7.5 Ensure Weak SSL/TLS Ciphers Are Disabled - 'Global SSLCipherSuite'

Information

Disable weak SSL ciphers using the 'SSLCipherSuite' and 'SSLHonorCipherOrder' directives. The 'SSLCipherSuite' directive specifies which ciphers are allowed in the negotiation with the client. The 'SSLHonorCipherOrder' directive causes the server's preferred ciphers to be used instead of the clients' specified preferences.

Rationale:

The SSL/TLS protocols support a large number of encryption ciphers, including many weak ciphers that are subject to man-in-the middle attacks and information disclosure. Some implementations even support the NULL cipher, which allows a TLS connection without any encryption! Therefore, it is critical to ensure the configuration only allows strong ciphers greater than or equal to 128 bit to be negotiated with the client. Stronger 256-bit ciphers should be allowed and preferred. In addition, enabling 'SSLHonorCipherOrder' further protects the client from man-in-the-middle downgrade attacks by ensuring the server's preferred ciphers will be used rather than the clients' preferences.

In addition, the RC4 stream ciphers should be disabled, even though they are widely used and have been recommended in previous Apache benchmarks as a means of mitigating attacks based on CBC cipher vulnerabilities. The RC4 ciphers have known cryptographic weaknesses and are no longer recommended. The IETF has published the RFC 7465 standard[4] that would disallow RC4 negotiation for all TLS versions. While the document is somewhat new (Feb 2015), it is expected the RC4 cipher suites will begin to disappear from options in TLS deployments. In the meantime, it is important to ensure that RC4-based cipher suites are disabled in the configuration.

Solution

Perform the following to implement the recommended state:

Ensure the 'SSLCipherSuite' includes all of the following:

'!NULL:!SSLv2:!RC4:!aNULL' values. For example, add or modify the following line in the Apache server level configuration and every virtual host that is TLS enabled:

SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL

It is **not** recommended to add '!SSLv3' to the directive even if the SSLv3 protocol is not in use. Doing so disables ALL of the ciphers that may used with SSLv3, which includes the same ciphers used with the TLS protocols. The !aNULL will disable both the ADH and AECDH ciphers, so the !ADH is not required.

**IMPORTANT NOTE:** The above 'SSLCipherSuite' value disables only the weak ciphers but allows medium strength and other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.

SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: d75a070355b2ca2bc7fa27c7fd968abd0c28a6318e77e5ddcde945b5ad13707d