Enhanced SSL Ciphers Walkthrough

If your site or service has any interaction with customer data, especially credit cards, then you will want to ensure that you are using the latest up-to-date SSL ciphers. Below are some quick notes that I took while recently updating some ciphers I’m responsible for. A lot of credit goes to Ivan Ristic, as I spent time reading through his OpenSSL Cookbook. This post will not cover creating or converting SSL keys, but focuses more on the cipher suite and how to change it to increase security.

  1. Find out the current complete version info with openssl version -a.

     [image: openssl_versiona]

     Notice the OPENSSLDIR line near the end of the output; that is where my OpenSSL working directory is located.

     [image: ssldirstruct]

  2. Here are a couple of hints on getting some help beyond the obvious man page, which can be a little overwhelming if you are not sure where to go next.
    • On my Ubuntu 14 server I can get some help just by typing openssl at the command line and hitting the tab key twice.

     [image: tabtabopenssl]

      However, on my Red Hat 5 server this tab completion isn’t built in, but even attempting to use help, although it fails, shows some very useful info.

     [image: badhelpopenssl]

      From this output we can see there is a ciphers command, and since that is what I want to work with to increase security, I can now run man ciphers on the CLI.
  3. With the help of the man command I learn that I can list all supported ciphers in order of strength.

     [image: cipherlistbystrength]

  4. I was given a list of ‘recommended’ ciphers to use by our security group, so next I needed to find which supported ciphers I can use.
    • We can use groups to narrow down what I want. With the ‘+’ sign I can tie different groups together into one search string, and use ‘:’ as a separator in order to list multiple strings to search for.

     [image: shortlist]

      Keep in mind that if we only select the strongest suites, some clients that aren’t up to date may face issues. It is your call whether to follow the strong suites with weaker ones. For example, I’m going to jump over to my Nagios server to finish the task of using more enhanced ciphers, and we can see that I put the ciphers I want to use in order and basically do not use any weak ones.

     [image: nagiosciphers]

      This config still gives me a lot of ciphers to work with.
  5. Let us set the config to reflect the new suites we want for our SSL connections. Basically, take the search groups we used and find the SSLCipherSuite line in your website conf file.

     [image: cipherconf]

      Red Hat recommends for RHEL 4, 5, 6, 7:

    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
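
As an added example that is not part of the original post, here is a small POSIX shell script that ties the narrowing and config steps above together: it expands a cipher string the same way the post does (openssl ciphers -v) and then audits the result for the suite families the post wants kept out (RC4, single DES, NULL, MD5, anonymous authentication, export grade). The function names (list_ciphers, weak_ciphers, count_weak) and the embedded sample cipher list are my own constructions; the sample is only used when no openssl binary is on the path, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit the suites a cipher
# string expands to, flagging the families the post excludes.

# Constructed sample in the format of `openssl ciphers -v` (one suite per
# line: name, protocol, Kx=, Au=, Enc=, Mac=). Used when openssl is absent.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1'

# list_ciphers SPEC: print the suites SPEC expands to (the same command the
# post runs) when the real binary is available, otherwise the constructed
# sample so the script still works offline.
list_ciphers() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers -v "$1"
    else
        printf '%s\n' "$SAMPLE_CIPHERS"
    fi
}

# weak_ciphers: read `openssl ciphers -v` lines on stdin and print the names
# of suites that use RC4, single DES, NULL encryption, MD5, anonymous
# authentication (Au=None) or export-grade keys. These are the families the
# post's !aNULL/!LOW/!EXPORT exclusions and its "no weak ones" ordering are
# meant to keep out.
weak_ciphers() {
    awk '/Enc=RC4/ || /Enc=DES\(/ || /Enc=None/ || /Mac=MD5/ || /Au=None/ || / export/ { print $1 }'
}

# count_weak SPEC: how many weak suites survive in the expansion of SPEC.
# A spec that is ready to go into SSLCipherSuite should return 0.
count_weak() {
    list_ciphers "$1" | weak_ciphers | wc -l | tr -d ' '
}

# Usage (only meaningful with the real openssl; the sample ignores SPEC):
# compare the Red Hat baseline quoted in the post against a stricter spec.
# count_weak 'ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT'
# count_weak 'HIGH:!aNULL:!MD5:!RC4'
```

Running count_weak against the Red Hat baseline on a real box will report the RC4 suites that RC4+RSA explicitly admits; that is the trade-off the post describes between client compatibility and only keeping strong suites, made visible before the line goes into the conf file.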

Linux, Network Security, Tutorials/Whitepapers, Uncategorized
