameters using get_rfc2409_prime_1024() by default. If you want to load your own DH parameters add them PEM encoded to the certificate file given in tls_cert_file. Do not forget to re-add them after updating your certificate.

To prevent unencrypted connections on the STARTTLS ports you can set

Listing 16. Force encrypted connections in cyrus
allowplaintext: no

This way MUAs can only authenticate with plain text authentication schemes after issuing the STARTTLS command. Providing CRAM-MD5 or DIGEST-MD5 methods is not recommended.

To support POP3/IMAP on ports 110/143 with STARTTLS and POP3S/IMAPS on ports 995/993 check the SERVICES section in cyrus.conf

Listing 17. STARTTLS for POP3/IMAP and POP3S/IMAPS in cyrus
SERVICES {
    imap  cmd="imapd -U 30"    listen="imap"  prefork=0 maxchild=100
    imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
    pop3  cmd="pop3d -U 30"    listen="pop3"  prefork=0 maxchild=50
    pop3s cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
}

8.4.3. Limitations

cyrus-imapd currently (2.4.17, trunk) does not support elliptic curve cryptography. Hence, ECDHE will not work even if defined in your cipher list.

Currently there is no way to prefer server ciphers or to disable compression.

There is a working patch for all three features.

8.4.4. How to test

$ openssl s_client -crlf -connect example.com:993

8.5. Postfix

8.5.1. Tested with Versions

Table 6. Tested Postfix Versions
Program Version OS/Distribution/Version Comment

2.9.6

Debian Wheezy

with OpenSSL 1.0.1e

2.11.0

Ubuntu 14.04.02

with OpenSSL 1.0.1f

3.1.0

Ubuntu 16.04.3 LTS

8.5.2. Settings

Postfix has five internal lists of ciphers, and the possibility to switch between those with smtpd_tls_ciphers. However, we leave this at its default value for server to server connections, as many mail servers only support outdated protocols and ciphers. We consider bad encryption still better than plain text transmission. For connections to MUAs, TLS is mandatory and the ciphersuite is modified.

MX and SMTP client configuration:

As discussed in section [smtp_general], because of opportunistic encryption we do not restrict the list of ciphers or protocols for communication with other mail servers to avoid transmission in plain text. There are still some steps needed to enable TLS, all in main.cf:

Listing 18. Opportunistic TLS in Postfix
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# log TLS connection info
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
# enable opportunistic TLS support in the SMTP server and client
smtpd_tls_security_level = may
smtp_tls_security_level = may
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
MSA:

For the MSA smtpd process which communicates with mail clients, we first define the ciphers that are acceptable for the “mandatory” security level, again in main.cf:

Listing 19. MSA TLS configuration in Postfix
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

Then, we configure the MSA smtpd in master.cf with two additional options that are only used for this instance of smtpd:

Listing 20. MSA smtpd service configuration in Postfix
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# ...
submission inet n       -       -       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o tls_preempt_cipherlist=yes
# ...

For those users who want to use EECDH key exchange, it is possible to customize this via: The default value since Postfix 2.8 is “strong”.

Listing 21. EECDH customization in Postfix
smtpd_tls_eecdh_grade = ultra

8.5.3. Limitations

tls_ssl_options is supported from Postfix 2.11 onwards. You can leave the statement in the configuration for older versions, it will be ignored.

tls_preempt_cipherlist is supported from Postfix 2.8 onwards. Again, you can leave the statement in for older versions.

8.5.4. References

8.5.5. Additional settings

Postfix has two sets of built-in DH parameters that can be overridden with the smtpd_tls_dh512_param_file and smtpd_tls_dh1024_param_file options. The “dh512” parameters are used for export ciphers, while the “dh1024” ones are used for all other ciphers.

The “bit length” in those parameter names is just a name, so one could use stronger parameter sets; it should be possible to e.g. use the IKE Group14 parameters (see section [DH] without much interoperability risk, but we have not tested this yet.

8.5.6. How to test

You can check the effect of the settings with the following command:

$ zegrep "TLS connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
      1 SSLv3 with cipher DHE-RSA-AES256-SHA
     23 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
     60 TLSv1 with cipher ECDHE-RSA-AES256-SHA
    270 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
    335 TLSv1 with cipher DHE-RSA-AES256-SHA
$ openssl s_client -starttls smtp -crlf -connect example.com:25

8.6. Exim

8.6.1. Tested with Versions

Table 7. Tested Exim Versions
Program Version OS/Distribution/Version Comment

4.82

Debian Jessie

4.82

Ubuntu 14.04.2

with OpenSSL 1.0.1e

It is highly recommended to read Encrypted SMTP connections using TLS/SSL first.

MSA mode (submission):

In the main config section of Exim add:

Listing 22. Certificate selection in Exim (MSA)
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem

Don’t forget to add intermediate certificates to the .pem file if needed.

Tell Exim to advertise STARTTLS in the EHLO answer to everyone:

Listing 23. TLS advertise in Exim (MSA)
tls_advertise_hosts = *

If you want to support legacy SMTPS on port 465, and STARTTLS on smtp(25)/submission(587) ports set

Listing 24. STARTTLS and SMTPS in Exim (MSA)
daemon_smtp_ports = smtp : smtps : submission
tls_on_connect_ports = 465

It is highly recommended to limit SMTP AUTH to SSL connections only. To do so add

Listing 25. SSL-only authentication in Exim (MSA)
server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

to every authenticator defined.

Add the following rules on top of your acl_smtp_mail:

Listing 26. Submission mode in Exim (MSA)
acl_smtp_mail = acl_check_mail
acl_check_mail:

  warn hosts = *
    control = submission/sender_retain
  accept

This switches Exim to submission mode and allows addition of missing “Message-ID” and “Date” headers.

It is not advisable to restrict the default cipher list for MSA mode if you don’t know all connecting MUAs. If you still want to define one please consult the Exim documentation or ask on the exim-users mailinglist.

The cipher used is written to the logfiles by default. You may want to add

log_selector = <whatever your log_selector already contains> +tls_certificate_verified +tls_peerdn +tls_sni

to get even more TLS information logged.

Server mode (incoming):

In the main config section of Exim add:

Listing 27. Certificate selection in Exim (Server)
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem

Don’t forget to add intermediate certificates to the .pem file if needed.

Tell Exim to advertise STARTTLS in the EHLO answer to everyone:

Listing 28. TLS advertise in Exim (Server)
tls_advertise_hosts = *

Listen on smtp(25) port only:

Listing 29. STARTTLS on SMTP in Exim (Server)
daemon_smtp_ports = smtp

It is not advisable to restrict the default cipher list for opportunistic encryption as used by SMTP. Do not use cipher lists recommended for HTTPS! If you still want to define one please consult the Exim documentation or ask on the exim-users mailinglist.

If you want to request and verify client certificates from sending hosts set

Listing 30. TLS certificate verification in Exim (Server)
tls_verify_certificates = /etc/pki/tls/certs/ca-bundle.crt
tls_try_verify_hosts = *

tls_try_verify_hosts only reports the result to your logfile. If you want to disconnect such clients you have to use

tls_verify_hosts = *

The cipher used is written to the logfiles by default. You may want to add

log_selector = <whatever your log_selector already contains> +tls_certificate_verified +tls_peerdn +tls_sni

to get even more TLS information logged.

Client mode (outgoing):

Exim uses opportunistic encryption in the SMTP transport by default.

Client mode settings have to be done in the configuration section of the smtp transport (driver = smtp).

If you want to use a client certificate (most server certificates can be used as client certificate, too) set

Listing 31. Certificate selection in Exim (Client)
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem

This is recommended for MTA-MTA traffic.

Do not limit ciphers without a very good reason. In the worst case you end up without encryption at all instead of some weak encryption. Please consult the Exim documentation if you really need to define ciphers.

OpenSSL:

Exim already disables SSLv2 by default. We recommend to add

openssl_options = +all +no_sslv2 +no_sslv3 +no_compression +cipher_server_preference

to the main configuration.

+all is misleading here since OpenSSL only activates the most common workarounds. But that’s how SSL_OP_ALL is defined.

You do not need to set dh_parameters. Exim with OpenSSL by default uses parameter initialization with the “2048-bit MODP Group with 224-bit Prime Order Subgroup” defined in section 2.2 of RFC 5114 (ike23). If you want to set your own DH parameters please read the TLS documentation of exim.

GnuTLS:

GnuTLS is different in only some respects to OpenSSL:

  • tls_require_ciphers needs a GnuTLS priority string instead of a cipher list. It is recommended to use the defaults by not defining this option. It highly depends on the version of GnuTLS used. Therefore it is not advisable to change the defaults.

  • There is no option like openssl_options

Exim string expansion

Most of the options accept expansion strings. This way you can e.g. set cipher lists or STARTTLS advertisement conditionally. Please follow the link to the official Exim documentation to get more information.

Limitations:

Exim currently (4.82) does not support elliptic curves with OpenSSL. This means that ECDHE is not used even if defined in your cipher list. There already is a working patch to provide support.

8.6.2. How to test

$ openssl s_client -starttls smtp -crlf -connect example.com:25

8.7. Cisco ESA/IronPort

8.7.1. Tested with Versions

Table 8. Tested Cisco ESA/IronPort Versions
Program Version OS/Distribution/Version Comment

AsyncOS 7.6.1

AsyncOS 8.5.6

AsyncOS 9.0.0

AsyncOS 9.5.0

AsyncOS 9.6.0

AsyncOS 9.7.0

8.7.2. Settings

Import your certificate(s) using the WEBUI (Network → Certificates).

From AsyncOS 9.0 and up, SSL parameters for inbound SMTP, outbound SMTP and GUI access can be configured in one step via the WEBUI (System Administration → SSL Configuration, see figure IronPort Default SSL Settings). For all versions prior to 9.0, you have to connect to the CLI and configure the SSL parameters separately, as shown below using inbound SMTP as example.

ironport.example.com> sslconfig
sslconfig settings:
  GUI HTTPS method:  sslv3tlsv1
  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
  Inbound SMTP method:  sslv3tlsv1
  Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound

Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]> 3

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

sslconfig settings:
  GUI HTTPS method:  sslv3tlsv1
  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
  Inbound SMTP method:  tlsv1
  Inbound SMTP ciphers: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Starting with AsyncOS 9.0 SSLv3 is disabled by default, whereas the default cipher set is still RC4-SHA:RC4-MD5:ALL (see figure IronPort Default SSL Settings).

IronPort Default SSL Settings
Figure 1. IronPort Default SSL Settings

After committing these changes in the CLI, you have to activate the use of TLS in several locations.

For inbound connections, first select the appropriate certificate in the settings of each listener you want to have TLS enabled on (Network → Listeners, see figure IronPort Default SSL Settings). Afterwards, for each listener, configure all Mail Flow Policies which have their Connection Behavior set to “Accept” or “Relay” to at least prefer TLS (Mail Policies → Mail Flow Policies, see figure IronPort Default SSL Settings). It is recommended to also enable TLS in the default Mail Flow Policy, because these settings will be inherited by newly created policies, unless specifically overwritten. + TLS can be enforced by creating a new Mail Flow Policy with TLS set to “required”, creating a new Sender Group defining the addresses of the sending mail servers for which you want to enforce encryption (Mail Policies → HAT Overview) and using this new Sender Group in conjunction with the newly created Mail Flow Policy.

IronPort Listener Settings
Figure 2. IronPort Listener Settings
IronPort Mail Flow Policy Security Features
Figure 3. IronPort Mail Flow Policy Security Features

TLS settings for outbound connections have to be configured within the Destination Controls (Mail Policies → Destination Controls). Choose the appropriate SSL certificate within the global settings and configure TLS to be preferred in the default profile to enable it for all outbound connections. After these two steps the Destination Control overview page should look like figure IronPort Destination Control overview on page . To enforce TLS for a specific destination domain, add an entry to the Destination Control Table and set “TLS Support” to “required”.

Destination Control overview
Figure 4. IronPort Destination Control overview

8.7.3. Limitations

All AsyncOS releases prior to version 9.5 use OpenSSL 0.9.8. Therefore TLS 1.2 is not supported in these versions and some of the suggested ciphers won’t work. Starting with AsyncOS 9.5 TLS 1.2 is fully supported. [8] You can check the supported ciphers on the CLI by using the option verify from within the sslconfig command:

[]> verify

Enter the ssl cipher you want to verify.
[]> EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

8.7.4. How to test

$ openssl s_client -starttls smtp -crlf -connect example.com:25

9. Virtual Private Networks

Virtual Private Networks (VPN) provide means of connecting private networks over external / public transport networks. Since we do not control the transport networks we have to to take care about data integrity and privacy.

Some providers also offer VPNs for connecting company networks via MPLS or simular technologies. The provider promises you that nobody else has access to your data trnfserred over their lines. You have to decide if this promise does fit to your information security requirements.

Basically there are two ways to ensure the privacy and integrity of the data sent via external lines. First you could utilize the built-in security of the Internet Protocol (IPsec). The other way are specific applications that encrypt the data before sending it over the line.

IPsec is an Internet standard (TODO RFC 6071). This guarantees the interoperability between implementations of different vendors. You can establish a secure connection with your customer or your supplier. On the other hand VPN applications mostly utilize TLS to secury the communication between the partners.

TODO: Descision criteria IPsec vs. VPN application.

9.1. IPsec

IPsec is the Internet standard to encrypt the transport of data between private networks.

9.1.1. Technology

We describe only the use the Internet Key Exchange (IKE) version 2 in this dodument. IKEv1 has some usage and security problems and should not be used any more. (TODO: reference).

9.1.2. Authentication

IPsec authentication should optimally be performed via RSA signatures, with a key size of 2048 bits or more. Configuring only the trusted CA that issued the peer certificate provides for additional protection against fake certificates.

If you need to use Pre-Shared Key (PSK) authentication:

  • Choose a random, long enough PSK (see below)

  • Use a separate PSK for any IPsec connection

  • Change the PSKs regularly

  • Think aboute a secure way to exchange the PSK. Sending an SMS it not secure.

The size of the PSK should not be shorter than the output size of the hash algorithm used in IKE.footnote[It is used in a HMAC, see RFC2104  and the discussion starting in TODO: verify http://www.vpnc.org/ietf-ipsec/02.ipsec/msg00268.html.].

For a key composed only of upper- and lowercase letters, numbers, and two additional characters[9], table #tab:IPSEC_psk_len gives the minimum lengths in characters.

