Context Navigation

← Previous Ticket
Next Ticket →

Ticket #409 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

HTTPS Security Issues

Reported by:	chris	Owned by:	chris
Priority:	minor	Milestone:
Component:	Live server	Keywords:
Cc:	laura, jim	Estimated Number of Hours:	1.0
Add Hours to Ticket:	0	Billable?:	yes
Total Hours:	1.0

Description

There are some issues that are highlighted here:

Overall Rating: F Zero

Chain issues Incorrect order

This server is vulnerable to the BEAST attack (more info https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls )

https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org

That should be fixed on both servers and the documentation should be updated to match:

Change History

comment:1 Changed 5 years ago by chris

Add Hours to Ticket changed from 0.0 to 1.0
Status changed from new to closed
Resolution set to fixed
Total Hours changed from 0.0 to 1.0

On quince this apache config:

SSLCipherSuite HIGH

Was changed to the following for all virtual servers:

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!SSLv2:!aNULL

And the gandi intermediate cert was recreated:

wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt

openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

cat GandiStandardSSLCA.pem > gandi.pem
cat UTNAddTrustServer_CA.pem >> gandi.pem
cat AddTrustExternalCARoot.pem >> gandi.pem

And the docs updated, wiki:NewLiveServer#HTTPS

For kiwi, this nginx configuration:

ssl_protocols  SSLv3 TLSv1;
ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers   on;

Was updated to:

ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  RC4-SHA:HIGH:!ADH:!SSLv2:!aNULL;
ssl_prefer_server_ciphers   on;

The nginx chained cert was recreated:

cd /etc/ssl/transitionnetwork.org
wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt

openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

cat transitionnetwork.org.crt > transitionnetwork.org.chained.pem
cat GandiStandardSSLCA.pem >> transitionnetwork.org.chained.pem
cat UTNAddTrustServer_CA.pem >> transitionnetwork.org.chained.pem
cat AddTrustExternalCARoot.pem >> transitionnetwork.org.chained.pem

And now kiwi also scores a A: https://www.ssllabs.com/ssltest/analyze.html?d=kiwi%2etransitionnetwork%2eorg&s=81%2e95%2e52%2e78

And the notes here have been updated wiki:SecurityInfo

Note: See TracTickets for help on using tickets.

Download in other formats: