disabling certain ciphers

Darren Pilgrim list_dovecot at bluerosetech.com
Tue Dec 2 17:36:05 UTC 2014


On 12/2/2014 8:38 AM, Reindl Harald wrote:
>
>
> On 02.12.2014 at 17:33, Darren Pilgrim wrote:
>> On 12/2/2014 1:32 AM, Reindl Harald wrote:
>>>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>>>>> ssl_dh_parameters_length = 2048
>>>>> ssl_parameters_regenerate = 0
>>>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>>>>
>>>> But why does ssl_protocols behave differently depending on if
>>>> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>>>>
>>>> It seems that if ssl_cipher_list is defined,
>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>
>>>> results in TLS1.2 being the only one active, but if it is defined, 1.0,
>>>> 1.1, and 1.2 are all active?
>>>
>>> ssl_protocols = !SSLv2 !SSLv3
>>>
>>> and you are fine, anything else is nonsense because when TLSv1.3 will be
>>> released you go to each and every server to add it to the config? likely
>>> not!
>>
>> Configuration management. :)
>
> mis-management is the right word for disable future protocols

It wouldn't.  As you've pointed out, you don't have to explicitly enable 
TLSv1.0+.  That's because they're (now) enabled by default.  There was a 
period of time when TLSv1.1 and TLSv1.2 weren't enabled by default. 
There is also some software that doesn't do the SSL setup correctly 
without explicit protocol lists.  It's easier to be uniformly explicit 
everywhere.  I'd rather be needlessly explicit than have a security 
failure due to incorrectly assuming an implicit behaviour.

>> Also, no, you need to do more than just disable SSLv3.  You need to
>> disable several cipher groups allowed in TLSv1.0 and TLSv1.1, bump up
>> the DH parameter size, and, if your client base allows it, only allow
>> ciphers with forward secrecy
>
> i *only* referred to "ssl_protocols" and not to ciphers

Sorry, that wasn't obvious to me.

> that below are sane settings supporting older Outlooks only talking
> RC4/DES but prefer a specific order for other clients
>
> ssl_protocols = !SSLv2 !SSLv3
> ssl_prefer_server_ciphers = yes
> ssl_options = no_compression
> ssl_cipher_list =
[really long cipherspec snipped]

A student of Mozilla's security policies, I see. ;)

You really only need TLSv1 3DES without PFS for Outlook on Windows 
XP/2003.  Outlook on later Windows will do TLSv1 DHE-AES.  Older Android 
devices will need TLSv1 AES128 without PFS.  The minimum would therefore be:

HIGH+kEECDH:HIGH+kEDH:-3DES:AES128-SHA:DES-CBC3-SHA:!aNULL:@STRENGTH

Supporting other older ciphers may support ancient Android, iOS, MacOS 
and Thunderbird clients, but IME AES128-SHA and DES-CBC3-SHA are all you 
need for a realistic userbase of old software.
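
The two ssl_protocols forms argued over in this thread, resolved side by side. This is an added example, not part of the original message and not Dovecot's own code. It assumes that any bare protocol name turns the value into an allow-list while "!name" always removes that protocol; the protocol lists, the TLSv1.3 upgrade and the function names are constructed for illustration.

```python
# Added example: model of how a Dovecot-style ssl_protocols value resolves.
# Assumption (not Dovecot source): any bare protocol name turns the value
# into an allow-list, and "!name" always removes that protocol.

# Constructed protocol sets: what the TLS library offers now, and after a
# hypothetical upgrade that adds TLSv1.3.
LIB_2014 = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
LIB_UPGRADED = LIB_2014 + ["TLSv1.3"]


def effective_protocols(value, offered):
    """Return the protocols from `offered` that `value` leaves enabled."""
    canon = {p.lower(): p for p in offered}
    include, exclude = set(), set()
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name.lower() not in canon:
            raise ValueError("unknown protocol in ssl_protocols: " + token)
        (exclude if negated else include).add(canon[name.lower()])
    if include:
        # Allow-list mode: everything that was not named is switched off.
        exclude |= set(offered) - include
    return [p for p in offered if p not in exclude]


def audit(value, offered, legacy=("SSLv2", "SSLv3")):
    """Report legacy protocols still on and non-legacy protocols left off."""
    enabled = effective_protocols(value, offered)
    return {
        "enabled": enabled,
        "legacy_on": [p for p in enabled if p in legacy],
        "offered_but_off": [p for p in offered
                            if p not in enabled and p not in legacy],
    }


if __name__ == "__main__":
    for value in ("!SSLv2 !SSLv3", "!SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2"):
        for label, offered in (("2014", LIB_2014), ("upgraded", LIB_UPGRADED)):
            print(f"{value!r:40} {label:9} {audit(value, offered)}")
```

Under these assumptions both forms give the same result against the 2014 protocol set; they diverge only once the library offers a protocol the explicit list does not name.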