Cryptographic Suites:

IPSEC Cryptographic Suites are pre-defined settings for all the items of a configuration; they try to provide a balanced security level and make setting up VPNs easier. [10]

When using any of those suites, make sure to enable “Perfect Forward Secrecy“ for Phase 2, as this is not specified in the suites. The equivalents to the recommended ciphers suites in section Recommended cipher suites are shown in table #tab:IPSEC_suites.

Phase 1:

TODO: Phase 1 and 2 are phrases from IKEv1. Re-write for IKEv2.

Alternatively to the pre-defined cipher suites, you can define your own, as described in this and the next section.

Phase 1 is the mutual authentication and key exchange phase; table #tab:IPSEC_ph1_params shows the parameters.

Use only “main mode“, as “aggressive mode“ has known security vulnerabilities [11].

Phase 2:

Phase 2 is where the parameters that protect the actual data are negotiated; recommended parameters are shown in table #tab:IPSEC_ph2_params.

9.1.3. References

9.2. Check Point Next Generation Firewall

9.2.1. Tested with Versions

Table 9. Tested CheckPoint Versions
Program Version OS/Distribution/Version Comment

R77

Secure Platform

9.2.2. Settings

Please see section IPsec for guidance on parameter choice. In this section, we will configure a strong setup according to Configuration A.

This is based on the concept of a VPN Community, which has all the settings for the gateways that are included in that community. Communities can be found in the IPSEC VPN tab of SmartDashboard.

VPN Community encryption properties

Either choose one of the encryption suites in the properties dialog (figure [checkpoint_1], or proceed to Custom Encryption..., where you can set encryption and hash for Phase 1 and 2 (figure [checkpoint_2].

Custom Encryption Suite Properties

The Diffie-Hellman groups and Perfect Forward Secrecy Settings can be found under Advanced Settings / Advanced VPN Properties (figure [checkpoint_3].

Advanced VPN Properties

9.2.3. Additional settings

For remote Dynamic IP Gateways, the settings are not taken from the community, but set in the Global Properties dialog under Remote Access / VPN Authentication and Encryption. Via the Edit... button, you can configure sets of algorithms that all gateways support (figure [checkpoint_4]).

Remote Access Encryption Properties

Please note that these settings restrict the available algorithms for all gateways, and also influence the VPN client connections.

9.2.4. References

9.3. TLS Based Applications

9.3.1. OpenVPN

9.3.2. Tested with Versions

Table 10. Tested OpenVPN Versions
Program Version OS/Distribution/Version Comment

2.3.10

Ubuntu Xenial 16.04.1 LTS

linked against openssl (libssl.so.1.0.0)

2.3.2

Debian Wheezy (backports)

linked against openssl (libssl.so.1.0.0)

2.2.1

Debian Wheezy

linked against openssl (libssl.so.1.0.0)

2.3.2

Windows

Settings
General

We describe a configuration with certificate-based authentication; see below for details on the easyrsa tool to help you with that.

OpenVPN uses TLS only for authentication and key exchange. The bulk traffic is then encrypted and authenticated with the OpenVPN protocol using those keys.

Note that while the tls-cipher option takes a list of ciphers that is then negotiated as usual with TLS, the cipher and auth options both take a single argument that must match on client and server.

OpenVPN duplexes the tunnel into a data and a control channel. The control channel is a usual TLS connection, the data channel currently uses encrypt-then-mac CBC, see https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75365286

Server Configuration
Client Configuration

Client and server have to use compatible configurations, otherwise they can’t communicate. The cipher and auth directives have to be identical.

9.3.3. Justification for special settings

OpenVPN 2.3.1 changed the values that the tls-cipher option expects from OpenSSL to IANA cipher names. That means from that version on you will get Deprecated TLS cipher name warnings for the configurations above. You cannot use the selection strings from section Recommended cipher suites directly from 2.3.1 on, which is why we give an explicit cipher list here.

In addition, there is a 256 character limit on configuration file line lengths; that limits the size of cipher suites, so we dropped all ECDHE suites.

The configuration shown above is compatible with all tested versions.

9.3.4. References

9.3.5. Additional settings

Key renegotiation interval

The default for renegotiation of encryption keys is one hour (reneg-sec 3600). If you transfer huge amounts of data over your tunnel, you might consider configuring a shorter interval, or switch to a byte- or packet-based interval (reneg-bytes or reneg-pkts).

Insecure ciphers

Sweet32[12] is an attack on 64-bit block ciphers, such as 3DES and Blowfish in OpenVPN. The following ciphers are affected, and should no longer be used:

  • BF-*

  • DES* (including 3DES variants)

  • RC2-*

The following ciphers are not affected:

  • AES-*

  • CAMELLIA-*

  • SEED-*

According to mitigation section on Sweet32 website[13] users users should change the cipher from the DES or Blowfish to AES (cipher AES-128-CBC). If cipher change is not possible users can mitigate the attack by forcing frequent rekeying (reneg-bytes 64000000).

Fixing “easy-rsa”

When installing an OpenVPN server instance, you are probably using easy-rsa to generate keys and certificates. The file vars in the easyrsa installation directory has a number of settings that should be changed to secure values:

This will enhance the security of the key generation by using RSA keys with a length of 4096 bits, and set a lifetime of one year for the server/client certificates and five years for the CA certificate.

4096 bits is only an example of how to do this with easy-rsa. See also section Keylengths for a discussion on keylengths.

In addition, edit the pkitool script and replace all occurrences of sha1 with sha256, to sign the certificates with SHA256.

9.3.6. Limitations

Note that the ciphersuites shown by openvpn --show-tls are known, but not necessarily supported [14].

Which cipher suite is actually used can be seen in the logs:

Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA

9.4. PPTP

PPTP is considered insecure, Microsoft recommends to _use a more secure VPN tunnel_[15].

There is a cloud service that cracks the underlying MS-CHAPv2 authentication protocol for the price of USD 200[16], and given the resulting MD4 hash, all PPTP traffic for a user can be decrypted.

9.5. Cisco ASA

The following settings reflect our recommendations as best as possible on the Cisco ASA platform. These are - of course - just settings regarding SSL/TLS (i.e. Cisco AnyConnect) and IPsec. For further security settings regarding this platform the appropriate Cisco guides should be followed.

9.5.1. Tested with Versions

Table 11. Tested Cisco ASA Versions
Program Version OS/Distribution/Version Comment

9.1(3)

X-series model

9.5.2. Settings

crypto ipsec ikev2 ipsec-proposal AES-Fallback
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES-GCM-Fallback
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES128-GCM
 protocol esp encryption aes-gcm
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES192-GCM
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-GCM AES192-GCM AES128-GCM AES-GCM-Fallback AES-Fallback
crypto map Outside-DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-DMZ_map interface Outside-DMZ

crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 14
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 integrity null
 group 14
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256
 group 14
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 4
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 group 14
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 enable Outside-DMZ client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 Outside-DMZ

9.5.3. Justification for special settings

New IPsec policies have been defined which do not make use of ciphers that may be cause for concern. Policies have a "Fallback" option to support legacy devices.

3DES has been completely disabled as such Windows XP AnyConnect Clients will no longer be able to connect.

The Cisco ASA platform does not currently support RSA Keys above 2048bits.

Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure for SHA256/SHA384/SHA512 nor AES-GCM for IKEv2 proposals.

9.6. Openswan

9.6.1. Tested with Version

Table 12. Tested OpenS/WAN Versions
Program Version OS/Distribution/Version Comment

2.6.39

Gentoo

9.6.2. Settings

The available algorithms depend on your kernel configuration (when using protostack=netkey) and/or build-time options.

To list the supported algorithms

$ ipsec auto --status | less

and look for ’algorithm ESP/IKE’ at the beginning.

aggrmode=no
# ike format: cipher-hash;dhgroup
# recommended ciphers:
# - aes
# recommended hashes:
# - sha2_256 with at least 43 byte PSK
# - sha2_512 with at least 86 byte PSK
# recommended dhgroups:
# - modp2048 = DH14
# - modp3072 = DH15
# - modp4096 = DH16
# - modp6144 = DH17
# - modp8192 = DH18
ike=aes-sha2_256;modp2048
type=tunnel
phase2=esp
# esp format: cipher-hash;dhgroup
# recommended ciphers configuration A:
# - aes_gcm_c-256 = AES_GCM_16
# - aes_ctr-256
# - aes_ccm_c-256 = AES_CCM_16
# - aes-256
# additional ciphers configuration B:
# - camellia-256
# - aes-128
# - camellia-128
# recommended hashes configuration A:
# - sha2-256
# - sha2-384
# - sha2-512
# - null (only with GCM/CCM ciphers)
# additional hashes configuration B:
# - sha1
# recommended dhgroups: same as above
phase2alg=aes_gcm_c-256-sha2_256;modp2048
salifetime=8h
pfs=yes
auto=ignore

9.6.3. How to test

Start the vpn and using

$ ipsec auto --status | less

and look for ’IKE algorithms wanted/found’ and ’ESP algorithms wanted/loaded’.

9.6.4. References

9.7. tinc

9.7.1. Tested with Versions

Table 13. Tested tinc Versions
Program Version OS/Distribution/Version Comment

1.0.23

Gentoo

linked against OpenSSL 1.0.1e

1.0.23

Sabayon

linked against OpenSSL 1.0.1e

Defaults

tinc uses 2048 bit RSA keys, Blowfish-CBC, and SHA1 as default settings and suggests the usage of CBC mode ciphers. Any key length up to 8192 is supported and it does not need to be a power of two. OpenSSL Ciphers and Digests are supported by tinc.

Settings

Generate keys with

$ tincd -n NETNAME -K8192

Old keys will not be deleted (but disabled), you have to delete them manually. Add the following lines to your tinc.conf on all machines

10. PGP/GPG - Pretty Good Privacy

The OpenPGP protocol defines a set of asymmetric- and symmetric encryption algorithms, signature methods and compression protocols. GnuPG, a FOSS implementation of the OpenPGP standard, is widely used for mail encryption.

GnuPG signs a message, encrypts it symmetrically and encrypts the symmetric key and the hash with Bob’s public key asymmetrically.

Research on SHA-1 conducted back in 2005 (see: SHA-1 Broken) as well as the first practical successful collision in early 2017 (see: SHAttered) has made clear that collision attacks are a real threat to the security of the SHA-1 hash function.

Since SHA-1 is defined as a must implementation by the OpenPGP specification, GnuPG is still using it. Currently settings should be adapted to preferably avoid using SHA-1.

When using GnuPG, there are a couple of things to take care of:

Properly dealing with key material, passphrases and the web-of-trust is outside of the scope of this document. The GnuPG website has a good tutorial on GnuPG.

After 31 December 2017 GnuPG version 2.0.x is no longer supported and shall not be used anymore. Use the new long term version 2.1 instead.

10.1. Hashing

Avoid SHA-1 by preferring better hashing methods. GnuPG. Edit $HOME/.gnupg/gpg.conf:

Listing 32. Digest selection in GnuPG
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 TWOFISH SHA512 SHA384 SHA256 BZIP2 ZLIB ZIP

10.2. Key Generation

Because of lack of forward secrecy (see: [pfs]) in OpenPGP it is preferable to use large asymmetric keys for long term communication protection. A RSA key of 4096 bits should provide enough confidentiality for the next 10 years (see: Cryptographic Key Length Recommendation).

Listing 33. New key generation with GnuPG version 2.1
$ gpg --batch --full-gen-key $HOME/Desktop/params.txt`
Listing 34. Parameters for key generation with GnuPG version 2.1
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: <your-name>
Name-Email: <your-email-address>
Passphrase: <password>
Expires: 2y
# My preferences: AES256, CAMELLIA256, AES192, CAMELLIA192, AES128, CAMELLIA128, TWOFISH, SHA512, SHA384, SHA256, BZIP2, ZLIB and ZIP
Preferences: S9 S13 S8 S12 S7 S11 S10 H10 H9 H8 Z3 Z2 Z1 (1)
1 The preferences parameters S9 to Z1 correspond to AES256, CAMELLIA256, AES192, CAMELLIA192, AES, CAMELLIA128, TWOFISH, SHA512, SHA384, SHA256, BZIP2, ZLIB and ZIP. The parameters 3DES, SHA-1 and uncompressed are set automatically by GnuPG.

10.3. ECC - Elliptic Curve Cryptography

Since the release of GnuPG version 2.1 end-2014 ECC is supported. Older versions though are still widely used therefore ECC is not yet applicable in practice.

11. IPMI, ILO and other lights out management solutions

Consider creating an unrouted management VLAN and access that only via VPN.

We strongly recommend that any remote management system for servers such as ILO, iDRAC, IPMI based solutions and similar systems never be connected to the public internet.

12. Instant Messaging Systems

12.1. General server configuration recommendations

For servers, we mostly recommend to apply what’s proposed by the Peter’s manifesto.

In short:

  • require the use of TLS for both client-to-server and server-to-server connections

  • prefer or require TLS cipher suites that enable forward secrecy

  • deploy certificates issued by well-known and widely-deployed certification authorities (CAs)

The last point being out-of-scope for this section, we will only cover the first two points.

12.2. ejabberd

12.2.1. Tested with Versions

  • ejabberd 14.12, Debian 7 Wheezy

  • ejabberd 14.12, Ubuntu 14.04 Trusty

  • ejabberd 15.03, Ubuntu 14.04 Trusty

  • ejabberd 16.01, Ubuntu 14.04 Trusty

12.2.2. Settings

ejabberd is one of the popular Jabber servers. In order to be compliant with the manifesto, you should adapt your configuration:

Listing 35. TLS setup for ejabberd
listen:
    -
        port: 5222
        module: ejabberd_c2s
        certfile: "/path/to/ssl.pem"
        starttls: true
        starttls_required: true
        protocol_options:
            - "no_sslv3"
            - "no_tlsv1"
            - "cipher_server_preference"
        max_stanza_size: 65536
        dhfile: "/path/to/dhparams.pem" (1)
        shaper: c2s_shaper
        access: c2s
    -
        port: 5269
        module: ejabberd_s2s_in
s2s_use_starttls: required_trusted
s2s_certfile: "/path/to/ssl.pem"
s2s_dhfile: "/etc/ejabberd/dhparams.pem" # Available from version 15.03
s2s_protocol_options:
    - "no_sslv3"
    - "no_tlsv1"
    - "cipher_server_preference"
1 Available from version 15.06

12.2.3. Additional settings

It is possible to explicitly specify a cipher string for TLS connections.

