freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#5589 Update the default mod_nss cipher suite

Created 2 years ago by mkosek
Modified 2 years ago

As [discussed on freeipa-devel], the default mod_nss cipher suite is getting obsolete and http://www.redhat.com/archives/freeipa-devel/2016-January/msg00095.html cause browser warnings or bad marks in SSL certificate quality test suites.

#4431 mentions updating the cipher suite, but that is a bigger task that may not be done in the next release. It would be better to simply update the cipher suite list (like we did with 389-ds-base in #4395) in nss.conf.

Alexander gets an A- from SSLLabs using this configuration:

NSSCipherSuite
-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Held back due to lack of PFS but adding some EC ciphers will address that.

I've written a small Python script that parses mod_nss' cipher definition and returns a NSSCipherSuite based on some rules. The script rules out weak cipher suites with e.g. MD5, RC4, export grade encryption and NULL encryption/authentication.

With the settings:

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,
+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdhe_ecdsa_3des_sha,
+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,
+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,
+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,
+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+fips_3des_sha,
+rsa_3des_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

sslscan shows these accepted cipher suites and protocols:

    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
    Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS11  256 bits  AES256-SHA
    Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS11  128 bits  AES128-SHA
    Accepted  TLS11  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLS11  112 bits  DES-CBC3-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA
    Accepted  TLS12  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLS12  112 bits  DES-CBC3-SHA

DES-CBC3 is 3DES in CBC mode.

All ciphers are disabled by default so you shouldn't need to mark any ciphers as removed (-) unless you just want to be clear.

Good to know, Rob! I've removed -ciphers from the list.

I've tested two cipher strings with SSLLabs.com. Both give an 'A' grade. The first one contains 3DES, the second one AES-only. Without 3DES, IE8 on XP is not supported. In both cases neither IE 6 / XP nor Safari 5.1.9 / OS X 10.6.8 are able to establish a connection.

NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+fips_3des_sha,+rsa_3des_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha



NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

The test also points to two minor issues:

  • Chain issues: Contains anchor
  • Session resumption (caching) No (IDs assigned but not accepted)

We send the trust anchor together with the intermediate and leave cert.

I got some feedback from Hubert Kario. He pointed out that my list contains a couple of unnecessary suites. DH key agreement with fixed parameters isn't used by browsers. AES-CBC with large hash functions are slow and don't have increased security, e.g. AES-256 in CBC mode with SHA-384 as PRF for HMAC.

I'm now down to 14 cipher suites with and without PFS, all combinations of RSA or ephemeral ECDH for key agreement, RSA or ECDSA for authentication, AES (128/256 in GCM or CBC mode) for encryption and SHA-1, SHA-256 or SHA-384 as PRF. Without 3DES there is no cipher suite compatible with IE8 on Windows XP.

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA

    NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

The new script contains more detailed comments on algorithm selection and eviction.

Be aware that the SHA384 ciphers are not available on all distros. An unknown cipher will not cause mod_nss to fail at server start but it will log the failure.

I have posted [PATCH 0030] Modernize mod_nss's cipher suites.

This change should be release noted in the next release notes, at minimum given we stopped supporting Internet Explorer 8.

Just for the record, on https://en.wikipedia.org/wiki/Internet_Explorer_8, I read:

On January 12, 2016, support for IE8 on all supported Windows operating systems ceased, due to new support policies dictating that only the newest version of IE available for a supported version of Windows is supported. Only Internet Explorer 11 is be supported, except for Windows Vista and Windows Server 2008, where only Internet Explorer 9 is supported, and Windows Server 2012, where only Internet Explorer 10 is supported.

More official information: https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/

master:

  • 5ac3a3c Modernize mod_nss's cipher suites

ipa-4-3:

  • c3496a4 Modernize mod_nss's cipher suites
2 years ago

Metadata Update from @mkosek:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.3.1

Login to comment on this ticket.

defect

IPA

1

todo

FreeIPA cipher suite for the Web user interface and API was updated to match modern requirements. RC4 and 3DES based cipher suites are no longer supported. Some of the obsolete browsers may no longer work with the FreeIPA Web UI.

cancel