Oct 22, 2014

Poodle by Heather Hales

In my previous post, Forward Secrecy Encryption for Apache, I described an Apache SSLCipherSuite setup to support forward secrecy which allowed TLS 1.0 and up, avoided SSLv2 but included SSLv3.

With the new POODLE attack (Padding Oracle On Downgraded Legacy Encryption), SSLv3 (and earlier versions) should generally be avoided, which means the cipher configurations discussed previously need to be updated.

I’ll first recap the configuration requirements:

  • Use Perfect Forward Secrecy where possible.
  • Prefer known strong ciphers.
  • Avoid RC4 and the CRIME, BREACH and POODLE attacks.
  • Support browsing down to Windows XP.
  • Enable HSTS as a bonus.

The Windows XP point is a bit tricky, since IE6 as shipped with XP originally only supports SSLv3, but later service packs brought IE8 which at least supports TLS 1.0 with 3DES.

Here’s the updated configuration:

SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
# Prefer PFS, allow TLS, avoid SSL, for IE8 on XP still allow 3DES
# Prevent CRIME/BREACH compression attacks
SSLCompression Off
# Commit to HTTPS only traffic for at least 180 days
Header add Strict-Transport-Security "max-age=15552000"
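
An offline check of the directives above against the requirements recapped earlier, as an added example that is not code from the original post. The expansion of `All`, the additive handling of unprefixed protocol names, and treating a missing `SSLProtocol` line as `All` are assumptions of this example, not statements about mod_ssl.

```python
import re
# The configuration shown on this page, as sample input (comment lines omitted).
PAGE_CONFIG = """\
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression Off
Header add Strict-Transport-Security "max-age=15552000"
"""
# Assumption: "All" is modelled as every protocol name in this set.
ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
MIN_HSTS = 180 * 86400  # the 180 days this page commits to

def parse(text):
    """Map lower-cased directive name -> list of argument strings."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            conf.setdefault(name.lower(), []).append(args.strip())
    return conf

def protocols(args):
    """Simplified model: '-name' removes; '+name' or a bare 'name' adds."""
    enabled = set()
    for tok in args.lower().split():
        names = ALL if tok.lstrip("+-") == "all" else {tok.lstrip("+-")}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(text):
    """Return findings ([] = all checks pass); a missing SSLProtocol counts as All."""
    conf, findings = parse(text), []
    last = lambda key: conf.get(key, [""])[-1].lower()  # last directive wins
    for legacy in sorted(protocols(last("sslprotocol") or "all") & {"sslv2", "sslv3"}):
        findings.append(f"SSLProtocol leaves {legacy} enabled")
    if last("sslhonorcipherorder") != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if last("sslcompression") != "off":
        findings.append("SSLCompression is not explicitly off")
    ages = [int(m.group(1)) for h in conf.get("header", [])
            if (m := re.search(r"strict-transport-security.*max-age=(\d+)", h, re.I))]
    if not ages or max(ages) < MIN_HSTS:
        findings.append("HSTS header missing or max-age below 180 days")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_CONFIG) or "all checks passed")
```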

Last but not least, I have to recommend www.ssllabs.com again, which is a great resource for testing SSL/TLS setups. In the SSL Labs test, the above configuration yields an A rating for testbit.eu.

UPDATE: The above configuration also secures HTTPS connections against the FREAK (CVE-2015-0204) attack, as can be tested with the following snippet:

openssl s_client -connect testbit.eu:443 -cipher EXPORT

Connection attempts to secure sites should result in a handshake failure.

UPDATE: Meanwhile, the Mozilla Foundation provides a webserver configuration generator that almost guarantees an A+ rating on ssllabs: Generate Mozilla Security Recommended Web Server Configuration Files.

  12 Responses to “Apache SSLCipherSuite without POODLE”

  1. Very helpful! Can confirm this worked with the 64-bit version of OpenSSL with Apache 2.4 on Windows Server 2008 R2. Thank you!

  2. EXACTLY what I was looking for, thank you Sir!

  3. You would have got A+ if your certificate was sha256withrsa instead of sha1withrsa, anyway well done.

    • Yes indeed. In as little as 2 months, the startssl certificate for testbit.eu will need renewal and at that point we’ll also upgrade the hash.

      • Hi, you still have the sha1 Class 1 certificate. If you dig around on the startssl website (or forums), you can also find the sha256 version (the pem file they have is broken, you have to convert the dem version which is rather simple). No change to your certificate is needed, all you have to do is update the chain.

  4. Why so complicated? The following configuration also gives an A-Rating without naming every cipher explicitly:

    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on

    • HIGH doesn’t always give precedence to PFS (ephemeral session keys) and my configuration uses !MEDIUM to disable less secure ciphers. I.e. “+HIGH:+MEDIUM” unnecessarily enables insecure/broken sessions.

  5. Thanks! This article was very helpful and saved me many hours of digging and experimentation.

  6. If anyone gets into an error with adding headers you might need to run: “sudo a2enmod headers” to allow apache to add headers

  7. Thanks!!

  9. Well, nothing I can say but great! I hope you’ll make more useful articles in the upcoming days.