Listing 36. Specifying a cipher order and enforcing it
listen:
    -
        port: 5222
        module: ejabberd_c2s
        certfile: "/path/to/ssl.pem"
        starttls: true
        starttls_required: true
        protocol_options:
            - "no_sslv3"
            - "no_tlsv1"
         - "cipher_server_preference"
        max_stanza_size: 65536
        dhfile: "/path/to/dhparams.pem"   (1)
        ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
    -
        port: 5269
        module: ejabberd_s2s_in
s2s_use_starttls: required_trusted
s2s_certfile: "/path/to/ssl.pem"
s2s_dhfile: "/etc/ejabberd/dhparams.pem"  (2)
s2s_protocol_options:
    - "no_sslv3"
    - "no_tlsv1"
    - "cipher_server_preference"
s2s_ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
1 Available from version 15.06
2 Available from version 15.03
Weak Ciphers

Note that we are setting the SSL option cipher_server_preference. This enforces our cipher order when negotiating which ciphers are used, as the cipher order of some clients chooses weak ciphers over stronger ciphers.

Starting with version 15.03[17], it is possible to use custom Diffie-Hellman-Parameters. This allows us to negotiate stronger Diffie-Hellman-keys, and also helps us avoid problems with using common weak Diffie-Hellman-Parameters. You can generate your own parameter file by running:

$ openssl dhparam -out dhparams.pem 4096

By default, ejabberd provides an administration website (look for the ejabberd_http module). Enable TLS protection for it like this:

    port: 5280
    module: ejabberd_http
    web_admin: true
    http_poll: true
    http_bind: true
    captcha: true
    certfile: "/path/to/ssl.pem"
    tls: true

12.2.4. Tested with Versions

  • Debian Wheezy 2.1.10-4+deb7u1

12.2.5. Settings

Older versions of ejabberd use a different configuration file syntax. In order to be compliant with the manifesto, you should adapt your configuration[18] as follows:

{listen,
    [
        {5222, ejabberd_c2s, [
        {access, c2s},
        {shaper, c2s_shaper},
        {max_stanza_size, 65536},
        starttls,
        starttls_required,
        {certfile, "/etc/ejabberd/ejabberd.pem"}
        ]},
    ]}.
{s2s_use_starttls, required_trusted}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

12.2.6. Additional settings

Older versions of ejabberd (< 2.0.0) need to be patched to be able to parse all of the certificates in the CA chain. Specifying a custom cipher string is only possible starting with version 13.12 (see configuration for version 14.12 above).

12.2.8. How to test

IM Observatory is a useful website to test Jabber server configurations.

12.3. Chat privacy - Off-the-Record Messaging (OTR)

Off-the-Record Messaging Protocol works on top of the Jabber protocol. It adds to popular chat clients (Adium, Pidgin…​) the following properties for encrypted chats:

  • Authentication

  • Integrity

  • Confidentiality

  • Forward secrecy

It basically uses Diffie-Hellman, AES and SHA1. Communicating over an insecure instant messaging network, OTR can be used for end to end encryption.

There are no specific configurations required but the protocol itself is worth to be mentioned.

12.4. Charybdis

There are numerous implementations of IRC servers. In this section, we choose Charybdis which serves as basis for ircd-seven, developed and used by freenode. Freenode is actually the biggest IRC network[19]. Charybdis is part of the Debian & Ubuntu distributions.

Listing 37. SSL relevant configuration for Charybdis/ircd-seven
/* Extensions */
#loadmodule "extensions/chm_sslonly_compat.so";
loadmodule "extensions/extb_ssl.so";
serverinfo {
    ssl_private_key = "etc/test.key";
    ssl_cert = "etc/test.cert";
    ssl_dh_params = "etc/dh.pem";
    # set ssld_count as number of cores - 1
    ssld_count = 1;
};
listen {
    sslport = 6697;
};

12.5. SILC

SILC is instant messaging protocol publicly released in 2000. SILC is a per-default secure chat protocol thanks to a generalized usage of symmetric encryption. Keys are generated by the server meaning that if compromised, communication could be compromised.

The protocol is not really popular anymore.

13. Databases

13.1. Oracle

No information available / known.

13.2. MySQL

13.2.1. Tested with Versions

  • MySQL 5.5 on Debian Wheezy

  • MySQL 5.7.20 on Ubuntu 16.04.3

13.2.2. Settings

13.2.3. References

13.2.4. How to test

After restarting the server run the following query to see if the ssl settings are correct:

show variables like '%ssl%';

13.3. DB2

13.3.1. Tested with Version

We do not test this here, since we only reference other papers for DB2 so far.

13.3.2. Settings

ssl_cipherspecs:

In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.

Listing 38. Recommended and supported ciphersuites
db2 update dbm cfg using SSL_CIPHERSPECS
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

13.3.3. References

13.4. PostgreSQL

13.4.1. Tested with Versions

  • Debian Wheezy and PostgreSQL 9.1

  • Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c

13.4.2. Settings

To start in SSL mode the server.crt and server.key must exist in the servers data directory $PGDATA.

Starting with version 9.2, you have the possibility to set the path manually.

13.4.3. References

It’s recommended to read Security and Authentication in the manual.

PostgreSQL Documentation on Secure TCP/IP Connections with SSL.

PostgreSQL Documentation on Client Authentication.

13.4.4. How to test

To test your ssl settings, run psql with the sslmode parameter:

$ psql "sslmode=require host=postgres-server dbname=database" your-username

14. Proxy Solutions

Within enterprise networks and corporations with increased levels of paranoia or at least some defined security requirements it is common not to allow direct connections to the public internet.

For this reason proxy solutions are deployed on corporate networks to intercept and scan the traffic for potential threats within sessions.

For encrypted traffic there are four options:

  • Block the connection because it cannot be scanned for threats.

  • Bypass the threat-mitigation and pass the encrypted session to the client, which results in a situation where malicious content is transferred directly to the client without visibility to the security system.

  • Intercept (i.e. terminate) the session at the proxy, scan there and re-encrypt the session towards the client (effectively MITM).

  • Deploy special Certificate Authorities to enable Deep Packet Inspection on the wire.

While the latest solution might be the most "up to date", it arises a new front in the context of this paper, because the most secure part of a client’s connection could only be within the corporate network, if the proxy-server handles the connection to the destination server in an insecure manner.

Conclusion: Don’t forget to check your proxy solutions SSL-capabilities. Also do so for your reverse proxies!

14.1. Bluecoat / Symantec

Blue Coat Systems was a well-known manufacturer of enterprise proxy appliances. In 2016 it was acquired by Symantec. The products are now known as Symantec ProxySG and Advanced Secure Gateway (ASG).

The description below is for the original Blue Coat SG Operating System (SGOS).

BlueCoat Proxy SG Appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there only seems to be limited use of this feature "in the wild" - nonetheless there are a few cipher suites to choose from, when enabling SSL features.

14.1.1. Tested with Versions

Proxy Appliance SGOS 6.5.x Blue Coat, now Symantec

14.1.2. Only allow TLS 1.0,1.1 and 1.2 protocols:

$conf t
$(config)ssl
$(config ssl)edit ssl-device-profile default
$(config device-profile default)protocol tlsv1 tlsv1.1 tlsv1.2
  ok

14.1.3. Select your accepted cipher-suites:

$conf t
Enter configuration commands, one per line.  End with CTRL-Z.
$(config)proxy-services
$(config proxy-services)edit ReverseProxyHighCipher
$(config ReverseProxyHighCipher)attribute cipher-suite
Cipher#  Use        Description        Strength
-------  ---  -----------------------  --------
      1  yes            AES128-SHA256      High
      2  yes            AES256-SHA256      High
      3  yes               AES128-SHA    Medium
      4  yes               AES256-SHA      High
      5  yes       DHE-RSA-AES128-SHA      High
      6  yes       DHE-RSA-AES256-SHA      High
               [...]
     13  yes          EXP-RC2-CBC-MD5    Export

Select cipher numbers to use, separated by commas: 2,5,6
  ok

The same protocols are available for forward proxy settings and should be adjusted accordingly: In your local policy file add the following section:

<ssl>
    DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)

Disabling protocols and ciphers in a forward proxy environment could lead to unexpected results on certain (misconfigured?) webservers (i.e. ones accepting only SSLv2/3 protocol connections)

14.2. HAProxy

HAProxy can be used as loadbalancer and proxy for TCP and HTTP-based applications. Since version 1.5 it supports SSL and IPv6.

14.2.1. Tested with Versions

HAProxy 1.5.11 with OpenSSL 1.0.1e on Debian Wheezy

14.2.2. Settings

Listing 39. global configuration
global
    ssl-default-bind-ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    ssl-default-bind-options no-sslv3 no-tls-tickets #disable SSLv3
    tune.ssl.default-dh-param 2048 #tune DH to 2048
Listing 40. frontend configuration
frontend public
    bind *:80
    bind *:443 ssl crt server.pem
    mode http
    redirect scheme https code 301 if !{ ssl_fc } # redirect HTTP to HTTPS
Listing 41. backend configuration
backend backend
    mode http
    server server 192.168.1.1:80 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=15768000;\ includeSubDomains #enable HSTS header for this backend

14.2.3. Additional Settings

14.2.4. Enable NPN Support:

    bind *:443 ssl crt server.pem npn "http/1.1,http/1.0"

Append the npn command in the frontend configuration of HAProxy.

14.2.5. Enable OCSP stapling:

HAProxy supports since version 1.5.0 OCSP stapling. To enable it you have to generate the OCSP singing file in the same folder, with the same name as your certificate file plus the extension .ocsp. (e.g. your certificate file is named server.crt then the OCSP file have to be named server.crt.oscp)
To generate the OCSP file use these commands:

$ openssl x509 -in your.certificate.crt -noout -ocsp_uri # <- get your ocsp uri
$ openssl ocsp -noverify -issuer ca.root.cert.crt -cert your.certificate.crt -url "YOUR OCSP URI" -respout your.certificate.crt.ocsp

Reload HAProxy and now OCSP stapling should be enabled.
Note: This OCSP signature file is only valid for a limited time. The simplest way of updating this file is by using cron.daily or something similar.

14.2.6. Enable HPKP:

Get certificate informations:

$ openssl x509 -in server.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64

Then you append the returned string in the HAProxy configuration. Add the following line to the backend configuration:

rspadd Public-Key-Pins:\ pin-sha256="YOUR_KEY";\ max-age=15768000;\ includeSubDomains

Reload HAProxy and HPKP should now be enabled.
Note: Keep in mind to generate a backup key in case of problems with your primary key file.

14.2.7. How to test

See appendix Tools

14.3. Pound

14.3.1. Tested with Versions

Pound 2.6

14.3.2. Settings

Listing 42. HTTPS Listener in Pound
# HTTP Listener, redirects to HTTPS
ListenHTTP
    Address 10.10.0.10
    Port    80
    Service
        Redirect "https://some.site.tld"
    End
End
## HTTPS Listener
ListenHTTPS
    Address      10.10.0.10
    Port         443
    AddHeader    "Front-End-Https: on"
    Cert         "/path/to/your/cert.pem"
    ## See 'man ciphers'.
    Ciphers      "TLSv1.2:TLSv1.1:!SSLv3:!SSLv2:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
    Service
        BackEnd
            Address 10.20.0.10
            Port 80
        End
    End
End

14.4. stunnel

14.4.1. Tested with Versions

  • stunnel 4.53-1.1ubuntu1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f, without disabling Secure Client-Initiated Renegotiation

  • stunnel 5.02-1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f

  • stunnel 4.53-1.1 on Debian Wheezy with OpenSSL 1.0.1e, without disabling Secure Client-Initiated Renegotiation

14.4.2. Settings

Listing 43. HTTPS Listener in stunnel
ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

curve = secp384r1
options = NO_SSLv2
options = NO_SSLv3
options = cipher_server_preference
; Secure Client-Initiated Renegotiation can only be disabled wit stunnel >= 4.54
;renegotiation = no

14.4.3. Additional information

Secure Client-Initiated Renegotiation can only be disabled for stunnel versions >= 4.54, when the renegotiation parameter has been added (See changelog).

14.4.4. References

14.4.5. How to test

See appendix Tools

15. Kerberos

This section discusses various implementations of the Kerberos 5 authentication protocol on Unix and Unix-like systems as well as on Microsoft Windows.

15.1. Overview

Kerberos provides mutual authentication of two communicating parties, e.g. a user using a network service. The authentication process is mediated by a trusted third party, the Kerberos key distribution centre (KDC). Kerberos implements secure single-sign-on across a large number of network protocols and operating systems. Optionally, Kerberos can be used to create encrypted communications channels between the user and service.

An understanding of the Kerberos protocol is necessary for properly implementing a Kerberos setup. Also, in the following section some knowledge about the inner workings of Kerberos is assumed. Therefore we strongly recommend reading the excellent introduction Kerberos: An Authentication Service for Computer Networks first.

No further overview over Kerberos terminology and functions will be provided, for a discussion and a selection of relevant papers refer to Kerberos Papers and Documentation.

The Kerberos protocol over time has been extended with a variety of extensions and Kerberos implementations provide additional services in addition to the aforementioned KDC. All discussed implementations provide support for trust relations between multiple realms, an administrative network service (kerberos-adm, kadmind) as well as a password changing service (kpasswd). Sometimes, alternative database backends for ticket storage, X.509 and SmartCard authentication are provided. Of those, only administrative and password changing services will be discussed.

Protocol versions

Only the Kerberos 5 protocol and implementation will be discussed. Kerberos 4 is obsolete, insecure and its use is strongly discouraged.

15.1.2. Providing a suitable Setup for secure Kerberos Operations

The aim of Kerberos is to unify authentication across a wide range of services, for many different users and use cases and on many computer platforms. The resulting complexity and attack surface make it necessary to carefully plan and continuously evaluate the security of the overall ecosystem in which Kerberos is deployed. Several assumptions are made on which the security of a Kerberos infrastructure relies:

  • Every KDC in a realm needs to be trustworthy. The KDC’s principal database must not become known to or changed by an attacker. The contents of the principal database enables the attacker to impersonate any user or service in the realm.

  • Synchronisation between KDCs must be secure, reliable and frequent. An attacker that is able to intercept or influence synchronisation messages obtains or influences parts of the principal database, enabling impersonation of affected principals. Unreliable or infrequent synchronisation enlarges the window of vulnerability after disabling principals or changing passwords that have been compromised or lost.

  • KDCs must be available. An attacker is able to inhibit authentication for services and users by cutting off their access to a KDC.

  • Users’ passwords must be secure. Since Kerberos is a single-sign-on mechanism, a single password may enable an attacker to access a large number of services.

  • Service keytabs need to be secured against unauthorized access similarly to SSL/TLS server certificates. Obtaining a service keytab enables an attacker to impersonate a service.

