The State of TLS in httpd 2.4. William A. Rowe Jr.

Transcription

1 The State of TLS in httpd 2.4 William A. Rowe Jr.

2 Getting Started Web references have grown stale Web references have grown stale Guidance is changing annually ml?d=svn.apache.org Guidance is changing annually Plain is nearing extinction Plain is nearing extinction

3 Follow Up-to-date Resources Several authors are doing a good job of explaining TLS issues in clear language. Several authors are doing a good job of Ivan Ristić's blog Ivan Ristić's blog Adam Langley's blog Adam Langley's blog

4 Update to Modern Tools OpenSSL provides the necessary TLSv1.2 facilities OpenSSL provides the necessary is now the recommended version is now the recommended version Apache HTTP Server 2.4 connects the dots for OpenSSL features Apache HTTP Server 2.4 connects the revised the suggested mod_ssl configuration files revised the suggested mod_ssl

5 More Reasons introduces ALPN support for http/ introduces ALPN support for http/2 Forward Secrecy, stronger hashes and ECC cryptography all require these updates ures_2_4.html#module Forward Secrecy, stronger hashes and

6 Choose 2? (Or only one?) Confidentiality, performance or compatibility? Confidentiality, performance or Evaluate the scope of confidentially: Evaluate the scope of confidentially: Value? RoI vs Bitcoin mining Trading off for performance Trading off for compatibility

7 Protocols SSLv2 is long dead, SSLv3, and TLSv1.0 are also nearing death, by late 2016 SSLv2 is long dead, SSLv3, and TLSv1.0 TLSv1.2 addresses a spectrum of weaknesses (OpenSSL 1.0.1p is needed to avoid new issues) TLSv1.2 addresses a spectrum of OpenSSL adds new API facilities, especially wildcard SNI handshakes OpenSSL adds new API facilities,

8 Ciphers The Big List (Poor choices are present) openssl ciphers -v The Big List (Poor choices are present) A simplified list (Efficient and Secure) openssl ciphers -v \ 'HIGH:MEDIUM:!aNULL:!MD5' A simplified list (Efficient and Secure)

9 Dictating Priority Teach your server to enforce -your- policy Teach your server to enforce -your- policy _ssl.html#sslhonorcipherorder

10 Disable SSLv3? The Protocol? The Cipher List? The Protocol? The Cipher List? TLSv1.0 -is- SSLv3 in nearly every respect TLSv1.0 -is- SSLv3 in nearly every TLS_FALLBACK_SCSV is the bandaid TLS_FALLBACK_SCSV is the bandaid TLSv1.2 -only- is coming soon TLSv1.2 -only- is coming soon

11 Certs and Keys Hashes in MD5 / SHA1? Hashes in MD5 / SHA1? A better RSA SHA256 hashes A better RSA SHA256 hashes ECDHE-RSA 'just works' with historical RSA certs ECDHE-RSA 'just works' with historical ECDSA certificates offer an more efficient alternative ECDSA certificates offer an more efficient

12 (Perfect?) Forward Secrecy The Goal discontinuity between sessions SSLSessionCacheTimeout [300] The Goal discontinuity between ECDSA keys offer efficiency ECDSA keys offer efficiency ECDH/RSA remains a compromise ECDH/RSA remains a compromise

13 OCSP (and Stapling) Confirming continued validity evolved from revocation lists Confirming continued validity evolved OCSP Failure cases overloaded providers and unroutable traffic OCSP Failure cases overloaded Stapling can improve these issues Stapling can improve these issues Server is subject to the same issues Server is subject to the same issues

14 Graceful Failure SSLStaplingCache shmcb:ocsp( ) SSLStaplingStandardCacheTimeout SSLStaplingErrorCacheTimeout 300 SSLStaplingReturnResponderErrors Off SSLStaplingFakeTryLater off

15 Sessions Cache and considerations Cache and considerations Tickets and considerations Tickets and considerations Spanning the load balancer Spanning the load balancer A common SSLSessionCache A common SSLSessionTicketKeyFile

16 Renegotiation Server initiated Server initiated Client initiated, pre-tlsv1.1 Client initiated, pre-tlsv1.1 Client initiated with TLSv1.1 Client initiated with TLSv1.1 Inherent conflict with multiple streams (HTTP/2) Inherent conflict with multiple streams

17 Under Control The enterprise case; known user agents The enterprise case; known user agents The operations case; peering application servers The operations case; peering application The forward proxy case; all bets are off? The forward proxy case; all bets are off?

18 The Design Conundrums TLS compression Do Not Use TLS compression Do Not Use Encoding: gzip deflate risks Encoding: gzip deflate risks Client-supplied Input Reflection Buried into Cookies, HTTP headers, or form contents Client-supplied Input Reflection

19 Broken Clients The perils of parallel consumers The perils of parallel consumers Sharing SSL Sessions between adversarial parties Sharing SSL Sessions between BREACH is a browser/application hosting defect BREACH is a browser/application hosting

20 Virtual Hosting SNI (Server Name Indication) in httpd 2.4 allows modern clients to share a single IP address for multiple certificates SNI (Server Name Indication) in httpd 2.4 Presented based on the TLS SNI hostname indicated by the client. Presented based on the TLS SNI Old clients still need a wildcard certificate, or a list of AltSubjectNames Old clients still need a wildcard certificate,

21 CA Management Some tools for maintaining CA lists can be found in the openssl tools/ source directory (these are generally not installed by-default in vendor distributions). Some tools for maintaining CA lists can be

22 External Efforts EFF-led HTTPS Everywhere campaign EFF-led HTTPS Everywhere campaign Qualys SSL Labs Test Qualys SSL Labs Test Let's Encrypt multiparty CA effort Let's Encrypt multiparty CA effort

23 Success stories forward-secrecy-and-authenticated- encryption-ciphers secrecy-at-twitter

24 A Never-ending Process (what is coming soon)

25 Questions?