Posted to dev@httpd.apache.org by Yann Ylavic <yl...@gmail.com> on 2015/05/05 09:47:05 UTC

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

On Tue, May 5, 2015 at 3:19 AM,  <wr...@apache.org> wrote:
> Author: wrowe
> Date: Tue May  5 01:19:20 2015
> New Revision: 1677721
>
> URL: http://svn.apache.org/r1677721
[]
> Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in?rev=1677721&r1=1677720&r2=1677721&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in (original)
> +++ httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in Tue May  5 01:19:20 2015
> @@ -49,6 +49,24 @@ Listen @@SSLPort@@
[]
> +#   SSL Cipher Suite:
> +#   List the ciphers that the client is permitted to negotiate.
> +#   See the mod_ssl documentation for a complete list.
> +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> +
> +#   Speed-optimized SSL Cipher configuration:
> +#   If speed is your main concern (on busy HTTPS servers e.g.),
> +#   you might want to force clients to specific, performance
> +#   optimized ciphers. In this case, prepend those ciphers
> +#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> +#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
> +#   (as in the example below), most connections will no longer
> +#   have perfect forward secrecy - if the server's key is
> +#   compromised, captures of past or future traffic must be
> +#   considered compromised, too.
> +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
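Review bot: the commented-out "SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5" example at the end of the hunk puts RC4-SHA first, yet the Caveat above it only warns about the loss of perfect forward secrecy. RC4 has weaknesses of its own that do not depend on the key exchange, so the comment should say so, or the example should drop RC4-SHA and lead with an AES suite. The comment also tells the reader to enable SSLHonorCipherOrder, but no such directive appears next to the example in the lines shown; a commented "#SSLHonorCipherOrder on" beside it would make the example complete when someone uncomments it.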

There possibly should be ":!EXP" in both suites above.
Also I'd suggest removing RC4 from the latter suite, it is not
considered secure ([1]), and maybe replace it with "AES128-SHA256"
(both secure and fast with SNI).

Ideally, we probably should merge r1526168 and r1527291 from trunk.

[1] http://www.isg.rhul.ac.uk/tls/

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, May 5, 2015 at 7:28 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> but will be, soon enough).

On my box with AES-NI disabled:
$ openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 14536333 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 3914941 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 998659 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 250825 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 8192 size blocks: 31488 aes-128 cbc's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Oct 16 15:38:47 UTC 2014
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN
-DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      77527.11k    83518.74k    85218.90k    85330.50k    85983.23k

Same box, with AES-NI enabled:
$ openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 115446037 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 31613460 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 8096806 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2036515 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 254238 aes-128-cbc's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Oct 16 15:38:47 UTC 2014
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN
-DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     615712.20k   674420.48k   690927.45k   692821.05k   694239.23k

Same box, RC4:
$ openssl speed rc4
Doing rc4 for 3s on 16 size blocks: 43771347 rc4's in 3.00s
Doing rc4 for 3s on 64 size blocks: 20474427 rc4's in 3.00s
Doing rc4 for 3s on 256 size blocks: 6568097 rc4's in 3.00s
Doing rc4 for 3s on 1024 size blocks: 1780486 rc4's in 3.00s
Doing rc4 for 3s on 8192 size blocks: 229652 rc4's in 3.01s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Oct 16 15:38:47 UTC 2014
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN
-DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
rc4             233447.18k   436787.78k   560477.61k   607739.22k   625019.66k

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, May 5, 2015 at 12:35 PM, Eric Covener <co...@gmail.com> wrote:

> On Tue, May 5, 2015 at 1:28 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> > Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> > but will be, soon enough).
> >
> > While I agree md4 is less desirable, if we were going to make a recommendation,
> > I'd go with favoring aes128 over md4 but retain md4 as a backup, in forced server
> > preference.  And label this a known-insecure configuration.
>
> Do you mean RC4?  I think the conventional wisdom (of the moment) is
> to remove RC4 completely.
>

Yes - sorry.  I suggest we remove the 'optimized' example altogether, and
will go ahead with that if nobody objects.  We obviously don't keep up.  I
will also duplicate the SSLCipherList to SSLProxyCipherList (all examples
are now in global scope).

I propose we replace the 'optimized' example with the following;

#  Effective 2017, only TLSv1.2 ciphers should be in use.
#  Older ciphers should be disallowed as soon as possible, however
#  much older clients such as IE6 SP2 on XP may still be in use.
#  Replace the SSLCipherSuite and SSLProxyCipherSuite directives
#  above with these directives to restrict mod_ssl to TLSv1.2 ciphers
#  as soon as this is practical.
# SSLCipherSuite TLSv1.2:!eNULL
# SSLProxyCipherSuite TLSv1.2:!eNULL

Thoughts?

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Posted by Eric Covener <co...@gmail.com>.
On Tue, May 5, 2015 at 1:28 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
> but will be, soon enough).
>
> While I agree md4 is less desirable, if we were going to make a recommendation,
> I'd go with favoring aes128 over md4 but retain md4 as a backup, in forced server
> preference.  And label this a known-insecure configuration.


Do you mean RC4?  I think the conventional wisdom (of the moment) is
to remove RC4 completely.
-- 
Eric Covener
covener@gmail.com

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, May 5, 2015 at 12:06 PM, Yann Ylavic <yl...@gmail.com> wrote:

> On Tue, May 5, 2015 at 6:26 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> > On Tue, May 5, 2015 at 2:47 AM, Yann Ylavic <yl...@gmail.com> wrote:
> >> On Tue, May 5, 2015 at 3:19 AM,  <wr...@apache.org> wrote:
> >>
> >> Also I'd suggest removing RC4 from the latter suite, it is not
> >> considered secure ([1]), and maybe replace it with "AES128-SHA256"
> >> (both secure and fast with SNI).
>
> Hmm, I meant AES-NI here (the CPU builtin instruction set), not SNI of
> course :p
>
> >>
> >> [1] http://www.isg.rhul.ac.uk/tls/
> >
> > It's branded as less secure as things stand.  I'd be happy if we ripped that
> > example from all 2.2/2.4/trunk branches.
> >
> > That said, if you want to retain it, do you have benchmarks to point us at?
>
> E.g.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Encryption-OpenSSL_Intel_AES-NI_Engine.html


Was hoping for md4 vs. aes128 comparisons, (and AES-NI isn't everywhere,
but will be, soon enough).

While I agree md4 is less desirable, if we were going to make a recommendation,
I'd go with favoring aes128 over md4 but retain md4 as a backup, in forced server
preference.  And label this a known-insecure configuration.

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, May 5, 2015 at 6:26 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Tue, May 5, 2015 at 2:47 AM, Yann Ylavic <yl...@gmail.com> wrote:
>> On Tue, May 5, 2015 at 3:19 AM,  <wr...@apache.org> wrote:
>
>>> +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>
>>> +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
>
>> There possibly should be ":!EXP" in both suites above.
>
> Why?  To make it more wordy?  Strongly -1, this is why too many users get
> their cipherlists wrong, they change one thing in an overly complex
> expression already.  EXP is classified LOW, already excluded above.

Sorry my bad, I read this as "ALL:+HIGH:+MEDIUM"...

>
> Note that this was not an editorial commit, it was a scope change that was
> buried hidden from the 2.4 commit log.  This simply brings 2.2 in line with
> 2.4 and trunk.
>
>> Also I'd suggest removing RC4 from the latter suite, it is not
>> considered secure ([1]), and maybe replace it with "AES128-SHA256"
>> (both secure and fast with SNI).

Hmm, I meant AES-NI here (the CPU builtin instruction set), not SNI of course :p

>>
>> [1] http://www.isg.rhul.ac.uk/tls/
>
> It's branded as less secure as things stand.  I'd be happy if we ripped that
> example from all 2.2/2.4/trunk branches.
>
> That said, if you want to retain it, do you have benchmarks to point us at?

E.g. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Encryption-OpenSSL_Intel_AES-NI_Engine.html

>
>> Ideally, we probably should merge r1526168 and r1527291 from trunk.
>
> Happy to consider such a proposal.
>

I'm working on it, thanks.

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, May 5, 2015 at 11:26 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:

>
> openssl ciphers -v 'ALL:!HIGH:!MEDIUM' | grep exp
>

After further scrutiny...

openssl ciphers -v 'ALL:!HIGH:!MEDIUM:!LOW' | grep exp

export falls under 'none of the above'.

Re: svn commit: r1677721 - /httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, May 5, 2015 at 2:47 AM, Yann Ylavic <yl...@gmail.com> wrote:
> On Tue, May 5, 2015 at 3:19 AM,  <wr...@apache.org> wrote:
>> Author: wrowe
>> Date: Tue May  5 01:19:20 2015
>> New Revision: 1677721
>>
>> URL: http://svn.apache.org/r1677721
> []
>> Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in?rev=1677721&r1=1677720&r2=1677721&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
(original)
>> +++ httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in Tue May
 5 01:19:20 2015

>> +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

>> +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5

> There possibly should be ":!EXP" in both suites above.

Why?  To make it more wordy?  Strongly -1, this is why too many users get
their cipherlists wrong, they change one thing in an overly complex
expression already.  EXP is classified LOW, already excluded above.

openssl ciphers 'cipherlist'

with an optional -v arg will show you the resulting matchset of any
particular cipher list against the compiled-in ciphers.  Therefore...

openssl ciphers -v 'ALL:!HIGH:!MEDIUM' | grep exp

Note that this was not an editorial commit, it was a scope change that was
buried hidden from the 2.4 commit log.  This simply brings 2.2 in line with
2.4 and trunk.

> Also I'd suggest removing RC4 from the latter suite, it is not
> considered secure ([1]), and maybe replace it with "AES128-SHA256"
> (both secure and fast with SNI).
>
> [1] http://www.isg.rhul.ac.uk/tls/

It's branded as less secure as things stand.  I'd be happy if we ripped
that example from all 2.2/2.4/trunk branches.

That said, if you want to retain it, do you have benchmarks to point us at?

> Ideally, we probably should merge r1526168 and r1527291 from trunk.

Happy to consider such a proposal.
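
The thread settles its questions (does the list admit export ciphers, RC4, suites without forward secrecy?) by reading the output of `openssl ciphers -v`. The script below is an added example, not part of the original thread or of httpd; it automates that reading, and the function names `audit_ciphers` and `sample_ciphers` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag weak entries in the output of
# `openssl ciphers -v`. Function names and sample lines are constructed.

# Reads `openssl ciphers -v` formatted lines on stdin; prints
# "NAME<TAB>flag,flag,..." for every cipher with at least one finding.
audit_ciphers() {
    awk '
    {
        kx = ""; au = ""; enc = ""; mac = ""; flags = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Au=/)  au  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        if ($NF == "export") flags = flags ",export"
        if (enc ~ /^RC4/)    flags = flags ",rc4"
        if (enc == "None")   flags = flags ",no-encryption"
        if (au == "None")    flags = flags ",anonymous"
        if (mac == "MD5")    flags = flags ",md5-mac"
        # Static RSA key exchange: a stolen server key decrypts captures.
        if (kx ~ /^RSA/)     flags = flags ",no-forward-secrecy"
        if (flags != "") print $1 "\t" substr(flags, 2)
    }'
}

# Constructed sample in the `openssl ciphers -v` column layout.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EOF
}

# Offline demo; against a real build, run for instance:
#   openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5' | audit_ciphers
sample_ciphers | audit_ciphers
```

An empty result for a given cipher string means none of the flagged properties are present in what the local OpenSSL build would offer for it.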