SSL/TLS best practices for websites

Keeping Secrets

10.3 HSTS

HTTP Strict Transport Security (HSTS), described in RFC 6797 [1], implements strict rules for encrypting websites. The server discloses the policies in the HTTP response header to compatible browsers (Figure 2).

Figure 2: Twitter announces via HTTP header that it uses HTTP Strict Transport Security (HSTS).

If HSTS is enabled, a compliant web browser uses TLS exclusively to communicate with a website. This approach closes a few security holes that are otherwise hard to close, such as visits via plaintext bookmarks or links, insecure cookies, SSL stripping, and mixed content in the same domain. Strict Transport Security also ensures secure handling of invalid certificates. Without HSTS, web browsers let the user decide what to do when a certificate is invalid. But most users cannot distinguish between attacks and misconfigurations, which makes them potential victims of network attacks. With HSTS, however, invalid certificates remain invalid, and the warning cannot be bypassed. It is best to enable Strict Transport Security for a complete domain name, including its subdomains.
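The following checker for the header described above is an added example, not code from the article. It applies the RFC 6797 processing rules (directives are case-insensitive, max-age is mandatory, only the first header counts, headers received over plain HTTP are ignored) and compares the policy with the one-year, includeSubDomains value used in this page's listings; the function names and finding texts are assumptions made for the example.

```python
import re

RECOMMENDED_MAX_AGE = 31536000  # one year, the value used in this page's listings

def parse_hsts(value):
    """Parse one header value (RFC 6797, section 6.1); None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in directives:
            return None  # each directive may appear only once
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of the value
        directives[name] = val if sep else True
    age = directives.get("max-age")
    if not isinstance(age, str) or not re.fullmatch(r"[0-9]+", age):
        return None  # max-age is mandatory and must be a number
    directives["max-age"] = int(age)
    return directives

def audit_hsts(header_values, over_tls=True):
    """Findings for the Strict-Transport-Security headers of one response."""
    if not header_values:
        return ["no HSTS header: plain HTTP stays possible"]
    if not over_tls:
        return ["sent over plain HTTP: browsers ignore the header"]
    findings = []
    if len(header_values) > 1:
        findings.append("multiple headers: only the first is processed")
    policy = parse_hsts(header_values[0])
    if policy is None:
        return findings + ["malformed policy: browsers ignore the header"]
    if policy["max-age"] == 0:
        findings.append("max-age=0: browser deletes its stored policy")
    elif policy["max-age"] < RECOMMENDED_MAX_AGE:
        findings.append("max-age shorter than one year")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: subdomains not covered")
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    for headers in (["max-age=31536000; includeSubDomains"], ["max-age=600"], []):
        print(headers, "->", audit_hsts(headers) or "ok")
```

An empty list of findings means the response carries the policy recommended on this page.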

Configuration Recommendations

The following sample configurations require support for elliptic curve cryptography (EC), which is required for a modern SSL deployment. Unfortunately, EC is not available everywhere. In the case of the Apache web server, EC was introduced in version 2.2.6; many older installations do not include the feature. However, the version number alone is not conclusive. Some distributions, such as Debian, have backported EC for their Apache packages.

A quick look at the release notes is therefore essential. Until recently, Fedora and Red Hat still disabled EC; an update to a recent release should add EC support. In case of emergency, you can build Apache 2.4.x from source with statically linked OpenSSL – see the discussion on my website [2].

Listing 2 shows the Apache directives for the global SSL configuration. The configuration resides in different files on different distributions: in the original source code for Apache 2.4.x, the file is $SERVER_ROOT/conf/extra/httpd-ssl.conf; Debian and Ubuntu use /etc/apache2/mods-available/ssl.conf; and Red Hat uses /etc/httpd/conf.d/ssl.conf. The Mod_SSL Guide [3] documents the SSL configuration directives for Apache. Listing 3 shows the configuration for the nginx web server.

Listing 2

Apache Configuration

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 \
    ECDHE-ECDSA-AES256-GCM-SHA384 \
    ECDHE-RSA-AES128-GCM-SHA256 \
    ECDHE-RSA-AES256-GCM-SHA384 \
    DHE-RSA-AES128-GCM-SHA256 \
    DHE-RSA-AES256-GCM-SHA384 \
    ECDHE-ECDSA-AES128-SHA \
    ECDHE-ECDSA-AES256-SHA \
    ECDHE-ECDSA-DES-CBC3-SHA \
    ECDHE-RSA-AES128-SHA \
    ECDHE-RSA-AES256-SHA \
    ECDHE-RSA-DES-CBC3-SHA \
    DHE-RSA-AES128-SHA \
    DHE-RSA-AES256-SHA \
    EDH-RSA-DES-CBC3-SHA \
    AES128-GCM-SHA256 \
    AES256-GCM-SHA384 \
    AES128-SHA \
    AES256-SHA \
    DES-CBC3-SHA"

# Only with Apache 2.2.24+ and Apache 2.4.3+
SSLCompression Off

SSLSessionCache shmcb:/path/to/ssl_scache(1024000)
SSLSessionCacheTimeout 3600

# Only with Apache 2.4.x
SSLUseStapling On
SSLStaplingCache shmcb:/path/to/stapling_cache(128000)

# HSTS policies are persistent; learn more
# about HSTS before enabling the following
# rule for best security (requires mod_headers).
#Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Listing 3

Nginx Configuration

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA EDH-RSA-DES-CBC3-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA DES-CBC3-SHA";
ssl_session_cache shared:ssl_session_cache:1M;
ssl_session_timeout 60m;
# Only with Nginx 1.4.x and newer
ssl_stapling on;

# HSTS policies are persistent; learn more about HSTS
# before enabling the following rule for best security.
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

The instructions are contained in the http section of the file, which typically resides in /etc/nginx/nginx.conf. By the way, all the information must be in a single line for the ssl_ciphers statement. See the Nginx project website for documentation on configuring SSL [4].

Infos

  1. HTTP Strict Transport Security (RFC 6797): http://tools.ietf.org/html/rfc6797
  2. Ivan Ristic, "Compiling Apache with static OpenSSL libraries": http://blog.ivanristic.com/2013/08/compiling-apache-with-static-openssl.html
  3. Mod_SSL Manual: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
  4. SSL for Nginx: http://nginx.org/en/docs/http/ngx_http_ssl_module.html

The Author

Ivan Ristic (http://blog.ivanristic.com) is the author of the recently published Bulletproof SSL and TLS by Feisty Duck Publishing. The author maintains the website https://www.ssllabs.com, where he publishes tools on SSL/TLS and PKI.
