Ticket #409 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

HTTPS Security Issues

Reported by: chris Owned by: chris
Priority: minor Milestone:
Component: Live server Keywords:
Cc: laura, jim Estimated Number of Hours: 1.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 1.0

Description

There are some issues that are highlighted here:

Overall Rating: F Zero

Chain issues Incorrect order

This server is vulnerable to the BEAST attack (more info https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls )

https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org

That should be fixed on both servers and the documentation should be updated to match:

Change History

comment:1 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 1.0
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.0 to 1.0

On quince, this Apache config:

SSLCipherSuite HIGH

Was changed to the following for all virtual servers:

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!SSLv2:!aNULL

And the Gandi intermediate cert was recreated:

wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt

openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

cat GandiStandardSSLCA.pem > gandi.pem
cat UTNAddTrustServer_CA.pem >> gandi.pem
cat AddTrustExternalCARoot.pem >> gandi.pem

And the docs were updated: wiki:NewLiveServer#HTTPS

For kiwi, this nginx configuration:

ssl_protocols  SSLv3 TLSv1;
ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers   on;

Was updated to:

ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  RC4-SHA:HIGH:!ADH:!SSLv2:!aNULL;
ssl_prefer_server_ciphers   on;

The nginx chained cert was recreated:

cd /etc/ssl/transitionnetwork.org
wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt

openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

cat transitionnetwork.org.crt > transitionnetwork.org.chained.pem
cat GandiStandardSSLCA.pem >> transitionnetwork.org.chained.pem
cat UTNAddTrustServer_CA.pem >> transitionnetwork.org.chained.pem
cat AddTrustExternalCARoot.pem >> transitionnetwork.org.chained.pem

And now kiwi also scores an A: https://www.ssllabs.com/ssltest/analyze.html?d=kiwi%2etransitionnetwork%2eorg&s=81%2e95%2e52%2e78

And the notes here have been updated: wiki:SecurityInfo
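Added example (not part of the ticket, and not the project's own tooling): a POSIX shell checker for the property behind the SSL Labs "Chain issues: Incorrect order" finding. In a bundle like gandi.pem or transitionnetwork.org.chained.pem built above, the certificates must appear leaf first, with every certificate issued by the one that follows it. The script only needs the openssl CLI; the root/intermediate/leaf hierarchy it generates for the demo is constructed here, and the www.example.test names and file names are assumptions. The fetch_served_chain helper needs network access and is not exercised in the demo.

```shell
#!/bin/sh
# Added example, not from the ticket: checks that a PEM chain file such as
# gandi.pem or transitionnetwork.org.chained.pem is ordered leaf -> intermediate(s)
# -> root, i.e. every certificate is issued by the one that follows it. That is
# the property behind the SSL Labs "Chain issues: Incorrect order" finding.
# Needs the openssl CLI; the test hierarchy below is constructed for the demo.

# RFC 2253 subject / issuer of a single PEM certificate, with the "subject="
# or "issuer=" prefix stripped so the two strings can be compared directly.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}
cert_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'
}

# check_chain_order BUNDLE.pem
# Exit status 0 when each certificate is issued by the next one in the file,
# 1 (with the offending position on stderr) at the first break.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d)
    # Split the bundle into cert01.pem, cert02.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != "" { print > f }
    ' "$bundle"
    set -- "$tmp"/cert*.pem
    if [ ! -f "$1" ]; then
        echo "$bundle: no certificates found" >&2
        rm -rf "$tmp"
        return 1
    fi
    count=$#
    i=1
    while [ "$i" -lt "$count" ]; do
        cur=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        nxt=$(printf '%s/cert%02d.pem' "$tmp" "$((i + 1))")
        if [ "$(cert_issuer "$cur")" != "$(cert_subject "$nxt")" ]; then
            echo "$bundle: certificate $i ($(cert_subject "$cur")) is not issued by" \
                 "certificate $((i + 1)) ($(cert_subject "$nxt"))" >&2
            rm -rf "$tmp"
            return 1
        fi
        i=$((i + 1))
    done
    echo "$bundle: chain order ok ($count certificates)"
    rm -rf "$tmp"
    return 0
}

# Dump the chain a live server actually sends (network, so not used in the demo):
#   fetch_served_chain transitionnetwork.org > served.pem && check_chain_order served.pem
fetch_served_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# make_test_chain DIR: a constructed root -> intermediate -> leaf hierarchy with
# throwaway keys, only so the checker can be exercised offline.
make_test_chain() {
    dir=$1
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = critical, CA:FALSE\nsubjectAltName = DNS:www.example.test\n' > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Test Root' \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Demo: the leaf-first bundle passes; the root-first bundle (the pattern behind
# an "Incorrect order" finding) is rejected. Order alone does not prove trust,
# so the trust path is verified separately with openssl verify.
DEMO=$(mktemp -d)
make_test_chain "$DEMO"
cat "$DEMO/leaf.pem" "$DEMO/int.pem" "$DEMO/root.pem" > "$DEMO/good.pem"
cat "$DEMO/root.pem" "$DEMO/int.pem" "$DEMO/leaf.pem" > "$DEMO/bad.pem"
check_chain_order "$DEMO/good.pem"
check_chain_order "$DEMO/bad.pem" || echo "bad.pem rejected as expected"
openssl verify -CAfile "$DEMO/root.pem" -untrusted "$DEMO/int.pem" "$DEMO/leaf.pem"
rm -rf "$DEMO"
```

Both Apache (SSLCertificateChainFile) and nginx (a concatenated ssl_certificate) send the file contents in the order they appear, so a mis-ordered bundle is exactly what the scanner sees; running check_chain_order on the file before a restart, and fetch_served_chain against the host afterwards, confirms the fix from both ends. Passing the order check is necessary but not sufficient: openssl verify with the root as -CAfile and the intermediates as -untrusted is what actually proves the trust path. The root itself is optional in the served chain, since a client must already have it in its store to trust anything.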
