Tuesday, May 26, 2015

HOWTO Protect your Debian Server against the Logjam Attack

As many of you may already know, the current real-world deployment of Diffie-Hellman is less secure than previously believed. This post explains how to deploy Diffie-Hellman on your servers.

Recommendations for correctly deploying Diffie-Hellman for TLS:

1. Disable Export Cipher Suites
Even though modern browsers no longer support export suites, the FREAK and Logjam attacks allow a man-in-the-middle attacker to trick browsers into using export-grade cryptography, after which the TLS connection can be decrypted. Export ciphers are a remnant of 1990s-era policy that prevented strong cryptographic protocols from being exported from United States. No modern clients rely on export suites and there is little downside in disabling them.

2. Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)
Elliptic-Curve Diffie-Hellman (ECDH) key exchange avoids all known feasible cryptanalytic attacks, and modern web browsers now prefer ECDHE over the original, finite field, Diffie-Hellman. The discrete log algorithms we used to attack standard Diffie-Hellman groups do not gain as strong of an advantage from precomputation, and individual servers do not need to generate unique elliptic curves.

3. Generate a Strong, Unique Diffie Hellman Group
A few fixed groups are used by millions of servers, which makes them an optimal target for precomputation, and potential eavesdropping. Administrators should generate unique, 2048-bit or stronger Diffie-Hellman groups using "safe" primes for each website or server.

You can test your server by using the Qualsys SSL Server Test.

Procedure:


The first step to secure your server is to generate a unique DH Group with the openssl command. Under the /etc/ssl/private/ directory, we will create the dhparams.pem file and set secure permissions:

cd /etc/ssl/private
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem


Now, I will show you how to configure diferent services on your Servers:

apache2

First we will add a Secure Cipher Suite based on the recommendations from weakdh.org. Open the file /etc/apache2/mods-available/ssl.conf with an editor and change or add these lines:

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on

Note: The SSLCipherSuide is just one long line, so do not add line breaks!!!

Set the DH Group in apache:

This part is only available for apache2 v. 2.4.8 and openssl v. 1.0.2 or newer !!!

Let's test our versions:
ximena@ximunix:~$ apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built:   Feb  1 2014 21:26:04
ximena@ximunix:~$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
ximena@ximunix:~$ 

So, that means that I can't set the DH Group on this server. If your apache version is > 2.4.8 and OpenSSL > 1.0.2, then edit the /etc/apache2/mods-available/ssl.conf file again and add the following line:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

And then restart apache:

service apache2 restart

nginx

Edit the nginx configuration file /etc/nginx/nginx.conf

Add or replace the following lines:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/ssl/private/dhparams.pem;

And then restart nginx:

service nginx restart

postfix

Edit the postfix configuration file /etc/postfix/main.cf and add the following lines:

smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem

And restart postfix:

service postfix restart

dovecot

Edit the dovecot configuration file /etc/dovecot/dovecot.conf and add the following line right after the ssl_protocols line:

ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Now, let's check our dovecot version:

ximena@ximunix:~$ dovecot --version
2.1.7
ximena@ximunix:~$

If your dovecot version is 2.2.6 or greater, then add this additional line:

ssl_prefer_server_ciphers = yes

When the version is 2.2.7 or greater, then add this third line:

ssl_dh_parameters_length = 2048

Finally restart dovecot:

service dovecot restart

I hope that helps and works! ;)