Apache SSL Cipher Suites: Perfect Forward Secrecy

I wanted to tune my HTTPS sites on Apache to support only cipher suites that use the ephemeral Diffie-Hellman key exchange, i.e., that provide perfect forward secrecy. After searching the Internet for a while, I only found SSLCipherSuite examples that list a few concrete algorithms, while I wanted a more generic option in the style of “!MD5”. Here it is:

For a basic understanding, please read these articles: At a Glance – Perfect Forward Secrecy (PFS), Apache documentation SSLCipherSuite Directive, Mozilla Wiki Security/Server Side TLS.

Security (not backward compatibility)

I wanted to use cipher suites with only ephemeral Diffie-Hellman key exchange. (Note that a DH exchange that is not ephemeral does NOT provide perfect forward secrecy!) Furthermore, I only wanted to use strong ciphers, i.e., AES, and only strong hash algorithms, i.e., not MD5. I was not interested in supporting every old Internet Explorer, and so on. I focused merely on security.

–> This is the Cipher Suite I am using for all my Apache servers:

That is:

  • All suites under the HIGH classification
  • But without the key exchange algorithms of RSA, DH with RSA key, DH with DSA key, and Secure Remote Password (refer to SSLCipherSuite Directive). –> Only ephemeral Diffie-Hellman!
  • No NULL authentication
  • No 3DES
  • No MD5

(Additionally, I always disable the SSLv3 protocol on all installations:
SSLProtocol all -SSLv3)

List of Cipher Suites

OpenSSL can list the selected cipher suites (-v option). Here is my list:

 

Handshake Simulation

And as always, I am using the SSL Server Test from Qualys SSL Labs at https://www.ssllabs.com/ssltest/. With the cipher suites presented above, the result looks like the following (20 October 2014):

[Screenshot: Qualys SSL Labs SSL Server Test, 2014-10-20]

That is: Some old browsers are not supported. But I don’t care since I am not earning money with my servers. I was merely interested in the green “FS” results. ;)
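
The same property can be checked locally before running the online test. The following is an added example, not part of the original post: it parses the column layout printed by openssl ciphers -v and flags every suite that violates the policy listed above (ephemeral key exchange only, no NULL authentication, no 3DES, no MD5). The sample lines and the function names are constructed for illustration.

```python
# Added example: audit `openssl ciphers -v` output against the post's policy.

# Kx values that mean an ephemeral exchange. Static DH/ECDH is printed with a
# suffix (e.g. "DH/RSA", "ECDH/RSA"); TLS 1.3 suites are printed as "any".
EPHEMERAL_KX = {"DH", "ECDH", "any"}

# Constructed sample lines in the column layout of `openssl ciphers -v`.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA1
ADH-AES256-SHA              SSLv3   Kx=DH       Au=None Enc=AES(256)    Mac=SHA1
ECDH-RSA-AES256-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(256)    Mac=SHA1
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
"""


def parse_line(line):
    """Split one listing line into name, protocol and its Key=Value columns."""
    fields = line.split()
    if len(fields) < 3:
        return None
    suite = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    suite.update(name=fields[0], protocol=fields[1])
    return suite


def audit(listing):
    """Return {suite name: [policy violations]}; compliant suites are omitted."""
    findings = {}
    for line in listing.splitlines():
        suite = parse_line(line)
        if suite is None:
            continue
        problems = []
        if suite.get("Kx") not in EPHEMERAL_KX:
            problems.append("no forward secrecy (Kx=%s)" % suite.get("Kx"))
        if suite.get("Au") == "None":
            problems.append("NULL authentication")
        if suite.get("Enc", "").startswith("3DES"):
            problems.append("3DES")
        if suite.get("Mac") == "MD5":
            problems.append("MD5")
        if problems:
            findings[suite["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name + ": " + ", ".join(problems))
```

To audit a real configuration, pass audit() the output of openssl ciphers -v called with your own SSLCipherSuite string; an empty result means every selected suite meets the policy.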

Featured image “One feather” by Thomas Quine is licensed under CC BY 2.0.

One thought on “Apache SSL Cipher Suites: Perfect Forward Secrecy”

  1. Hello!
    I’ve used my PA + Apache (SSL) with grade “A” until a few weeks ago.
    Today SSL Labs reports this:

    “This server does not support Forward Secrecy with the reference browsers. Grade capped to B. ”
    ======================
    Protocols:
    TLS 1.3 No
    TLS 1.2 Yes
    TLS 1.1 Yes
    TLS 1.0 Yes
    SSL 3 No
    SSL 2 No

    Cipher Suites
    # TLS 1.2 (server has no preference)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
    # TLS 1.1 (server has no preference)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
    # TLS 1.0 (server has no preference)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

    Protocol Details:
    Forward Secrecy No WEAK (more info)
    ======================

    This is the Apache config:
    —————
    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder off
    SSLCipherSuite "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:NULL:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
    ————–

    Changing SSLHonorCipherOrder to “on” does not solve the problem.
    I think it is also necessary to adapt SSLCipherSuite.

    Do you have any feedback about this with the last PAN-OS 8.x?

    Best regards
    Sim
