There have recently been a number of high profile security issues with OpenSSL and its accompanying assortment of authentication and encryption algorithms collectively known as a cipher suite. These issues have weakened the security offered by TLS/SSL which is incorporated into many applications such as FTP, email, VPNs, chat protocols, as well as the secure browsing connection via HTTPS.
These recent issues with OpenSSL break down into roughly two kinds; bugs with the OpenSSL library itself and issues with the encryption and authentication algorithms it employs - its cipher suite.
The most recent and famous bug with OpenSSL itself was the Heartbleed bug. These types of issues involving a package which is installed and managed by the OS are best dealt with by ensuring that the OS is always up to date with the latest packages from the official repositories. The distribution maintainers will usually release a patched version of a broken package very rapidly especially for such a critical component as OpenSSL. In the case of Debian they released a fixed version of OpenSSL around two and a half hours after becoming aware of the Heartbleed issue.
Issues with the cipher suite employed by OpenSSL
The situation here is rather more complicated than simply patching a bug and moving on. This is because of a large number of legacy encryption algorithms that are available to OpenSSL and can potentially be utilised by a client connecting to the server. The recent menagerie of attacks (BEAST, FREAK, POODLE, CRIME, LUCKY, BREACH) target the older and weaker encryption algorithms and their implementation in OpenSSL.
So why not simply remove all the older encryption algorithms?
The simple reason is that obsolete operating systems and software are still being used by a significant amount people on the internet. Windows XP is still being used by nearly 19% of internet users and over 1% are still using IE6! This obsolete software no longer receives any updates so they are not updated with the newest encryption algorithms, therefore they rely on older encryption methods.
This causes a significant problem for the user and website admin because when a client connects to a webserver with very outdated software and requests an HTTPS connection there may be no mutually supported ciphers which will result in the connection being terminated with an error.
As a result the administrator of the webserver has to strike a balance between using only the most secure ciphers and at the same time trying to support the maximum number of clients, an unfortunate percentage of whom will be using older software.
Fortunately, the most insecure ciphers can be discarded without affecting more than a very small number of people using only the most obsolete software.
Memset's recommended cipher suite and webserver configuration
The default cipher suite configuration for webservers such Apache and Nginx tends to err on the side of being inclusive rather than maximally secure. Therefore, some modification to the default cipher suite as used by Apache and Nginx is necessary to ensure the security of you and your clients' data.
Memset has devoted some time to creating a webserver cipher suite that will enable secure connections with the maximum number of clients and at the same time avoiding all of the above-listed attacks. This cipher suite will allow secure connections from XP SP3 ensuring that the vast majority of the internet will be able to securely browse your site. In fact, Memset's cipher suite proved its worth by defending against the FREAK attack even before it was published by removing the old ciphers upon which it depended.
The following is the cipher suite as used and recommended by Memset in our webservers:
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
In addition to using cipher suite the following should also be configured if needed:
- Only support TLS 1.0, TLS 1.1 and TLS 1.2
- Disable SSL compression
This configuration receives an A rating on the SSLabs.com site which grades a sites SSL implementation and can be viewed here for www.memset.com as of March 2015.