Nginx Cipher Suites

Giles Orr

Toronto Public Library

S5 Slide Show

  • the print view will show you not only the contents of all slides, but also the speaker notes
  • some of the speaker notes are simply for me, speaking to the audience - but much of it is elaboration on points made in the slides

Securing Your Web Server

  • who here is directly or indirectly responsible for the running of a webserver?
  • Let's Encrypt being free means that there's no longer a financial reason not to encrypt your website ...
  • and when you add in Google's move to down-rank non-encrypted sites ... there are a lot of reasons to encrypt ASAP
  • whatever certificate authority you use, research them: make sure they're not deprecated or rejected by browsers

SSL and TLS

  • the POODLE attack invalidated SSL3 completely in 2014
  • you should support TLS 1.2, 1.1, and 1.0 in that order of preference
  • TLS 1.3 only became an official standard in April 2018, and isn't properly supported by OpenSSL on Linux yet, which means ... it's not supported in any practical way yet

Your Web Server Configuration

  • people are always trying to break cipher suites - both "white hats" (legitimate security researchers) and "black hats" (bad actors)
  • a good example is RC4: it was formative in cryptography and the web, but is now quite broken

The Line

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:!RC4:!3DES:!DES:!MD5:!PSK:!SRP:!DSS;

  • as you can see - it is not your friend, and trying to understand it is a rabbit hole full of pain
  • the structure is incredibly basic: a colon-separated list of cipher suites you want your server to use, terminated by a semicolon
  • every one of those acronyms should be researched

The Easy Way

  • I recommend doing your own cipher suite research, but using Mozilla's configuration generator is an option if you don't have the time right now
  • "Modern" supports only very recent browsers - it's definitely more secure, but could lock out some of your users
  • there are a number of sites to test your SSL/TLS configuration: I like Qualys best as it seems both most thorough and easiest to read of the ones I've seen
  • and keep in mind that a configuration that's up to date and drawing an "A" score should still be re-tested every couple of months: ciphers keep being broken, and a winning config now can be invalidated by a research paper next month
  • you MUST stay on top of it

Cipher Suite Breakdown

ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE - Elliptic-Curve Diffie-Hellman, Ephemeral keys
  • ECDSA - Elliptic Curve Digital Signature Algorithm
  • AES128 - Advanced Encryption Standard followed by a key size
  • GCM - Galois/Counter Mode
  • SHA256 - Secure Hash Algorithm, followed by a key size
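
The structure described under "The Line" and the name breakdown above, as an added Python example that is not part of the original slides: it splits a shortened copy of the ssl_ciphers line into suites and "!" exclusions, breaks each suite name into its parts, and lists points to research. The function names and the three review rules are this example's own assumptions, and it handles only the name shapes that appear in the slide's line.

```python
# Added example, not from the slides: split an nginx ssl_ciphers line and
# break each OpenSSL-style suite name into the parts the breakdown slide lists.
# LINE is shortened from the slide's line: same syntax, fewer entries.
LINE = ("ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
        "DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA:"
        "!RC4:!3DES:!MD5;")

def parse_directive(line):
    """Return (suites, exclusions) from an 'ssl_ciphers <list>;' line."""
    line = line.strip()
    if not (line.startswith("ssl_ciphers") and line.endswith(";")):
        raise ValueError("expected 'ssl_ciphers <list>;'")
    items = [i.strip() for i in line[len("ssl_ciphers"):-1].split(":") if i.strip()]
    suites = [i for i in items if not i.startswith("!")]
    exclusions = [i[1:] for i in items if i.startswith("!")]
    return suites, exclusions

def breakdown(suite):
    """Split one suite name into key exchange, auth, cipher, mode and hash."""
    parts = suite.split("-")
    info = {"name": suite, "kx": "RSA", "auth": "RSA"}  # no prefix means RSA/RSA
    if parts[0] in ("ECDHE", "DHE"):
        info["kx"], info["auth"], parts = parts[0], parts[1], parts[2:]
    info["cipher"], rest = parts[0], parts[1:]
    if rest and rest[0] in ("GCM", "POLY1305"):  # AEAD modes are spelled out
        info["mode"], rest = rest[0], rest[1:]
    else:
        info["mode"] = "CBC"                     # CBC is implied by the name
    info["hash"] = rest[0] if rest else None     # CHACHA20-POLY1305 names none
    return info

def review(line):
    """Map each suite to points worth researching (this example's own rules)."""
    suites, _ = parse_directive(line)
    notes = {}
    for info in map(breakdown, suites):
        checks = [
            (info["kx"] not in ("ECDHE", "DHE"), "no ephemeral key exchange (no forward secrecy)"),
            (info["mode"] == "CBC", "CBC mode, not AEAD"),
            (info["hash"] == "SHA", "SHA-1 based MAC"),
        ]
        notes[info["name"]] = [msg for hit, msg in checks if hit]
    return notes

if __name__ == "__main__":
    for name, flags in review(LINE).items():
        print(f"{name:32} {'; '.join(flags) or 'nothing flagged'}")
```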

Don't Use

  • again, which ones you block is a matter of research ...

Algorithms and Ciphers (Reference)

What You Need to Know

Code4Lib Results 2018-05-10

code4lib.org got an F in April 2018 on the Qualys test
  • Yes, I did try to notify them a couple weeks ago prior to publicly presenting this
  • the site doesn't involve e-commerce, but could involve personal information
  • I found this because I set Firefox to not accept SSLv2 or SSLv3
  • Firefox - about:config - security.tls.version.min - set to "2" (sets the minimum SSL to TLS 1.1)
  • A more complete explanation: http://kb.mozillazine.org/Security.tls.version.*#Possible_values_and_their_effects
  • Note that when you visit a site that only supports SSLv2 or v3, Firefox assumes you're wrong and asks if you want to reset to sane values: your call, but I'm sticking with my paranoia

Code4Lib, Improved (2018-06-12)

code4lib.org gets a C in June 2018 on the Qualys test
  • presenting the problem at a Code4Lib conference got their attention ...

Never Look Behind the Curtain

The Keisei (Japanese train company) site gets an F on the Qualys test, June 2018
  • I was in Japan, and now I test any site that wants my credit card ... in this case, I bought in person

Conclusion

  • never could get OCSP ("Online Certificate Status Protocol") stapling working
  • with cloud VMs, the instinct is to wipe and re-spin machines at the drop of a hat, and if you're using Let's Encrypt certificates, this is very easy ... but if you wipe the VM and spin up a new one with a new certificate, HSTS breaks VERY ugly, so hold-and-copy your old certs