  • DNS infrastructure must be secure and reliable. Hosts that provide services need consistent forward and reverse DNS entries. The identity of a service is tied to its DNS name, similarly the realm a client belongs to as well as the KDC, kpasswd and kerberos-adm servers may be specified in DNS TXT and SRV records. Spoofed DNS entries will cause denial-of-service situations and might endanger (i_mit_Realm configuration decisions_, 2013) the security of a Kerberos realm.

  • Clients and servers in Kerberos realms need to have synchronized clocks. Tickets in Kerberos are created with a limited, strictly enforced lifetime. This limits an attacker’s window of opportunity for various attacks such as the decryption of tickets in sniffed network traffic or the use of tickets read from a client computer’s memory. Kerberos will refuse tickets with old timestamps or timestamps in the future. This would enable an attacker with access to a systems clock to deny access to a service or all users logging in from a specific host.

Therefore we suggest:

  • Secure all KDCs at least as strongly as the most secure service in the realm.

  • Dedicate physical (i.e. non-VM) machines to be KDCs. Do not run any services on those machines beyond the necessary KDC, kerberos-adm, kpasswd and kprop services.

  • Restrict physical and administrative access to the KDCs as severely as possible. E.g. ssh access should be limited to responsible adminstrators and trusted networks.

  • Encrypt and secure the KDCs backups.

  • Replicate your primary KDC to at least one secondary KDC.

  • Prefer easy-to-secure replication (propagation in Kerberos terms) methods.Especially avoid LDAP replication and database backends. LDAP enlarges the attack surface of your KDC and facilitates unauthorized access to the principal database e.g. by ACL misconfiguration.

  • Use DNSSEC. If that is not possible, at least ensure that all servers and clients in a realm use a trustworthy DNS server contacted via secure network links.

  • Use NTP on a trustworthy server via secure network links.

  • Avoid services that require the user to enter a password which is then checked against Kerberos. Prefer services that are able to use authentication via service tickets, usually not requiring the user to enter a password except for the initial computer login to obtain a ticket-granting-ticket (TGT). This limits the ability of attackers to spy out passwords through compromised services.

15.2. Implementations

15.2.1. Cryptographic Algorithms in Kerberos Implementations

The encryption algorithms (commonly abbreviated ’etypes’ or ’enctypes’) in Kerberos exchanges are subject to negotiation between both sides of an exchange. Similarly, a ticket granting ticket (TGT), which is usually obtained on initial login, can only be issued if the principal contains a version of the password encrypted with an etype that is available both on the KDC and on the client where the login happens.

Therefore, to ensure interoperability among components using different implementations as shown in Commonly supported Kerberos encryption types by implementation. Algorithm names, a selection of available etypes is necessary. However, the negotiation process may be subject to downgrade attacks and weak hashing algorithms endanger integrity protection and password security.

This means that the des3-cbc-sha1-kd or rc4-hmac algorithms should not be used, except if there is a concrete and unavoidable need to do so. Other des3-*, des-* and rc4-hmac-exp algorithms should never be used.

Along the lines of cipher string B, the following etypes are recommended: aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac.

Commonly supported Kerberos encryption types by implementation. Algorithm names

according to RFC3961, except where aliases can be used or the algorithm is named differently altogether as stated (Raeburn, 2005)

ID Algorithm MIT Heimdal GNU Shishi MS ActiveDirectory

1

des-cbc-crc

yes

yes

yes

yes

2

des-cbc-md4

yes

yes

yes

no

3

des-cbc-md5

yes

yes

yes

yes

6

des3-cbc-none

no

yes

yes

no

7

des3-cbc-sha1

no

yes[20]

no

no

16

des3-cbc-sha1-kd

yes[21]

yesfoonote:[named des3-cbc-sha1]

yes

no

17

aes128-cts-hmac-sha1-96

yes

yes

yes

yesfoonote:[since Vista, Server 2008]

18

aes256-cts-hmac-sha1-96

yes

yes

yes

yes[22]

23

rc4-hmac

yes

yes

yes

yes

24

rc4-hmac-exp

yes

no

yes

yes

25

camellia128-cts-cmac

yes[23]

no

no

no

26

camellia256-cts-cmac

yes[24]

no

no

no

15.2.2. Existing installations

The configuration samples below assume new installations without preexisting principals.

For existing installations:

  • Existing setups should be migrated to a new master key if the current master key is using a weak enctype.

  • When changing the list of supported_enctypes, principals where all enctypes are no longer supported will cease to work.

  • Be aware that Kerberos 4 is obsolete and should not be used.

  • Principals with weak enctypes pose an increased risk for password bruteforce attacks if an attacker gains access to the database.

To get rid of principals with unsupported or weak enctypes, a password change is usually the easiest way. Service principals can simply be recreated.

15.2.3. MIT krb5

KDC configuration

In /etc/krb5kdc/kdc.conf set the following in your realm’s configuration:

Listing 44. Encryption flags for MIT krb5 KDC
supported_enctypes = aes256-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal aes128-cts-hmac-sha1-96:normal camellia128-cts-cmac:normal
default_principal_flags = +preauth

In /etc/krb5.conf set in the [libdefaults] section:

Listing 45. Encryption flags for MIT krb5 client
[libdefaults]
allow_weak_crypto = false
permitted_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac -sha1-96 camellia128-cts-cmac
default_tkt_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
default_tgs_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
Upgrading a MIT krb5 database to a new enctype

To check if an upgrade is necessary, execute the following on the KDC in question:

root@kdc.example.com:~# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970 * (1)
1 In this case, an old unsafe enctype is in use as indicated by the star following the key line.

To upgrade, proceed as follows. First create a new master key for the database with the appropriate enctype. You will be prompted for a master password that can later be used to decrypt the database. A stash-file containing this encryption key will also be written.

root@kdc.example.com:~# kdb5_util add_mkey -s -e aes256-cts-hmac-sha1-96
Creating new master key for master key principal 'K/M@EXAMPLE.COM'
You will be prompted for a new database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Verify that the new master key has been successfully created. Note the key version number (KVNO) of the new master key, in this case 2.

root@kdc.example.com:~# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970 *

Set the new master key as the active master key by giving its KVNO. The active master key will be indicated by an asterisk in the master key list.

root@kdc.example.com:~# kdb5_util use_mkey 2
root@kdc.example.com:~# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed May 13 14:14:18 UTC 2015 *
KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970

Reencrypt all principals to the new master key.

root@kdc.example.com:~# kdb5_util update_princ_encryption
Re-encrypt all keys not using master key vno 2?
(type 'yes' to confirm)? yes
504 principals processed: 504 updated, 0 already current

After verifying that everything still works as desired it is possible to remove unused master keys.

root@kdc.example.com:~# kdb5_util purge_mkeys
Will purge all unused master keys stored in the 'K/M@EXAMPLE.COM' principal, are you sure?
(type 'yes' to confirm)? yes
OK, purging unused master keys from 'K/M@EXAMPLE.COM'...
Purging the following master key(s) from K/M@EXAMPLE.COM:
KVNO: 1
1 key(s) purged.

III: Theory

16. Overview

Number theorists are like lotus-eaters - having tasted this food they can never give it up.

— Leopold Kronecker

This chapter provides the necessary background information on why chapter [practicalsettings] recommended cipher string B.

We start off by explaining the structure of cipher strings in section [architecture] (architecture) and define PFS in [pfs]. Next we present Cipher String A and Cipher String B in section Recommended cipher suites.

This concludes the section on cipher strings. In theory, the reader should now be able to construct his or her own cipher string. However, the question why certain settings were chosen still remains. To answer this part, we need to look at recommended keylengths, problems in specific algorithms and hash functions and other cryptographic parameters. As mentioned initially in section [relatedPublications], the ENISA (ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013), ECRYPT 2 (II & SYM, 2012) and BSI (für Sicherheit in der Informationstechnik (BSI), 2018) reports go much more into these topics and should be consulted in addition.

We try to answer the questions by explaining issues with random number generators (section Random Number Generators), keylengths (section Keylengths), current issues in ECC (section A note on Elliptic Curve Cryptography), a note of warning on SHA-1 (section A note on SHA-1) and some comments on Diffie Hellman key exchanges (section A note on Diffie Hellman Key Exchanges). All of this is important in understanding why certain choices were made for Cipher String A and B. However, for most system administrators, the question of compatibility is one of the most pressing ones. Having the freedom to be compatible with any client (even running on outdated operating systems) of course, reduces the security of our cipher strings. We address these topics in section TODO. All these sections will allow a system administrator to balance his or her needs for strong encryption with usability and compatibility.

Last but not least, we finish this chapter by talking about issues in PKIs (section Public Key Infrastructures), Certificate Authorities and on hardening a PKI. Note that these last few topics deserve a book on their own. Hence this guide can only mention a few current topics in this area.

17. Cipher suites

17.1. Architectural overview

This section defines some terms which will be used throughout this guide.

A cipher suite is a standardized collection of key exchange algorithms, encryption algorithms (ciphers) and Message authentication codes (MAC) algorithm that provides authenticated encryption schemes. It consists of the following components:

Key exchange protocol

"An (interactive) key exchange protocol is a method whereby parties who do not share any secret information can generate a shared, secret key by communicating over a public channel. The main property guaranteed here is that an eavesdropping adversary who sees all the messages sent over the communication line does not learn anything about the resulting secret key." (Katz & Lindell, 2008)
Example: DHE

Authentication

The client authenticates the server by its certificate. Optionally the server may authenticate the client certificate.
Example: RSA

Cipher

The cipher is used to encrypt the message stream. It also contains the key size and mode used by the suite.
Example: AES256

Message authentication code (MAC)

A MAC ensures that the message has not been tampered with (integrity).
Example: SHA256

Authenticated Encryption with Associated Data (AEAD)

AEAD is a class of authenticated encryption block-cipher modes which take care of encryption as well as authentication (e.g. GCM, CCM mode).
Example: AES256-GCM

Listing 46. Composition of a typical cipher string
+-----+  +-----+  +--------+  +--------+
| DHE +--+ RSA +--+ AES256 +--+ SHA256 +
+-----+  +-----+  +--------+  +--------+
A note on nomenclature

There are two common naming schemes for cipher strings – IANA names (see appendix Links) and the more well known OpenSSL names. In this document we will always use OpenSSL names unless a specific service uses IANA names.

17.2. Forward Secrecy

Forward Secrecy or Perfect Forward Secrecy is a property of a cipher suite that ensures confidentiality even if the server key has been compromised. Thus if traffic has been recorded it can not be decrypted even if an adversary has got hold of the server key.

18. Recommended cipher suites

In principle system administrators who want to improve their communication security have to make a difficult decision between effectively locking out some users and keeping high cipher suite security while supporting as many users as possible. The web-site Qualys SSL Labs gives administrators and security engineers a tool to test their setup and compare compatibility with clients. The authors made use of ssllabs.com to arrive at a set of cipher suites which we will recommend throughout this document.

Caution

these settings can only represent a subjective choice of the authors at the time of writing. It might be a wise choice to select your own and review cipher suites based on the instructions in section [ChoosingYourOwnCipherSuites].

18.1. Configuration A: Strong ciphers, fewer clients

At the time of writing, our recommendation is to use the following set of strong cipher suites which may be useful in an environment where one does not depend on many, different clients and where compatibility is not a big issue. An example of such an environment might be machine-to-machine communication or corporate deployments where software that is to be used can be defined without restrictions.

We arrived at this set of cipher suites by selecting:

  • TLS 1.2

  • Perfect forward secrecy / ephemeral Diffie Hellman

  • strong MACs (SHA-2) or

  • GCM as Authenticated Encryption scheme

This results in the OpenSSL string: EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3

Table 14. Configuration A ciphers
ID OpenSSL Name Version KeyEx Auth Cipher MAC

0x009F

DHE-RSA-AES256-GCM-SHA384

TLSv1.2

DH

RSA

AESGCM(256)

AEAD

0x006B

DHE-RSA-AES256-SHA256

TLSv1.2

DH

RSA

AES(256) (CBC)

SHA256

0xC030

ECDHE-RSA-AES256-GCM-SHA384

TLSv1.2

ECDH

RSA

AESGCM(256)

AEAD

0xC028

ECDHE-RSA-AES256-SHA384

TLSv1.2

ECDH

RSA

AES(256) (CBC)

SHA384

Compatibility

At the time of this writing only Win 7 and Win 8.1 crypto stack, OpenSSL >= 1.0.1e, Safari 6 / iOS 6.0.1 and Safari 7 / OS X 10.9 are covered by that cipher string.

18.2. Configuration B: Weaker ciphers but better compatibility

In this section we propose a slightly weaker set of cipher suites. For example, there are known weaknesses for the SHA-1 hash function that is included in this set. The advantage of this set of cipher suites is not only better compatibility with a broad range of clients, but also less computational workload on the provisioning hardware.

All examples in this publication use Configuration B.

We arrived at this set of cipher suites by selecting:

  • TLS 1.2, TLS 1.1, TLS 1.0

  • allowing SHA-1 (see the comments on SHA-1 in section [SHA])

This results in the OpenSSL string:

'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

Table 15. Configuration B ciphers
ID OpenSSL Name Version KeyEx Auth Cipher MAC

0x009F

DHE-RSA-AES256-GCM-SHA384

TLSv1.2

DH

RSA

AESGCM(256)

AEAD

0x006B

DHE-RSA-AES256-SHA256

TLSv1.2

DH

RSA

AES(256)

SHA256

0xC030

ECDHE-RSA-AES256-GCM-SHA384

TLSv1.2

ECDH

RSA

AESGCM(256)

AEAD

0xC028

ECDHE-RSA-AES256-SHA384

TLSv1.2

ECDH

RSA

AES(256)

SHA384

0x009E

DHE-RSA-AES128-GCM-SHA256

TLSv1.2

DH

RSA

AESGCM(128)

AEAD

0x0067

DHE-RSA-AES128-SHA256

TLSv1.2

DH

RSA

AES(128)

SHA256

0xC02F

ECDHE-RSA-AES128-GCM-SHA256

TLSv1.2

ECDH

RSA

AESGCM(128)

AEAD

0xC027

ECDHE-RSA-AES128-SHA256

TLSv1.2

ECDH

RSA

AES(128)

SHA256

0x0088

DHE-RSA-CAMELLIA256-SHA

SSLv3

DH

RSA

Camellia(256)

SHA1

0x0039

DHE-RSA-AES256-SHA

SSLv3

DH

RSA

AES(256)

SHA1

0xC014

ECDHE-RSA-AES256-SHA

SSLv3

ECDH

RSA

AES(256)

SHA1

0x0045

DHE-RSA-CAMELLIA128-SHA

SSLv3

DH

RSA

Camellia(128)

SHA1

0x0033

DHE-RSA-AES128-SHA

SSLv3

DH

RSA

AES(128)

SHA1

0xC013

ECDHE-RSA-AES128-SHA

SSLv3

ECDH

RSA

AES(128)

SHA1

0x0084

CAMELLIA256-SHA

SSLv3

RSA

RSA

Camellia(256)

SHA1

0x0035

AES256-SHA

SSLv3

RSA

RSA

AES(256)

SHA1

0x0041

CAMELLIA128-SHA

SSLv3

RSA

RSA

Camellia(128)

SHA1

0x002F

AES128-SHA

SSLv3

RSA

RSA

AES(128)

SHA1

Compatibility

Note that these cipher suites will not work with Windows XP’s crypto stack (e.g. IE, Outlook),

Explanation

For a detailed explanation of the cipher suites chosen, please see [ChoosingYourOwnCipherSuites]. In short, finding a single perfect cipher string is practically impossible and there must be a tradeoff between compatibility and security. On the one hand there are mandatory and optional ciphers defined in a few RFCs, on the other hand there are clients and servers only implementing subsets of the specification.

