httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: SSL and Usability and Safety
Date Tue, 02 May 2017 17:28:13 GMT
On 02.05.2017 at 15:19, Stefan Eissing wrote:
> With 71 configuration directives, mod_ssl can manage probably every user's needs, but
> two: Mr and Ms Normal.
>
> Ms and Mr Normal have a basic understanding about SSL, sorry TLS, and what a cipher is,
> but HonorCipherOrder is already a bit much and on OCSP stapling, the mind becomes a little
> bit hazy. They are smart and well educated in their field of work, they just do not have the
> time to read up on these things.
>
> But they have heard about internet security and want people visiting their site to be
> safe (which is always relative).
>
> What they do now is take Apache, google a bit around, find something on stackoverflow
> or maybe even the Mozilla config generator (https://mozilla.github.io/server-side-tls/ssl-config-generator/)
> and copy and paste what they find into their config file.
>
> And then they never touch the config for the next couple of years. They will get updates
> and security fixes from the Linux distribution, but as long as the server runs, they will
> not investigate a better SSL setting any more.
>
> But everyone working in internet security knows that these settings are (and maybe forever
> will be) in flux. Ciphers fall out of grace, new protocol versions rise and features like
> OCSP and HSTS get invented.
>
> How can we help Mr and Ms Normal to stay up to date on these things?
>
> - We cannot rewrite their config unasked. We need to be backward compatible.
> - Our defaults nowadays are dangerously unsafe, so users MUST do their own settings.
>
> I advocate that we need (yet another!) SSL directive where administrators can declare
> their *intent*.
>
> A. "I want my site safe and usable with modern browsers!"
> B. "I want a safe setting, but people with slightly outdated clients should be served
> as well."
> C. "I sadly need compatibility with some very old clients."
>
> and Apache would figure out what these intentions mean for protocols, ciphers, ordering,
> OCSP and other settings. We ship updates with every release when they make sense to us. We
> could even ship a CVE fix downstream that removes a certain cipher and it would apply to all
> sites using this new setting.
>
> Does this make sense? I personally would use this on my sites...
>
> Cheers,
>
> Stefan
>
> PS. Yes, I would use Mozilla's modern/intermediate/old definitions, but that discussion
> would be the next step.

I like the idea. It reminds me of OpenSSL security levels

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html

although there is no 1:1 map, more a similarity of principles.

We have to see how easily we get consensus on the "intent" names and 
the actual settings associated with those.

Since we then have possibly conflicting config settings (your new 
"intent" config directive and existing detailed config directives) we 
need to make sure how merging (conflict resolution) is done (even 
within the global server or one vhost):

a) in order of occurrence in the config files (order of reading)

b) the most secure settings win

c) first apply the "intent" directive, then merge the existing detail 
settings on top

I guess c) would be the most logical, but probably needs some additional 
feature in config parsing.

Regards,

Rainer
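To make the merge question concrete, here is a small model of strategies a) and c) from the message above. It is an added illustration written for this archive page, not httpd or mod_ssl code: the directive name `SSLIntent`, the contents of the three intent profiles and the sample configuration are all constructed for the example (the profile values are stand-ins in mod_ssl syntax, not an authoritative policy), and strategy b) is not modelled because it would need a "more secure than" ordering between arbitrary directive values that the thread does not define.

```python
"""Model of merging a hypothetical 'intent' directive with explicit
mod_ssl directives. Added example, not httpd code: SSLIntent, the
profile contents and the sample config are constructed placeholders."""

# Constructed profiles: intent name -> settings the intent implies.
INTENT_PROFILES = {
    "modern": {
        "SSLProtocol": "TLSv1.2",
        "SSLHonorCipherOrder": "on",
        "SSLUseStapling": "on",
    },
    "intermediate": {
        "SSLProtocol": "all -SSLv3",
        "SSLHonorCipherOrder": "on",
        "SSLUseStapling": "on",
    },
    "old": {
        "SSLProtocol": "all -SSLv2",
        "SSLHonorCipherOrder": "on",
        "SSLUseStapling": "off",
    },
}

INTENT_DIRECTIVE = "SSLIntent"  # hypothetical directive name

# Constructed sample: an explicit SSLProtocol followed by an intent line,
# and a vhost that only overrides the cipher ordering.
SAMPLE_CONFIG = """
SSLProtocol all -SSLv3
SSLIntent modern
<VirtualHost *:443>
    SSLHonorCipherOrder off
</VirtualHost>
"""


def parse(config_text):
    """Return (scope, directive, value) triples in reading order.
    Scope is 'global' or the <VirtualHost ...> argument."""
    scope = "global"
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            scope = line[len("<virtualhost"):].strip(" >")
            continue
        if line.lower().startswith("</virtualhost"):
            scope = "global"
            continue
        directive, _, value = line.partition(" ")
        entries.append((scope, directive, value.strip()))
    return entries


def merge_in_order(base, entries):
    """Strategy a): every directive, intent included, applies in the
    order it was read, so a later SSLIntent overwrites an earlier
    explicit setting."""
    effective = dict(base)
    for _scope, directive, value in entries:
        if directive == INTENT_DIRECTIVE:
            effective.update(INTENT_PROFILES[value])
        else:
            effective[directive] = value
    return effective


def merge_intent_first(base, entries):
    """Strategy c): apply the intent profile first, then lay the explicit
    directives of the same scope on top, wherever the intent line sits."""
    effective = dict(base)
    intents = [v for _s, d, v in entries if d == INTENT_DIRECTIVE]
    if intents:
        effective.update(INTENT_PROFILES[intents[-1]])
    for _scope, directive, value in entries:
        if directive != INTENT_DIRECTIVE:
            effective[directive] = value
    return effective


def effective_settings(config_text, vhost, strategy):
    """Resolve the global scope, then the vhost on top of it, using the
    chosen strategy for each scope."""
    entries = parse(config_text)
    base = strategy({}, [e for e in entries if e[0] == "global"])
    return strategy(base, [e for e in entries if e[0] == vhost])


if __name__ == "__main__":
    for name, strategy in (("a) in order", merge_in_order),
                           ("c) intent first", merge_intent_first)):
        print(name, effective_settings(SAMPLE_CONFIG, "*:443", strategy))
```

Run on the sample, strategy a) silently replaces the admin's explicit `SSLProtocol all -SSLv3` with the profile's `TLSv1.2` because the intent line comes second, while strategy c) keeps the explicit value and only fills in what the admin did not set; in both cases the vhost's own `SSLHonorCipherOrder off` wins over the inherited global value.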
