CentOS 8 Crypto-policy To Get SSL Labs A Rating


Dear Community

I'm trying to get an SSL Labs A rating for my CentOS 8 Apache server. I'm sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me advice on where I am wrong?
My understanding is that the configuration in the pmod file will override the ssl.conf values if PROFILE=SYSTEM is active.

***
# Current runtime policy dump
# DEFAULT:HTTPS
arbitrary_dh_groups = 1
cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CTR AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC
group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
ike_protocol = IKEv2
key_exchange = ECDHE DHE DHE-RSA DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
min_dh_size = 2048
min_dsa_size = 2048
min_dtls_version = DTLS1.2
min_rsa_size = 2048
min_tls_version = TLS1.2
protocol = TLS1.3 TLS1.2 DTLS1.2
sha1_in_certs = 1
sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-$
ssh_certs = 1
ssh_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
ssh_etm = 1
ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC

***
cat /etc/crypto-policies/policies/modules/HTTPS.pmod
cipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
***

Part of /etc/httpd/conf.d/ssl.conf
***
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# List the protocol versions which clients are allowed to connect with.
# The OpenSSL system profile is used by default. See
# update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2

# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
#SSLProxyCipherSuite PROFILE=SYSTEM
#SSLCipherSuite HIGH:!aNULL:!MD5
#SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256

Thanks for any hint!
Adrian
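To make the layering in the question concrete, here is an added example (not code from the thread or from the crypto-policies project) that models how an Apache `SSLProtocol` line narrows the protocol set a CentOS 8 crypto-policy already allows, and runs a few checks against the best-known SSL Labs grade caps. It parses the `key = value` dump format posted above (a trimmed copy of it is embedded as constructed sample input), applies mod_ssl's documented `+`/`-` token rules, and intersects the two. It also flags a `cipher =` value written in OpenSSL's colon-separated suite syntax, since the dump shows the policy format using whitespace-separated algorithm names such as `AES-256-GCM`. The function names and the intersection model are this example's own assumptions; it does not reimplement OpenSSL's handling of `PROFILE=SYSTEM`.

```python
"""Added example (not from the thread): model how an Apache SSLProtocol
directive narrows the protocol set that a CentOS 8 crypto-policy allows,
and run a few checks that correspond to well-known SSL Labs grade caps.
Function names and the sample inputs are constructed for this example."""

import re

# Constructed sample: trimmed copy of the "Current runtime policy dump"
# posted in the question (only the keys this example needs).
POLICY_DUMP = """\
# Current runtime policy dump
# DEFAULT:HTTPS
key_exchange = ECDHE DHE DHE-RSA DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
min_tls_version = TLS1.2
protocol = TLS1.3 TLS1.2 DTLS1.2
tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
"""

# Map between crypto-policies protocol names and mod_ssl SSLProtocol tokens.
POLICY_TO_MODSSL = {"SSL3.0": "SSLv3", "TLS1.0": "TLSv1", "TLS1.1": "TLSv1.1",
                    "TLS1.2": "TLSv1.2", "TLS1.3": "TLSv1.3"}
MODSSL_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_policy_dump(text):
    """Parse 'key = v1 v2 ...' lines into {key: [values]}; '#' lines are comments."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.split()
    return policy


def parse_ssl_protocol(directive):
    """Apply mod_ssl's SSLProtocol token rules: '+tok' adds, '-tok' removes,
    and a bare token replaces whatever was set so far (mod_ssl logs a warning
    in that case). 'all' expands to every protocol mod_ssl still knows."""
    enabled = set()
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        if name.lower() == "all":
            chosen = set(MODSSL_ALL)
        else:
            match = next((p for p in MODSSL_ALL if p.lower() == name.lower()), None)
            if match is None:
                raise ValueError(f"unknown SSLProtocol token: {token}")
            chosen = {match}
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


def effective_protocols(policy, ssl_protocol_directive):
    """What a client can actually negotiate: the policy's TLS versions
    (DTLS is irrelevant to HTTPS) intersected with what SSLProtocol permits.
    Assumption of this example: both layers must allow a version."""
    policy_tls = {POLICY_TO_MODSSL[p] for p in policy.get("protocol", [])
                  if p in POLICY_TO_MODSSL}
    return policy_tls & parse_ssl_protocol(ssl_protocol_directive)


def looks_like_openssl_cipher_string(value):
    """The policy dump lists ciphers as whitespace-separated algorithm names
    (AES-256-GCM, CHACHA20-POLY1305); a colon-joined OpenSSL suite list such as
    ECDHE-RSA-AES256-GCM-SHA384 is a different syntax and is flagged here."""
    return ":" in value or bool(re.search(r"\b(ECDHE|DHE)-(RSA|ECDSA)-", value))


def review(policy, ssl_protocol_directive):
    """Return a list of findings; an empty list means nothing here blocks an A."""
    findings = []
    protos = effective_protocols(policy, ssl_protocol_directive)
    if not protos:
        findings.append("no protocol version left enabled: TLS handshakes will fail")
    if protos & {"SSLv3", "TLSv1", "TLSv1.1"}:
        findings.append("SSLv3/TLS 1.0/1.1 enabled: SSL Labs caps the grade at B or lower")
    # Every key exchange the policy permits must be ephemeral (forward secrecy).
    if any(not kx.startswith(("ECDHE", "DHE")) for kx in policy.get("key_exchange", [])):
        findings.append("non-ephemeral key exchange allowed: no forward secrecy on those suites")
    if "AEAD" not in policy.get("mac", []):
        findings.append("no AEAD suites allowed")
    return findings


if __name__ == "__main__":
    pol = parse_policy_dump(POLICY_DUMP)
    for directive in ("all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2",   # SSLProtocol line from the question
                      "-all +TLSv1.3 +TLSv1.2"):                # form used in the replies below
        print(directive, "->", sorted(effective_protocols(pol, directive)),
              review(pol, directive) or "no findings")
    print(looks_like_openssl_cipher_string(
        "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"))
```

Run against the question's own `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2`, the model leaves only TLSv1.3 enabled, because that line removes TLSv1.2 as well; the `-all +TLSv1.3 +TLSv1.2` form keeps both current versions. The cipher-syntax check is the part worth keeping around: a policy module value in OpenSSL suite syntax is flagged before it is ever handed to `update-crypto-policies`.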

4 thoughts on - CentOS 8 Crypto-policy To Get SSL Labs A Rating

  • I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:


    # …
    SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
    SSLProtocol -all +TLSv1.3 +TLSv1.2

    In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.

  • Hi Paul

    Thanks, but how do you "skip the crypto-policy for Apache"?
    It seems like the crypto-policies configuration is overwriting my values in the httpd configuration. How do I enforce the values in httpd.conf?

    Regards, Adrian


  • I haven’t taken the time necessary to figure out where exactly the
    ‘PROFILE=SYSTEM’ string gets parsed and replaced, so I can’t answer your specific question.

    In my case, I don’t use any Include or IncludeOptional statements in the main httpd.conf; it’s all there in one file. Obviously, my solution won’t work for everyone.