Straightforwardly, the authors wanted strong ciphers, forward secrecy [25] and the best client compatibility possible while still ensuring a cipher string that can be used on legacy installations (e.g. OpenSSL 0.9.8).

Our recommended cipher strings are meant to be used via copy and paste and need to work "out of the box".

  • TLSv1.2 is preferred over TLSv1.0 (while still providing a useable cipher string for TLSv1.0 servers).

  • AES256 and CAMELLIA256 count as very strong ciphers at the moment.

  • AES128 and CAMELLIA128 count as strong ciphers at the moment

  • DHE or ECDHE for forward secrecy

  • RSA as this will fit most of today’s setups

  • AES256-SHA as a last resort: with this cipher at the end, even server systems with very old OpenSSL versions will work out of the box (version 0.9.8 for example does not provide support for ECC and TLSv1.1 or above). Note however that this cipher suite will not provide forward secrecy. It is meant to provide the same client coverage(eg. support Microsoft crypto libraries) on legacy setups.

18.3. Compatibility

TODO

Write this section. The idea here is to first document which server (and openssl) version we assumed. Once these parameters are fixed, we then list all clients which are supported for Variant A) and B). Therefore we can document compatibilities to some extent. The sysadmin can then choose roughly what he looses or gains by omitting certain cipher suites.

19. Random Number Generators

A real fair random number generator

(Image license: CC-BY-NC)

A good source of random numbers is essential for many crypto operations. The key feature of a good random number generator is the non-predictability of the generated numbers. This means that hardware support for generating entropy is essential.

Hardware random number generators in operating systems or standalone components collect entropy from various random events mostly by using the (low bits of the) time an event occurs as an entropy source. The entropy is merged into an entropy pool and in some implementations there is some bookkeeping about the number of random bits available.

19.1. When Random Number Generators Fail

Random number generators can fail – returning predictable non-random numbers – if not enough entropy is available when random numbers should be generated.

This typically occurs for embedded devices and virtual machines. Embedded devices lack some entropy sources other devices have, e.g.:

  • No persistent clock, so boot-time is not contributing to the initial RNG state.

  • No hard-disk: No entropy from hard-disk timing, no way to store entropy between reboots.

Virtual machines emulate some hardware components so that the generated entropy is over-estimated. The most critical component that has been shown to return wrong results is an emulated environment is the timing source (Engblom, 2011).

Typically the most vulnerable time where low-entropy situations occur is shortly after a reboot. Unfortunately many operating system installers create cryptographic keys shortly after a reboot (Heninger, Durumeric, Wustrow, & Halderman, 2012).

Another problem is that OpenSSL seeds its internal random generator only seldomly from the hardware random number generator of the operating system. This can lead to situations where a daemon that is started at a time when entropy is low keeps this low-entropy situation for hours leading to predictable session keys (Heninger, Durumeric, Wustrow, & Halderman, 2012).

For systems where – during the lifetime of the keys – it is expected that low-entropy situations occur, RSA keys should be preferred over DSA keys: For DSA, if there is ever insufficient entropy at the time keys are used for signing this may lead to repeated ephemeral keys. An attacker who can guess an ephemeral private key used in such a signature can compromise the DSA secret key. For RSA this can lead to discovery of encrypted plaintext or forged signatures but not to the compromise of the secret key (Heninger, Durumeric, Wustrow, & Halderman, 2012).

20. Keylengths

On the choice between AES256 and AES128: I would never consider
using AES256, just like I don't wear a helmet when I sit inside my car. It's
too much bother for the epsilon improvement in security.

Recommendations on keylengths need to be adapted regularly. Since this document first of all is static and second of all, does not consider itself to be authoritative on keylengths, we would rather refer to existing publications and websites. Recommending a safe key length is a hit-and-miss issue.

Furthermore, when choosing an encryption algorithm and key length, the designer/sysadmin always needs to consider the value of the information and how long it must be protected. In other words: consider the number of years the data needs to stay confidential.

The ECRYPT II publication gives a fascinating overview of strengths of symmetric keys in chapter 5 and chapter 7. Summarizing ECRYPT II, we recommend 128 bit of key strength for symmetric keys. In ECRYPT II, this is considered safe for security level 7, long term protection.

In the same ECRYPT II publication you can find a practical comparison of key size equivalence between symmetric key sizes and RSA, discrete log (DLOG) and EC keylengths. ECRYPT II arrives at the interesting conclusion that for an equivalence of 128 bit symmetric size, you will need to use an 3248 bit RSA key (II & SYM, 2012).

There are a couple of other studies comparing keylengths and their respective strengths. The website https://www.keylength.com/ compares these papers and offers a good overview of approximations for key lengths based on recommendations by different standardization bodies and academic publications. Figure #fig:keylengths.com[1] shows a typical comparison of keylengths on this web site.

Screenshot for 128 bit symmetric key size equivalents

20.1. Summary

For asymmetric public-key cryptography we consider any key length below 3248 bits to be deprecated at the time of this writing (for long term protection).

For elliptic curve cryptography we consider key lengths below 256 bits to be inadequate for long term protection.

For symmetric algorithms we consider anything below 128 bits to be inadequate for long term protection.

20.2. Special remark on 3DES:

We want to note that 3DES theoretically has 168 bits of security, however based on the NIST Special Publication 800-57 [26].

Due to several security problems the effective key length should be considered 80 bits. The NIST recommends not to use 3DES any more and to migrate to AES as soon as possible.

21. A note on Elliptic Curve Cryptography

Everyone knows what a curve is, until he has studied enough
mathematics to become confused through the countless number
of possible exceptions.

Elliptic Curve Cryptography (simply called ECC from now on) is a branch of cryptography that emerged in the mid-1980s. The security of the RSA algorithm is based on the assumption that factoring large numbers is infeasible. Likewise, the security of ECC, DH and DSA is based on the discrete logarithm problem (i_wikipedia_Discrete logarithm_, 2013). Finding the discrete logarithm of an elliptic curve from its public base point is thought to be infeasible. This is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECC and the underlying mathematical foundation are not easy to understand - luckily, there have been some great introductions on the topic. [27] [28] [29].

ECC provides for much stronger security with less computationally expensive operations in comparison to traditional asymmetric algorithms (See the Section Keylengths). The security of ECC relies on the elliptic curves and curve points chosen as parameters for the algorithm in question. Well before the NSA-leak scandal, there has been a lot of discussion regarding these parameters and their potential subversion. A part of the discussion involved recommended sets of curves and curve points chosen by different standardization bodies such as the National Institute of Standards and Technology (NIST) [30] which were later widely implemented in most common crypto libraries. Those parameters came under question repeatedly from cryptographers (Bernstein & Lange, 2013).

At the time of writing, there is ongoing research as to the security of various ECC parameters (SafeCurves: choosing safe curves for elliptic-curve cryptography, 2013). Most software configured to rely on ECC (be it client or server) is not able to promote or black-list certain curves. It is the hope of the authors that such functionality will be deployed widely soon. The authors of this paper include configurations and recommendations with and without ECC - the reader may choose to adopt those settings as he finds best suited to his environment. The authors will not make this decision for the reader.

Warning

One should get familiar with ECC, different curves and parameters if one chooses to adopt ECC configurations. Since there is much discussion on the security of ECC, flawed settings might very well compromise the security of the entire system!

22. A note on SHA-1

In the last years several weaknesses have been shown for SHA-1. In particular, collisions on SHA-1 can be found using 263 operations, and recent results even indicate a lower complexity. Therefore, ECRYPT II and NIST recommend against using SHA-1 for generating digital signatures and for other applications that require collision resistance. The use of SHA-1 in message authentication, e.g. HMAC, is not immediately threatened.

We recommend using SHA-2 whenever available. Since SHA-2 is not supported by older versions of TLS, SHA-1 can be used for message authentication if a higher compatibility with a more diverse set of clients is needed.

Our configurations A and B reflect this. While configuration A does not include SHA-1, configuration B does and thus is more compatible with a wider range of clients.

23. A note on Diffie Hellman Key Exchanges

A common question is which Diffie-Hellman (DH) parameters should be used for Diffie Hellman key-exchanges [31]. We follow the recommendations in ECRYPT II (II & SYM, 2012).

Where configurable, we recommend using the Diffie Hellman groups defined for IKE, specifically groups 14-18 (2048–8192 bit MODP) (Kivinen & Kojo, 2003). These groups have been checked by many eyes and can be assumed to be secure.

For convenience, we provide these parameters as PEM files on our webserver [32].

24. Public Key Infrastructures

Public-Key Infrastructures try to solve the problem of verifying whether a public key belongs to a given entity, so as to prevent Man In The Middle attacks.

There are two approaches to achieve that: Certificate Authorities and the Web of Trust.

Certificate Authorities (CAs) sign end-entities’ certificates, thereby associating some kind of identity (e.g. a domain name or an email address) with a public key. CAs are used with TLS and S/MIME certificates, and the CA system has a big list of possible and real problems which are summarized in section Hardening PKI and (Durumeric, Kasten, Bailey, & Halderman, 2013).

The Web of Trust is a decentralized system where people sign each other’s keys, so that there is a high chance that there is a "trust path" from one key to another. This is used with PGP keys, and while it avoids most of the problems of the CA system, it is more cumbersome.

As alternatives to these public systems, there are two more choices: running a private CA, and manually trusting keys (as it is used with SSH keys or manually trusted keys in web browsers).

The first part of this section addresses how to obtain a certificate in the CA system. The second part offers recommendations on how to improve the security of your PKI.

24.1. Certificate Authorities

In order to get a certificate, you can find an external CA willing to issue a certificate for you, run your own CA, or use self-signed certificates. As always, there are advantages and disadvantages for every one of these options; a balance of security versus usability needs to be found.

24.1.1. Certificates From an External Certificate Authority

There is a fairly large number of commercial CAs that will issue certificates for money. Some of the most ubiquitous commercial CAs are Verisign, GoDaddy, and Teletrust. However, there are also CAs that offer certificates for free. The most notable examples are StartSSL, which is a company that offers some types of certificates for free, and CAcert, which is a non-profit volunteer-based organization that does not charge at all for issuing certificates. Finally, in the research and education field, a number of CAs exist that are generally well-known and well-accepted within the higher-education community.

A large number of CAs is pre-installed in client software’s or operating system’s`‘trust stores’'; depending on your application, you have to select your CA according to this, or have a mechanism to distribute the chosen CA’s root certificate to the clients.

When requesting a certificate from a CA, it is vital that you generate the key pair yourself. In particular, the private key should never be known to the CA. If a CA offers to generate the key pair for you, you should not trust that CA.

Generating a key pair and a certificate request can be done with a number of tools. On Unix-like systems, it is likely that the OpenSSL suite is available to you. In this case, you can generate a private key and a corresponding certificate request as follows:

$ openssl req -new -nodes -keyout <servername>.key -out <servername>.csr -newkey rsa:<keysize> -sha256
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:Example Section
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

24.1.2. Setting Up Your Own Certificate Authority

In some situations it is advisable to run your own certificate authority. Whether this is a good idea depends on the exact circumstances. Generally speaking, the more centralized the control of the systems in your environment, the fewer pains you will have to go through to deploy your own CA. On the other hand, running your own CA maximizes the trust level that you can achieve because it minimizes external trust dependencies.

Again using OpenSSL as an example, you can set up your own CA with the following commands on a Debian system:

$ cd /usr/lib/ssl/misc
$ sudo ./CA.pl -newca

Answer the questions according to your setup. Now that you have configured your basic settings and issued a new root certificate, you can issue new certificates as follows:

$ cd /usr/lib/ssl/misc
$ sudo ./CA.pl -newreq

Alternatively, software such as TinyCA that acts as a "wrapper" around OpenSSL and tries to make life easier is available.

24.1.3. Creating a Self-Signed Certificate

If the desired trust level is very high and the number of systems involved is limited, the easiest way to set up a secure environment may be to use self-signed certificates. A self-signed certificate is not issued by any CA at all, but is signed by the entity that it is issued to. Thus, the organizational overhead of running a CA is eliminated at the expense of having to establish all trust relationships between entities manually.

With OpenSSL, you can self-sign a previously created certificate with this command:

$ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

You can also create a self-signed certificate in just one command:

$ openssl req -new -x509 -keyout privkey.pem -out cacert.pem -days 1095 -nodes -newkey rsa:<keysize> -sha256

The resulting certificate will by default not be trusted by anyone at all, so in order to be useful, the certificate will have to be made known a priori to all parties that may encounter it.

24.2. Hardening PKI

In recent years several CAs were compromised by attackers in order to get a hold of trusted certificates for malicious activities. In 2011 the Dutch CA Diginotar was hacked and all certificates were revoked (Elinor Mills, 2011). Recently Google found certificates issued to them, which were not used by the company (Damon Poeter, 2011). The concept of PKIs heavily depends on the security of CAs. If they get compromised the whole PKI system will fail. Some CAs tend to incorrectly issue certificates that were designated to do a different job than what they were intended to by the CA (Adam Langley, et. al., 2013).

