Re: Implementing Encryption with the OWASP Advanced+ Setup
Hello Andrew,
Thanks. Does b only allow TLS 1.2? That's the only thing I am wanting, can I get a look at your settings? I'd like to compare yours to mine?
Thanks. Dave.
On 1/6/19, Andrew Hodgson <andrew@hodgson.io> wrote:
Hi,
As I said I put my settings to the B grade which I think is strong enough without disabling clients. I wouldn't go higher than B when configuring hardening at work in any case.
In terms of the SSL versions I am not talking about OpenSSL version but the version of the TLS protocol you are using, if you are using A+ or A you need to explicitly state only allowing TLS 1.2 and nothing else, if you specify other TLS versions it may mismatch.
Andrew.
-----Original Message-----
From: David Mehler <dave.mehler@gmail.com>
Sent: 06 January 2019 00:19
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Re: Implementing Encryption with the OWASP Advanced+ Setup
Hello Andrew,
Thanks for your reply. My openssl version is 1.02q of November 2018. The ciphers I'm using were from the A+ OWASP. Clients are Android 7.1 Aquamail, and IE11.
Andrew, where are you getting your ciphers from? They seem more advanced yours are working, and the article I'm referencing. I'd like to go with A+ or A if doable.
Thanks. Dave.
On 1/5/19, Andrew Hodgson <andrew@hodgson.io> wrote:
FWIW I just implemented the cipher suites for B (broad compatibility) and got a higher score on the Qualys SSL Labs test (got A+ both times but higher score on secure ciphers second time). I think that B should be enough unless you want to really start locking down. I wouldn't go any higher than B on a public web server anyway.
Andrew.
-----Original Message-----
From: Andrew Hodgson <andrew@hodgson.io>
Sent: 05 January 2019 23:52
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Re: Implementing Encryption with the OWASP Advanced+ Setup
Hi,
I would check you are using the correct SSL versions as well as the A+ needs TLS 1.2 with those ciphers so any other TLS version wouldn't work.
You cannot make exceptions for specific clients as the handshake is done as the first step so the client isn't even identified. You can of course configure the strings in different servers differently. I think you may be able to get away with B now on web servers but if you are dealing with other protocols (especially IMAP/S and SMTP/S) I would set these to C.
Which reminds me I need to check my own list as it is out of date.
Andrew.
-----Original Message-----
From: David Mehler <dave.mehler@gmail.com>
Sent: 05 January 2019 17:55
To: blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Implementing Encryption with the OWASP Advanced+ Setup
Hello,
I'm trying to update my server security. I'm wanting to implement the OWASP recommended Advanced+ setup. For reference that is:
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
My client compatibility I thought was good, using Firefox 57, Chrome the latest I just updated it from Ninite, and IE11 on Win10, and Aquamail as an Android client.
My tls cipher suite I'm using for the advanced+ configuration is:
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
Having set this nothing is working, getting TLS connection errors can not negotiate a compatible protocol or cipher. This tells me the protocols and ciphers are too restrictive, I was under the impression this should work. Does anyone have this implemented? Can you make exceptions for certain clients I'll go that way if I have to.
The services I'm trying to get going are Apache v2.4, Postfix 3.3, and dovecot 2.3. My openssl version is 1.02q 20 NOV. 2018.
Suggestions welcome.
Thanks. Dave.
_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
Hi,
I am Nginx over here so here is my config which is grade B:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    [...]
    ssl_certificate /etc/letsencrypt/live/samwise.hodgsonfamily.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/samwise.hodgsonfamily.org/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
If you want A or A+ you need to ensure you are enabling TLS 1.2 only and nothing else.
Andrew.
________________________________________
From: David Mehler [dave.mehler@gmail.com]
Sent: 07 January 2019 02:44
To: Blind sysadmins list
Subject: [Blind-sysadmins] Re: Implementing Encryption with the OWASP Advanced+ Setup
Hello Andrew,
Thanks. Does b only allow TLS 1.2? That's the only thing I am wanting, can I get a look at your settings? I'd like to compare yours to mine?
Thanks. Dave.
On 1/6/19, Andrew Hodgson <andrew@hodgson.io> wrote:
Hi,
As I said I put my settings to the B grade which I think is strong enough without disabling clients. I wouldn't go higher than B when configuring hardening at work in any case.
In terms of the SSL versions I am not talking about OpenSSL version but the version of the TLS protocol you are using, if you are using A+ or A you need to explicitly state only allowing TLS 1.2 and nothing else, if you specify other TLS versions it may mismatch.
Andrew.
-----Original Message-----
From: David Mehler <dave.mehler@gmail.com>
Sent: 06 January 2019 00:19
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Re: Implementing Encryption with the OWASP Advanced+ Setup
Hello Andrew,
Thanks for your reply. My openssl version is 1.02q of November 2018. The ciphers I'm using were from the A+ OWASP. Clients are Android 7.1 Aquamail, and IE11.
Andrew, where are you getting your ciphers from? They seem more advanced yours are working, and the article I'm referencing. I'd like to go with A+ or A if doable.
Thanks. Dave.
On 1/5/19, Andrew Hodgson <andrew@hodgson.io> wrote:
FWIW I just implemented the cipher suites for B (broad compatibility) and got a higher score on the Qualys SSL Labs test (got A+ both times but higher score on secure ciphers second time). I think that B should be enough unless you want to really start locking down. I wouldn't go any higher than B on a public web server anyway.
Andrew.
-----Original Message-----
From: Andrew Hodgson <andrew@hodgson.io>
Sent: 05 January 2019 23:52
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Re: Implementing Encryption with the OWASP Advanced+ Setup
Hi,
I would check you are using the correct SSL versions as well as the A+ needs TLS 1.2 with those ciphers so any other TLS version wouldn't work.
You cannot make exceptions for specific clients as the handshake is done as the first step so the client isn't even identified. You can of course configure the strings in different servers differently. I think you may be able to get away with B now on web servers but if you are dealing with other protocols (especially IMAP/S and SMTP/S) I would set these to C.
Which reminds me I need to check my own list as it is out of date.
Andrew.
-----Original Message-----
From: David Mehler <dave.mehler@gmail.com>
Sent: 05 January 2019 17:55
To: blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Implementing Encryption with the OWASP Advanced+ Setup
Hello,
I'm trying to update my server security. I'm wanting to implement the OWASP recommended Advanced+ setup. For reference that is:
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
My client compatibility I thought was good, using Firefox 57, Chrome the latest I just updated it from Ninite, and IE11 on Win10, and Aquamail as an Android client.
My tls cipher suite I'm using for the advanced+ configuration is:
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
Having set this nothing is working, getting TLS connection errors can not negotiate a compatible protocol or cipher. This tells me the protocols and ciphers are too restrictive, I was under the impression this should work. Does anyone have this implemented? Can you make exceptions for certain clients I'll go that way if I have to.
The services I'm trying to get going are Apache v2.4, Postfix 3.3, and dovecot 2.3. My openssl version is 1.02q 20 NOV. 2018.
Suggestions welcome.
Thanks. Dave.
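Added example (not part of the original thread or either poster's configuration): this Python sketch asks the local OpenSSL, through the standard `ssl` module, which protocol version each suite in the two cipher strings quoted above is defined for, and flags any token OpenSSL silently dropped. It assumes the string is a plain list of explicit suite names, as in this thread; `audit`, `A_PLUS` and `GRADE_B` are names made up for the example.

```python
import re
import ssl

# Cipher strings as quoted in the thread (OpenSSL suite names).
A_PLUS = ("DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256")
GRADE_B = A_PLUS + (":DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
                    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
                    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
                    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA")


def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL.

    Returns the enabled pre-TLS-1.3 suites mapped to the protocol version
    OpenSSL reports for each, the requested tokens that matched nothing
    (only meaningful for explicit suite names, not keywords like HIGH),
    and whether every enabled suite is a TLS 1.2-only suite.
    """
    requested = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL could not select a single suite from the string.
        return {"suites": {}, "ignored": requested, "tls12_only": False}
    # TLS 1.3 suites are configured separately from this string; skip them.
    suites = {c["name"]: c["protocol"] for c in ctx.get_ciphers()
              if c["protocol"] != "TLSv1.3"}
    return {
        "suites": suites,
        "ignored": [t for t in requested if t not in suites],
        "tls12_only": bool(suites) and all(p == "TLSv1.2"
                                           for p in suites.values()),
    }


if __name__ == "__main__":
    for label, string in (("A+", A_PLUS), ("B", GRADE_B)):
        result = audit(string)
        print(label, "TLS 1.2 only:", result["tls12_only"])
        for name, proto in result["suites"].items():
            print("   ", proto, name)
        if result["ignored"]:
            print("    ignored tokens:", result["ignored"])
```

When `tls12_only` is true, the service has to have TLS 1.2 enabled and every client has to support TLS 1.2 with one of these suites, otherwise no protocol and cipher combination can be negotiated.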
participants (2)
- Andrew Hodgson
- David Mehler