Therefore several security enhancements were introduced by different organizations and vendors (H. Tschofenig and E. Lear, 2013). Currently two methods are used, DANE (Hoffman & Schlyter, 2012) and Certificate Pinning (C. Evans and C. Palmer, 2013). Google recently proposed a new system to detect malicious CAs and certificates called Certificate Transparency (Adam Langley, Ben Laurie, Emilia Kasper, 2013). In addition, RFC 6844 describes Certification Authorization Records, a mechanism for domain name owners to signal which Certificate Authorities are authorized to issue certificates for their domain.

24.3. Certification Authorization Records

RFC 6844 describes Certification Authorization Records, a mechanism for domain name owners to signal which Certificate Authorities are authorized to issue certificates for their domain.

When a CAA record is defined for a particular domain, it specifies that the domain owner requests Certificate Authorities to validate any request against the CAA record. If the certificate issuer is not listed in the CAA record, it should not issue the certificate.

The RFC also permits Certificate Evaluators to test an issued certificate against the CAA record, but should exercise caution, as the CAA record may change during the lifetime of a certificate, without affecting its validity.

CAA also supports an iodef property type which can be requested by a Certificate Authority to report certificate issue requests which are inconsistent with the issuer’s Certificate Policy.

24.3.1. Configuration of CAA records

BIND supports CAA records as of version 9.9.6.

A CAA record can be configured by adding it to the zone file:

$ORIGIN example.com
       CAA 0 issue "ca1.example"
       CAA 0 iodef "mailto:security@example.com"

If your organization uses multiple CA’s, you can configure multiple records:

      CAA 0 issue "ca1.example"
      CAA 0 issue "ca2.example"

"ca1.example" and "ca2.example" are unique identifiers for the CA you plan on using. These strings can be obtained from your Certificate Authority, and typically are its top level domain. An example is "letsencrypt.org" for the Let’s Encrypt CA operated by the Internet Security Research Group.

Knot-DNS supports CAA records as of version 2.2.0.

24.3.2. Validation of CAA records

Once a CAA record is deployed, it can be validated using the following dig query:

$ dig CAA google.com

; <<>> DiG 9.10.3-P4-Debian <<>> CAA google.com

;; ANSWER SECTION:
google.com.          3600 IN   CAA  0 issue "symantec.com"

On older versions of Dig, which do not support CAA records, you can query the record type manually:

$ dig +short -t TYPE257 google.com
\# 19 0005697373756573796D616E7465632E636F6D

25. TLS and its support mechanisms

25.1. HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism. HSTS is realized through HTTP header by which a web server declares that complying user agents (web browsers) should interact with it by using only secure HTTPS connections. [33]

HSTS header is bound to a DNS name or domain by which the server was accessed. For example if server serves content for two domains and it is HTTPS enabled only for one domain, the browser won’t enforce HSTS for the latter.

HSTS reduces the risk of active man-in-the-middle attacks such as SSL stripping, and impersonation attacks with untrusted certificate. HSTS also helps to avoid unintentional mistakes such as insecure links to a secure web site (missing HTTPS links [34]), and mistyped HTTPS URLs.

After the web browser receives a HSTS header in a correctly [35] prepared SSL session it will automatically use secure HTTPS links for accessing the server.

This prevents unencrypted HTTP access (SSL striping, mistyped HTTPS URLs, etc.) when the server is accessed later by the client.

When a server (that previously emitted a HSTS header) starts using an untrusted certificate, complying user agents must show an error message and block the server connection. Thus impersonation MITM attack with untrusted certificates cannot occur.

For the initial setup HSTS header needs a trusted secure connection over HTTPS. This limitation can be addressed by compiling a list of STS enabled sites directly into a browser. [36]

25.1.1. HSTS Header Directives

HSTS header can be parametrized by two directives:

  • max-age=<number-of-seconds>

  • includeSubdomains

max-age is a required directive. This directive indicates the number of seconds during which the user agent should enforce the HSTS policy (after the reception of the STS header field from a server).

includeSubdomains is an optional directive. This directive indicates that the HSTS policy applies to this HSTS host as well as any subdomains of the host’s domain name.

25.1.2. HSTS Client Support

HSTS is supported [37] by these web browsers:

  • Firefox version >= v4.0

  • Chrome version >= 4.0

  • Android Browser >=4.4

  • Opera version >= 12.0

  • Opera mobile >= 16.0

  • Safari >= 7.0

  • Microsoft Internet Explorer >= 11 (with update provided 09. June 2015)

  • Microsoft Edge >= 12

25.1.3. HSTS Considerations

Before enabling HSTS it is recommended to consider following:

  • Is it required to serve content or services over HTTP?

  • Enabling includeSubdomains and SSL certificate management.

  • Proper value of max-age.

It is recommended to serve all content using HTTPS, but there are exceptions to this rule as well. Consider running a private PKI [38]. CRLs and OCSP responses are published typically by HTTP protocol. If HSTS is enabled on the site where OCSP and CRLs are published the browser might fail fetching CRL or validating OCSP response.

Similar reasoning goes for includeSubdomains. One needs to be sure that HTTPS can be enforced for all subdomains. Moreover the administrators are advised to watch for expiration of the SSL certificate and handle the renewal process with caution. If a SSL certificate is renewed after expiration or misses a (HSTS enabled) domain name, the connection to site will break (without providing override mechanism to the end user).

Finally HSTS should be tested with lower max-age values and deployed with higher max-age values.

25.1.4. Testing HSTS

HSTS can be tested either using locally or through the Internet.

For local testing it is possible to utilize Chrome Web browser UI by typing chrome://net-internals/#hsts [39] in the address bar.

Testing over the Internet can be conducted by Qualys SSL Labs test https://www.ssllabs.com/ssltest/. Strict Transport Security (HSTS) information is located in the Protocol Details section.

25.1.5. References

25.2. HTTP Public Key Pinning (HPKP)

Much like HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) is a Trust-On-First-Use (TOFU) mechanism. It protects HTTPS websites from impersonation using certificates issued by compromised certificate authorities. The data for Pinning is supplied by an HTTP-Header sent by the WebServer.

25.2.1. HPKP Header Directives

HPKP provides two different types of headers:

  • Public-Key-Pins

  • Public-Key-Pins-Report-Only

HPKP header can be parametrized by following directives:

pin-sha256 is a required directive. It can and should be used several (at least two) times for specifying the public keys of your domain-certificates or CA-certificates. Operators can pin any one or more of the public keys in the certificate-chain, and indeed must pin to issuers not in the chain (as, for example, a backup-pin). Pinning to an intermediate issuer, or even to a trust anchor or root, still significantly reduces the number of issuers who can issue end-entity certificates for the Known Pinned Host, while still giving that host flexibility to change keys without a disruption of service. OpenSSL can be used to convert the public-key of an X509-certificate as follows:

$ openssl x509 -in <certificate.cer> -pubkey -noout |
 openssl rsa -pubin -outform der |
 openssl dgst -sha256 -binary |
 openssl enc -base64
writing RSA key
pG3WsstDsfMkRdF3hBClXRKYxxKUJIOu8DwabG8MFrU=

This piped usage of OpenSSL first gets the Public-Key of <certificate.cer>, converts it do DER (binary) format, calculates an SHA256 Hash and finally encodes it Base64. The output (including the ending Equal-Sign) is exactly whats needed for the pin-sha256="<YOUR_PUBLICKEY_HASH⇒" parameter.

To generate the hash for a prepared backup-key just create a certificate-signing-request and replace openssl x509 by openssl req -in <backup-cert.csr> -pubkey -noout as first OpenSSL command.

Instead of using OpenSSL even web-services like https://report-uri.io/home/pkp_hash/ can be used to get a suggestion for the possible Public-Key-Hashes for a given website.

max-age is a required directive (when using the Public-Key-Pins header). This directive specifies the number of seconds during which the user agent should regard the host (from whom the message was received) as a "Known Pinned Host".

includeSubdomains is an optional directive. This directive indicates that the same pinning applies to this host as well as any subdomains of the host’s domain name. Be careful - you need to use a multi-domain/wildcard-certificate or use the same pub/private-keypair in all subdomain-certificates or need to pin to CA-certificates signing all your subdomain-certificates.

report-uri is an optional directive. The presence of a report-uri directive indicates to the web-browser that in the event of pin-validation failure, it should post a report to the report-uri (HTTP-Post is done using JSON, Syntax see {RFC-7469 Section 3} [40]). There are WebServices like https://report-uri.io/ out there which can be used to easily collect and visualize these reports.

25.2.2. HPKP Client Support

HPKP is supported [41] by these web browsers:

  • Firefox version >= 35

  • Chrome version between version 38 and 72

  • Android Browser >= 44

  • Opera version >= 25

Currently (20. Dec 2018) there is no HPKP support in: Apple Safari, Microsoft Internet Explorer and Edge. HPKP Support has been removed from Google Chrome and Chromium from version 72 onwards.

25.2.3. HPKP Considerations

Before enabling HPKP it is recommended to consider following:

  • Which Public-Keys to use for Pinning (Certificate + Backup-Certificate, CAs, Intermediate-CAs)

  • Proper value of max-age. Start testing with a short Period, increase Period after deployment.

  • Be careful when using includeSubdomains, are all your subdomains covered by the defined Public-Key-Hashes?

The administrators are advised to watch for expiration of the SSL certificate and handle the renewal process with caution.

If a SSL certificate is renewed without keeping the public-key (reusing the CSR) for an HPKP enabled domain name, the connection to site will break (without providing override mechanism to the end user).

25.2.4. Testing HPKP

HPKP can be tested either using locally or through the Internet.

There is a handy bash-script which uses OpenSSL for doing several SSL/TLS-Tests available at https://testssl.sh/

$ wget -q https://testssl.sh/testssl.sh
$ wget -q https://testssl.sh/mapping-rfc.txt
$ chmod 755 ./testssl.sh
$ ./testssl.sh https://example.com

# Sample Output, just HSTS and HPKP Section (Full report is quite long!):
Strict Transport Security    182 days=15724800 s, includeSubDomains
Public Key Pinning # of keys: 2, 90 days=7776000 s, just this domain
           matching host key: pG3WsstDsfMkRdF3hBClXRKYxxKUJIOu8DwabG8MFrU

For local testing it is possible to utilize Google Chrome web-browser, just open the Chrome net-internals-URL: chrome://net-internals/#hsts.

For Mozilla Firefox there is an plug-in provided by the "Secure Information Technology Center Austria" available: https://demo.a-sit.at/firefox-plugin-highlighting-safety-information/

Testing over the Internet can be conducted by Qualys SSL Labs test https://www.ssllabs.com/ssltest/. Public Key Pinning (HPKP) information is located in the Protocol Details section.

There is also a fast online HPKP-only check at https://report-uri.io/home/pkp_analyse.

25.2.5. References

IV: Appendix

26. Tools

This section lists tools for checking the security settings.

26.1. SSL & TLS

Server checks via the web

ssllabs.com offers a great way to check your webserver for misconfigurations. See https://www.ssllabs.com/ssltest/. Furthermore, ssllabs.com has a good best practices tutorial, which focuses on avoiding the most common mistakes in SSL.

SSL Server certificate installation issues https://www.sslshopper.com/ssl-checker.html

Check SPDY protocol support and basic TLS setup http://spdycheck.org/

XMPP/Jabber Server check (Client-to-Server and Server-to-Server) https://xmpp.net/

TODO: starttls site not available any more.

Does your mail server support StartTLS? https://starttls.info/

DNSsec and DANE support of your domain and e-mail server? https://dane.sys4.de

http://checktls.com is a tool for testing arbitrary TLS services.

http://tls.secg.org is a tool for testing interoperability of HTTPS implementations for ECC cipher suites.

http://www.whynopadlock.com/ Testing for mixed SSL parts loaded via http that can totally lever your HTTPS.

26.2. Browser Checks

Check Browsers SSL/TLS support and vulnerability to attacks: https://www.howsmyssl.com

26.3. Command Line Tools

https://sourceforge.net/projects/sslscan connects to a given SSL service and shows the cipher suites that are offered.

http://www.bolet.org/TestSSLServer/ tests for BEAST and CRIME vulnerabilities.

https://github.com/drwetter/testssl.sh checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws (CRIME, BREACH, CCS, Heartbleed).

https://github.com/iSECPartners/sslyze Fast and full-featured SSL scanner.

https://github.com/jvehent/cipherscan Fast TLS scanner (ciphers, order, protocols, key size and more)

http://nmap.org/ nmap security scanner

http://www.openssl.net OpenSSL s_client

Monitoring TLS services with Zabbix (sorry, German) https://blog.sys4.de/zertifikate-uberwachen-mit-zabbix-de.html

26.4. Key length

http://www.keylength.com comprehensive online resource for comparison of key lengths according to common recommendations and standards in cryptography.

26.5. Random Number Generators

ENT is a pseudo random number generator sequence tester.

Dieharder a random number generator testing tool.

CAcert Random another random number generator testing service.

28. Suggested Reading

This section contains suggested reading material.

Cryptography Engineering: Design Principles and Practical Applications, Ferguson, N. and Schneier, B. and Kohno, T. (ISBN-13: 978-0470474242)

Security Engineering: A Guide to Building Dependable Distributed Systems, Anderson, R.J. (ISBN-13: 978-0470068526)

Applied cryptography: protocols, algorithms, and source code in C, Schneier, B. (ISBN-13: 978-0471117094)

Guide to Elliptic Curve Cryptography, Hankerson, D. and Vanstone, S. and Menezes, A.J. (ISBN-13: 978-0387952734)

A Introduction To The Theory of Numbers, Godfrey Harold Hardy, E. M. Wrigh (ISBN-13: 978-0199219865)

Malicious Cryptography: Exposing Cryptovirology, Young A., Yung, M. (ISBN-13: 978-0764549755)

29. Cipher Suite Name Cross-Reference

This table shows the cipher suite names as IANA defined them, the names OpenSSL uses, and the respective codes.

Code IANA Name OpenSSL Name

0x00,0x00

TLS_NULL_WITH_NULL_NULL

0x00,0x01

TLS_RSA_WITH_NULL_MD5

NULL-MD5

0x00,0x02

TLS_RSA_WITH_NULL_SHA

NULL-SHA

0x00,0x03

TLS_RSA_EXPORT_WITH_RC4_40_MD5

EXP-RC4-MD5

0x00,0x04

TLS_RSA_WITH_RC4_128_MD5

RC4-MD5

0x00,0x05

TLS_RSA_WITH_RC4_128_SHA

RC4-SHA

0x00,0x06

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

EXP-RC2-CBC-MD5

0x00,0x07

TLS_RSA_WITH_IDEA_CBC_SHA

0x00,0x08

TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

EXP-DES-CBC-SHA

0x00,0x09

TLS_RSA_WITH_DES_CBC_SHA

DES-CBC-SHA

0x00,0x0A

TLS_RSA_WITH_3DES_EDE_CBC_SHA

DES-CBC3-SHA

0x00,0x0B

TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA

0x00,0x0C

TLS_DH_DSS_WITH_DES_CBC_SHA

0x00,0x0D

TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA

0x00,0x0E

TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA

0x00,0x0F

TLS_DH_RSA_WITH_DES_CBC_SHA

0x00,0x10

TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA

0x00,0x11

TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

EXP-EDH-DSS-DES-CBC-SHA

0x00,0x12

TLS_DHE_DSS_WITH_DES_CBC_SHA

EDH-DSS-DES-CBC-SHA

0x00,0x13

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

EDH-DSS-DES-CBC3-SHA

0x00,0x14

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

EXP-EDH-RSA-DES-CBC-SHA

0x00,0x15

TLS_DHE_RSA_WITH_DES_CBC_SHA

EDH-RSA-DES-CBC-SHA

0x00,0x16

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

EDH-RSA-DES-CBC3-SHA

0x00,0x17

TLS_DH_anon_EXPORT_WITH_RC4_40_MD5

EXP-ADH-RC4-MD5

0x00,0x18

TLS_DH_anon_WITH_RC4_128_MD5

ADH-RC4-MD5

0x00,0x19

TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA

EXP-ADH-DES-CBC-SHA

0x00,0x1A

TLS_DH_anon_WITH_DES_CBC_SHA

ADH-DES-CBC-SHA

0x00,0x1B

TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

ADH-DES-CBC3-SHA

0x00,0x1E

TLS_KRB5_WITH_DES_CBC_SHA

0x00,0x1F

TLS_KRB5_WITH_3DES_EDE_CBC_SHA

0x00,0x20

TLS_KRB5_WITH_RC4_128_SHA

0x00,0x21

TLS_KRB5_WITH_IDEA_CBC_SHA

0x00,0x22

TLS_KRB5_WITH_DES_CBC_MD5

0x00,0x23

TLS_KRB5_WITH_3DES_EDE_CBC_MD5

0x00,0x24

TLS_KRB5_WITH_RC4_128_MD5

0x00,0x25

TLS_KRB5_WITH_IDEA_CBC_MD5

0x00,0x26

TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA

0x00,0x27

TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA

0x00,0x28

TLS_KRB5_EXPORT_WITH_RC4_40_SHA

0x00,0x29

TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5

0x00,0x2A

TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5

0x00,0x2B

TLS_KRB5_EXPORT_WITH_RC4_40_MD5

0x00,0x2C

TLS_PSK_WITH_NULL_SHA

0x00,0x2D

TLS_DHE_PSK_WITH_NULL_SHA

0x00,0x2E

TLS_RSA_PSK_WITH_NULL_SHA

0x00,0x2F

TLS_RSA_WITH_AES_128_CBC_SHA

AES128-SHA

0x00,0x30

TLS_DH_DSS_WITH_AES_128_CBC_SHA

0x00,0x31

TLS_DH_RSA_WITH_AES_128_CBC_SHA

0x00,0x32

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

DHE-DSS-AES128-SHA

0x00,0x33

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

DHE-RSA-AES128-SHA

0x00,0x34

TLS_DH_anon_WITH_AES_128_CBC_SHA

ADH-AES128-SHA

0x00,0x35

TLS_RSA_WITH_AES_256_CBC_SHA

AES256-SHA

0x00,0x36

TLS_DH_DSS_WITH_AES_256_CBC_SHA

0x00,0x37

TLS_DH_RSA_WITH_AES_256_CBC_SHA

0x00,0x38

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

DHE-DSS-AES256-SHA

0x00,0x39

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

DHE-RSA-AES256-SHA

0x00,0x3A

TLS_DH_anon_WITH_AES_256_CBC_SHA

ADH-AES256-SHA

0x00,0x3B

TLS_RSA_WITH_NULL_SHA256

NULL-SHA256

0x00,0x3C

TLS_RSA_WITH_AES_128_CBC_SHA256

AES128-SHA256

0x00,0x3D

TLS_RSA_WITH_AES_256_CBC_SHA256

AES256-SHA256

0x00,0x3E

TLS_DH_DSS_WITH_AES_128_CBC_SHA256

0x00,0x3F

TLS_DH_RSA_WITH_AES_128_CBC_SHA256

0x00,0x40

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

DHE-DSS-AES128-SHA256

0x00,0x41

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

CAMELLIA128-SHA

0x00,0x42

TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA

0x00,0x43

TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA

0x00,0x44

TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA

DHE-DSS-CAMELLIA128-SHA

0x00,0x45

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

DHE-RSA-CAMELLIA128-SHA

0x00,0x46

TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA

ADH-CAMELLIA128-SHA

0x00,0x67

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

DHE-RSA-AES128-SHA256

0x00,0x68

TLS_DH_DSS_WITH_AES_256_CBC_SHA256

0x00,0x69

TLS_DH_RSA_WITH_AES_256_CBC_SHA256

0x00,0x6A

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

DHE-DSS-AES256-SHA256

0x00,0x6B

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

DHE-RSA-AES256-SHA256

0x00,0x6C

TLS_DH_anon_WITH_AES_128_CBC_SHA256

ADH-AES128-SHA256

0x00,0x6D

TLS_DH_anon_WITH_AES_256_CBC_SHA256

ADH-AES256-SHA256

0x00,0x84

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

CAMELLIA256-SHA

0x00,0x85

TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA

0x00,0x86

TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA

0x00,0x87

TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA

DHE-DSS-CAMELLIA256-SHA

0x00,0x88

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

DHE-RSA-CAMELLIA256-SHA

0x00,0x89

TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA

ADH-CAMELLIA256-SHA

0x00,0x8A

TLS_PSK_WITH_RC4_128_SHA

PSK-RC4-SHA

0x00,0x8B

TLS_PSK_WITH_3DES_EDE_CBC_SHA

PSK-3DES-EDE-CBC-SHA

0x00,0x8C

TLS_PSK_WITH_AES_128_CBC_SHA

PSK-AES128-CBC-SHA

0x00,0x8D

TLS_PSK_WITH_AES_256_CBC_SHA

PSK-AES256-CBC-SHA

0x00,0x8E

TLS_DHE_PSK_WITH_RC4_128_SHA

0x00,0x8F

TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA

0x00,0x90

TLS_DHE_PSK_WITH_AES_128_CBC_SHA

0x00,0x91

TLS_DHE_PSK_WITH_AES_256_CBC_SHA

0x00,0x92

TLS_RSA_PSK_WITH_RC4_128_SHA

0x00,0x93

TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA

0x00,0x94

TLS_RSA_PSK_WITH_AES_128_CBC_SHA

0x00,0x95

TLS_RSA_PSK_WITH_AES_256_CBC_SHA

0x00,0x96

TLS_RSA_WITH_SEED_CBC_SHA

SEED-SHA

0x00,0x97

TLS_DH_DSS_WITH_SEED_CBC_SHA

0x00,0x98

TLS_DH_RSA_WITH_SEED_CBC_SHA

0x00,0x99

TLS_DHE_DSS_WITH_SEED_CBC_SHA

DHE-DSS-SEED-SHA

0x00,0x9A

TLS_DHE_RSA_WITH_SEED_CBC_SHA

DHE-RSA-SEED-SHA

0x00,0x9B

TLS_DH_anon_WITH_SEED_CBC_SHA

ADH-SEED-SHA

0x00,0x9C

TLS_RSA_WITH_AES_128_GCM_SHA256

AES128-GCM-SHA256

0x00,0x9D

TLS_RSA_WITH_AES_256_GCM_SHA384

AES256-GCM-SHA384

0x00,0x9E

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

DHE-RSA-AES128-GCM-SHA256

0x00,0x9F

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

DHE-RSA-AES256-GCM-SHA384

0x00,0xA0

TLS_DH_RSA_WITH_AES_128_GCM_SHA256

0x00,0xA1

TLS_DH_RSA_WITH_AES_256_GCM_SHA384

0x00,0xA2

TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

DHE-DSS-AES128-GCM-SHA256

0x00,0xA3

TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

DHE-DSS-AES256-GCM-SHA384

0x00,0xA4

TLS_DH_DSS_WITH_AES_128_GCM_SHA256

0x00,0xA5

TLS_DH_DSS_WITH_AES_256_GCM_SHA384

0x00,0xA6

TLS_DH_anon_WITH_AES_128_GCM_SHA256

ADH-AES128-GCM-SHA256

0x00,0xA7

TLS_DH_anon_WITH_AES_256_GCM_SHA384

ADH-AES256-GCM-SHA384

0x00,0xA8

TLS_PSK_WITH_AES_128_GCM_SHA256

0x00,0xA9

TLS_PSK_WITH_AES_256_GCM_SHA384

0x00,0xAA

TLS_DHE_PSK_WITH_AES_128_GCM_SHA256

0x00,0xAB

TLS_DHE_PSK_WITH_AES_256_GCM_SHA384

0x00,0xAC

TLS_RSA_PSK_WITH_AES_128_GCM_SHA256

0x00,0xAD

TLS_RSA_PSK_WITH_AES_256_GCM_SHA384

0x00,0xAE

TLS_PSK_WITH_AES_128_CBC_SHA256

0x00,0xAF

TLS_PSK_WITH_AES_256_CBC_SHA384

0x00,0xB0

TLS_PSK_WITH_NULL_SHA256

0x00,0xB1

TLS_PSK_WITH_NULL_SHA384

0x00,0xB2

TLS_DHE_PSK_WITH_AES_128_CBC_SHA256

0x00,0xB3

TLS_DHE_PSK_WITH_AES_256_CBC_SHA384

0x00,0xB4

TLS_DHE_PSK_WITH_NULL_SHA256

0x00,0xB5

TLS_DHE_PSK_WITH_NULL_SHA384

0x00,0xB6

TLS_RSA_PSK_WITH_AES_128_CBC_SHA256

0x00,0xB7

TLS_RSA_PSK_WITH_AES_256_CBC_SHA384

0x00,0xB8

TLS_RSA_PSK_WITH_NULL_SHA256

0x00,0xB9

TLS_RSA_PSK_WITH_NULL_SHA384

0x00,0xBA

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

0x00,0xBB

TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256

0x00,0xBC

TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256

0x00,0xBD

TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256

0x00,0xBE

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

0x00,0xBF

TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256

0x00,0xC0

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256

0x00,0xC1

TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256

0x00,0xC2

TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256

0x00,0xC3

TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256

0x00,0xC4

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256

0x00,0xC5

TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256

0x00,0xFF

TLS_EMPTY_RENEGOTIATION_INFO_SCSV

0xC0,0x01

TLS_ECDH_ECDSA_WITH_NULL_SHA

ECDH-ECDSA-NULL-SHA

0xC0,0x02

TLS_ECDH_ECDSA_WITH_RC4_128_SHA

ECDH-ECDSA-RC4-SHA

0xC0,0x03

TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

ECDH-ECDSA-DES-CBC3-SHA

0xC0,0x04

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

ECDH-ECDSA-AES128-SHA

0xC0,0x05

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

ECDH-ECDSA-AES256-SHA

0xC0,0x06

TLS_ECDHE_ECDSA_WITH_NULL_SHA

ECDHE-ECDSA-NULL-SHA

0xC0,0x07

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

ECDHE-ECDSA-RC4-SHA

0xC0,0x08

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

ECDHE-ECDSA-DES-CBC3-SHA

0xC0,0x09

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

ECDHE-ECDSA-AES128-SHA

0xC0,0x0A

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

ECDHE-ECDSA-AES256-SHA

0xC0,0x0B

TLS_ECDH_RSA_WITH_NULL_SHA

ECDH-RSA-NULL-SHA

0xC0,0x0C

TLS_ECDH_RSA_WITH_RC4_128_SHA

ECDH-RSA-RC4-SHA

0xC0,0x0D

TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

ECDH-RSA-DES-CBC3-SHA

0xC0,0x0E

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

ECDH-RSA-AES128-SHA

0xC0,0x0F

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

ECDH-RSA-AES256-SHA

0xC0,0x10

TLS_ECDHE_RSA_WITH_NULL_SHA

ECDHE-RSA-NULL-SHA

0xC0,0x11

TLS_ECDHE_RSA_WITH_RC4_128_SHA

ECDHE-RSA-RC4-SHA

0xC0,0x12

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

ECDHE-RSA-DES-CBC3-SHA

0xC0,0x13

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

ECDHE-RSA-AES128-SHA

0xC0,0x14

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

ECDHE-RSA-AES256-SHA

0xC0,0x15

TLS_ECDH_anon_WITH_NULL_SHA

AECDH-NULL-SHA

0xC0,0x16

TLS_ECDH_anon_WITH_RC4_128_SHA

AECDH-RC4-SHA

0xC0,0x17

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA

AECDH-DES-CBC3-SHA

0xC0,0x18

TLS_ECDH_anon_WITH_AES_128_CBC_SHA

AECDH-AES128-SHA

0xC0,0x19

TLS_ECDH_anon_WITH_AES_256_CBC_SHA

AECDH-AES256-SHA

0xC0,0x1A

TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA

SRP-3DES-EDE-CBC-SHA

0xC0,0x1B

TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA

SRP-RSA-3DES-EDE-CBC-SHA

0xC0,0x1C

TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA

SRP-DSS-3DES-EDE-CBC-SHA

0xC0,0x1D

TLS_SRP_SHA_WITH_AES_128_CBC_SHA

SRP-AES-128-CBC-SHA

0xC0,0x1E

TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA

SRP-RSA-AES-128-CBC-SHA

0xC0,0x1F

TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA

SRP-DSS-AES-128-CBC-SHA

0xC0,0x20

TLS_SRP_SHA_WITH_AES_256_CBC_SHA

SRP-AES-256-CBC-SHA

0xC0,0x21

TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA

SRP-RSA-AES-256-CBC-SHA

0xC0,0x22

TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA

SRP-DSS-AES-256-CBC-SHA

0xC0,0x23

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

ECDHE-ECDSA-AES128-SHA256

0xC0,0x24

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

ECDHE-ECDSA-AES256-SHA384

0xC0,0x25

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

ECDH-ECDSA-AES128-SHA256

0xC0,0x26

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

ECDH-ECDSA-AES256-SHA384

0xC0,0x27

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDHE-RSA-AES128-SHA256

0xC0,0x28

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

ECDHE-RSA-AES256-SHA384

0xC0,0x29

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

ECDH-RSA-AES128-SHA256

0xC0,0x2A

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

ECDH-RSA-AES256-SHA384

0xC0,0x2B

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

0xC0,0x2C

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

ECDHE-ECDSA-AES256-GCM-SHA384

0xC0,0x2D

TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

ECDH-ECDSA-AES128-GCM-SHA256

0xC0,0x2E

TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

ECDH-ECDSA-AES256-GCM-SHA384

0xC0,0x2F

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDHE-RSA-AES128-GCM-SHA256

0xC0,0x30

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE-RSA-AES256-GCM-SHA384

0xC0,0x31

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

ECDH-RSA-AES128-GCM-SHA256

0xC0,0x32

TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

ECDH-RSA-AES256-GCM-SHA384

0xC0,0x33

TLS_ECDHE_PSK_WITH_RC4_128_SHA

0xC0,0x34

TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA

0xC0,0x35

TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA

0xC0,0x36

TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA

0xC0,0x37

TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256

0xC0,0x38

TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384

0xC0,0x39

TLS_ECDHE_PSK_WITH_NULL_SHA

0xC0,0x3A

TLS_ECDHE_PSK_WITH_NULL_SHA256

0xC0,0x3B

TLS_ECDHE_PSK_WITH_NULL_SHA384

0xC0,0x3C

TLS_RSA_WITH_ARIA_128_CBC_SHA256

0xC0,0x3D

TLS_RSA_WITH_ARIA_256_CBC_SHA384

0xC0,0x3E

TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256

0xC0,0x3F

TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384

0xC0,0x40

TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256

0xC0,0x41

TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384

0xC0,0x42

TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256

0xC0,0x43

TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384

0xC0,0x44

TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256

0xC0,0x45

TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384

0xC0,0x46

TLS_DH_anon_WITH_ARIA_128_CBC_SHA256

0xC0,0x47

TLS_DH_anon_WITH_ARIA_256_CBC_SHA384

0xC0,0x48

TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256

0xC0,0x49

TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384

0xC0,0x4A

TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256

0xC0,0x4B

TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384

0xC0,0x4C

TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256

0xC0,0x4D

TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384

0xC0,0x4E

TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256

0xC0,0x4F

TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384

0xC0,0x50

TLS_RSA_WITH_ARIA_128_GCM_SHA256

0xC0,0x51

TLS_RSA_WITH_ARIA_256_GCM_SHA384

0xC0,0x52

TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256

0xC0,0x53

TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384

0xC0,0x54

TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256

0xC0,0x55

TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384

0xC0,0x56

TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256

0xC0,0x57

TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384

0xC0,0x58

TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256

0xC0,0x59

TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384

0xC0,0x5A

TLS_DH_anon_WITH_ARIA_128_GCM_SHA256

0xC0,0x5B

TLS_DH_anon_WITH_ARIA_256_GCM_SHA384

0xC0,0x5C

TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256

0xC0,0x5D

TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384

0xC0,0x5E

TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256

0xC0,0x5F

TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384

0xC0,0x60

TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256

0xC0,0x61

TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384

0xC0,0x62

TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256

0xC0,0x63

TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384

0xC0,0x64

TLS_PSK_WITH_ARIA_128_CBC_SHA256

0xC0,0x65

TLS_PSK_WITH_ARIA_256_CBC_SHA384

0xC0,0x66

TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256

0xC0,0x67

TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384

0xC0,0x68

TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256

0xC0,0x69

TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384

0xC0,0x6A

TLS_PSK_WITH_ARIA_128_GCM_SHA256

0xC0,0x6B

TLS_PSK_WITH_ARIA_256_GCM_SHA384

0xC0,0x6C

TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256

0xC0,0x6D

TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384

0xC0,0x6E

TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256

0xC0,0x6F

TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384

0xC0,0x70

TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256

0xC0,0x71

TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384

0xC0,0x72

TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x73

TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x74

TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x75

TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x76

TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x77

TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x78

TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x79

TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x7A

TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x7B

TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x7C

TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x7D

TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x7E

TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x7F

TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x80

TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x81

TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x82

TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x83

TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x84

TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x85

TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x86

TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x87

TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x88

TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x89

TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x8A

TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x8B

TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x8C

TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x8D

TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x8E

TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x8F

TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x90

TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x91

TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x92

TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256

0xC0,0x93

TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384

0xC0,0x94

TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x95

TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x96

TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x97

TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x98

TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x99

TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x9A

TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256

0xC0,0x9B

TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384

0xC0,0x9C

TLS_RSA_WITH_AES_128_CCM

0xC0,0x9D

TLS_RSA_WITH_AES_256_CCM

0xC0,0x9E

TLS_DHE_RSA_WITH_AES_128_CCM

0xC0,0x9F

TLS_DHE_RSA_WITH_AES_256_CCM

0xC0,0xA0

TLS_RSA_WITH_AES_128_CCM_8

0xC0,0xA1

TLS_RSA_WITH_AES_256_CCM_8

0xC0,0xA2

TLS_DHE_RSA_WITH_AES_128_CCM_8

0xC0,0xA3

TLS_DHE_RSA_WITH_AES_256_CCM_8

0xC0,0xA4

TLS_PSK_WITH_AES_128_CCM

0xC0,0xA5

TLS_PSK_WITH_AES_256_CCM

0xC0,0xA6

TLS_DHE_PSK_WITH_AES_128_CCM

0xC0,0xA7

TLS_DHE_PSK_WITH_AES_256_CCM

0xC0,0xA8

TLS_PSK_WITH_AES_128_CCM_8

0xC0,0xA9

TLS_PSK_WITH_AES_256_CCM_8

0xC0,0xAA

TLS_PSK_DHE_WITH_AES_128_CCM_8

0xC0,0xAB

TLS_PSK_DHE_WITH_AES_256_CCM_8

0xC0,0xAC

TLS_ECDHE_ECDSA_WITH_AES_128_CCM

0xC0,0xAD

TLS_ECDHE_ECDSA_WITH_AES_256_CCM

0xC0,0xAE

TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

0xC0,0xAF

TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8

The list of IANA cipher suite names was retrieved from https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv on Tue Jun 3 22:36:58 2014.

The list of OpenSSL Ciphers was generated with OpenSSL 1.0.1e 11 Feb 2013.

30. Further Research

The following is a list of services, software packages, hardware devices or protocols that we considered documenting but either did not manage to document yet or might be able to document later. We encourage input from the community.

Table 16. Further Protocols

DNSSec (mention BCPs)

DANE

Tor

S/Mime (check are there any BCPs? )

TrueCrypt, LUKS, FileVault

AFS

Kerberos

NNTP

NTPs tlsdate

Moxa , APC, und co…​ ICS

rsyslog

tftp

(s)ftp(s)

haproxy

Table 17. Further Protocols (Network centric)

IPv6 security

Wi-Fi, 802.1x

SIP

SRTP

Kerberos

NNTP

NTPs tlsdate

BGP / OSPF

LDAP

seclayer-tcp

RADIUS (RADSEC)

racoon

strongswan

l2tp

Ethernet to serial

DSL modems

UPnP, natPmp

HTTP Key Pinning (HTKP)

Monitoring: SNMPv3

Table 18. Further Applications

Lync

Tomcat

Microsoft SQL Server

Microsoft Exchange

IBM HTTP Server

Commerical Network Equipment Vendors

Other ideas:

SAML federated auth providers [42]

Elastic Load Balancing (ELB)[43]

30.1. Software not covered by this guide

telnet: Usage of telnet for anything other than fun projects is highly discouraged

Puppet DB: A Proxy or a tunnel is recommended if it needs to be facing public network interfaces.[44]

rsync: Best use it only via SSH for an optimum of security and easiest to maintain.

Bibliography

Adam Langley, Ben Laurie, Emilia Kasper. (2013). Certificate Transparency. http://www.certificate-transparency.org https://datatracker.ietf.org/doc/rfc6962/ .

Adam Langley, et. al. (2013). Go X.509 Verification Source Code. https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/verify.go#173 .

Anderson, R. (2008). Security engineering. Wiley.com. Retrieved from http://www.cl.cam.ac.uk/ rja14/book.html

Bernstein, D. J., & Lange, T. (2013). Security dangers of the NIST curves (Presentation slides). Retrieved from http://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf

C. Evans and C. Palmer. (2013). Public Key Pinning Extension for HTTP. https://tools.ietf.org/html/draft-ietf-websec-key-pinning-09 .

Damon Poeter. (2011). Fake Google Certificate Puts Gmail at Risk. http://www.pcmag.com/article2/0,2817,2392063,00.asp .

Durumeric, Z., Kasten, J., Bailey, M., & Halderman, J. A. (2013). Analysis of the HTTPS Certificate Ecosystem. In Proceedings of the 13th Internet Measurement Conference. Retrieved from https://jhalderm.com/pub/papers/https-imc13.pdf

Elinor Mills. (2011). Fraudulent Google certificate points to Internet attack. http://news.cnet.com/8301-27080_3-20098894-245/fraudulent-google-certificate-points-to-internet-attack/ .

Engblom, J. (2011). Evaluating HAVEGE Randomness (Blog: Observations from Uppsala). Retrieved from http://jakob.engbloms.se/archives/1374

ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson. (2013). ENISA - Algorithms, Key Sizes and Parameters Report. Retrieved from http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report

für Sicherheit in der Informationstechnik (BSI), B. (2018). BSI TR-02102 Kryptographische Verfahren. Retrieved from https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/tr02102/tr02102_node.html

H. Tschofenig and E. Lear. (2013). Evolving the Web Public Key Infrastructure. https://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution-01.txt .

Heninger, N., Durumeric, Z., Wustrow, E., & Halderman, J. A. (2012). Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In Proceedings of the 21st USENIX Security Symposium. Retrieved from https://factorable.net/weakkeys12.extended.pdf

Hoffman, P., & Schlyter, J. (2012). The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. IETF. Retrieved from https://www.ietf.org/rfc/rfc6698.txt

i_mit_Realm configuration decisions_. (2013). (Documentation). Retrieved from http://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html

i_wikipedia_Discrete logarithm_. (2013). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Discrete_logarithm

i_wikipedia_Tempest (codename). (2018). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Tempest(codename)

II, E. C. R. Y. P. T., & SYM, D. (2012). ECRYPT II, 79–86. Retrieved from http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf

Katz, J., & Lindell, Y. (2008). Introduction to modern cryptography. Chapman & Hall/CRC. Retrieved from http://books.google.at/books?id=WIc_AQAAIAAJ

Kivinen, T., & Kojo, M. (2003). More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE). IETF. Retrieved from https://www.ietf.org/rfc/rfc3526.txt

Postel, J. (1980). DoD standard Transmission Control Protocol. IETF. Retrieved from https://www.ietf.org/rfc/rfc761.txt

Raeburn, K. (2005). Advanced Encryption Standard (AES) Encryption for Kerberos 5. IETF. Retrieved from https://www.ietf.org/rfc/rfc3962.txt

SafeCurves: choosing safe curves for elliptic-curve cryptography. (2013). (Technical Background). Retrieved from http://safecurves.cr.yp.to/rigid.html

Schneier, B. (2013). The NSA Is Breaking Most Encryption on the Internet (Blog: Schneier on Security). Retrieved from https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

Yarom, Y., & Falkner, K. (2013). Flush+ Reload: a high resolution, low noise, L3 cache side-channel attack. Cryptology ePrint Archive, Report 2013/448, 2013. http://eprint. iacr. org/2013/448/. 3. Retrieved from http://eprint.iacr.org/2013/448.pdf

Index


1. An easy to read yet very insightful recent example is the "FLUSH+RELOAD" technique for leaking cryptographic keys from one virtual machine to another via L3 cache timing attacks. (xref:bibliography-default-yarom2013flush[Yarom & Falkner, 2013
2. Interested readers are referred to https://bugzilla.mozilla.org/show_bug.cgi?id=647959 or http://www.h-online.com/security/news/item/Honest-Achmed-asks-for-trust-1231314.html which brings the problem of trusting PKIs right to the point
3. http://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-the-perfect-backdoor/
4. https://www.mail-archive.com/openssl-dev@openssl.org/msg33405.html
5. https://bugzilla.mindrot.org/show_bug.cgi?id=1647
6. https://www.dovecot.org/doc/NEWS-2.2
7. https://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0
8. https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-5/ESA_9-5_Release_Notes.pdf, Changed Behaviour, page 4
9. 64 possible values = 6 bits
10. RFC6379 , RFC4308 
11. http://ikecrack.sourceforge.net/
12. https://sweet32.info/
13. https://sweet32.info/#impact
14. https://community.openvpn.net/openvpn/ticket/304
15. http://technet.microsoft.com/en-us/security/advisory/2743314
16. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
17. Early versions seem to have a few bugs - although officially supported, it did not work in tests with version 15.06. Version 16.01 is confirmed to work.
18. https://docs.ejabberd.im
19. IRC-Netze - Top 10 im Jahresvergleich
20. named old-des3-cbc-sha1
21. alias des3-cbc-sha1, des3-hmac-sha1
22. since 7, Server 2008R2
23. since 1.9
24. since 1.9
25. https://nikmav.blogspot.com/2011/12/price-to-pay-for-perfect-forward.html
26. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf, page 51
27. https://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography
28. https://www.imperialviolet.org/2010/12/04/ecc.html
29. http://www.isg.rhul.ac.uk/~sdg/ecc.html
30. https://www.nist.gov
31. http://crypto.stackexchange.com/questions/1963/how-large-should-a-diffie-hellman-p-be
32. https://www.bettercrypto.org/static/dhparams/
33. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
34. Thus, it might be useful for fixing HTTPS mixed-content related errors, see https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl.
35. Website must load without SSL/TLS browser warnings (certificate is issued by a trusted CA, contains correct DNS name, it is time valid, etc.).
36. List of the preloaded sites can be found at https://www.chromium.org/hsts. This list is managed by Google/Chrome, but it is also used by Firefox https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
37. https://caniuse.com/stricttransportsecurity
38. see Public Key Infrastructures
39. see https://blog.chromium.org/2011/06/new-chromium-security-features-june.html
40. https://tools.ietf.org/html/rfc7469\#section-3
41. https://caniuse.com/\#feat=publickeypinning
42. e.g., all the REFEDS folks (https://refeds.org/), including InCommon (http://www.incommon.org/federation/metadata.html https://wiki.shibboleth.net/confluence/display/SHIB2/TrustManagement)
43. https://lists.cert.at/pipermail/ach/2014-May/001422.html
44. https://lists.cert.at/pipermail/ach/2014-November/001626.html