17th November

in Security

STunnel Cipher List and Qualys SSL Labs Testing

Posted by Andrei Grigoraş

Chasing that eternally moving target that is an A+ from Qualys’ SSL scanner? Well, you’ve found the correct blog!

We’ve been testing again whilst also looking at FIPS compatible ciphers as part of our upcoming v8.2.3 release. We’re going for basic FIPS compliance with this release so it makes sense to re-evaluate our current recommendations.

We’ve worked hard to offer you some sensible recommendations that mitigate common known vulnerabilities and achieve the best scores from Qualys while maintaining maximum client support.


Before I get into the ciphers, let me first point out that to get an A+ you need not only a secure list of ciphers but also at least a 6 month HSTS header; otherwise the best you can achieve is an A. Luckily we can insert this at L7 for you, so you’ll likely need to enable this if you’re seeking that top score. What on earth is an HSTS header, I hear you cry? Well, it’s a way to tell your user’s browser not to talk over HTTP with your website for a specified amount of time. This is an attempt to protect against man-in-the-middle attacks for conforming browsers.

More info: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Back to the ciphers. I’ll start with our favourite short, succinct list, which we used to achieve the A+. It’s made with ciphers exclusively from the FIPS supported list and offers fairly reasonable client support if you can leave TLS1.0 enabled:

ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256

Here is an example configuration file; it’s based on an STunnel v5.33 build with OpenSSL 1.0.2j-fips:



# STunnel configuration file generated by Loadbalancer.org appliance
# Written 2017-05-10 13:41
setuid = stunnel
pid = /var/run/stunnel/stunnel.pid
socket = a:IP_FREEBIND=yes
fips = yes
[VIP_Name]
cert = /etc/loadbalancer.org/certs/VIP_Name/VIP_Name.pem
ciphers = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256
accept = 0.0.0.0:443
connect = 127.0.0.1:80
delay = yes
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS
renegotiation = no
TIMEOUTclose = 0

The default options we use here are quite important for stopping various man-in-the-middle attacks such as POODLE and BEAST.

So what does a simulated handshake tell us about this configuration?
Well no Windows XP for a start… but otherwise it looks pretty good…

 Supported Server Cipher(s):
   Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLSv1  256 bits  AES256-SHA
   Accepted  TLSv1  128 bits  AES128-SHA
   Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLS11  256 bits  AES256-SHA
   Accepted  TLS11  128 bits  AES128-SHA
   Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
   Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
   Accepted  TLS12  256 bits  AES256-SHA256
   Accepted  TLS12  256 bits  AES256-SHA
   Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
   Accepted  TLS12  128 bits  AES128-GCM-SHA256
   Accepted  TLS12  128 bits  AES128-SHA256
   Accepted  TLS12  128 bits  AES128-SHA
 Preferred Server Cipher(s):
   TLSv1  256 bits  ECDHE-RSA-AES256-SHA
   TLS11  256 bits  ECDHE-RSA-AES256-SHA
   TLS12  256 bits  ECDHE-RSA-AES256-SHA384


We also have a fair number of customers disabling TLS1 due to upcoming PCI changes.
With TLS1.0 disabled, this list will still support all modern operating systems and browsers, but some older products will obviously fail to negotiate a connection (possibly a good thing…).
If you disable TLSv1 you get the following handshake:

 Supported Server Cipher(s):
   Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLS11  256 bits  AES256-SHA
   Accepted  TLS11  128 bits  AES128-SHA
   Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
   Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
   Accepted  TLS12  256 bits  AES256-SHA256
   Accepted  TLS12  256 bits  AES256-SHA
   Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
   Accepted  TLS12  128 bits  AES128-GCM-SHA256
   Accepted  TLS12  128 bits  AES128-SHA256
   Accepted  TLS12  128 bits  AES128-SHA
 Preferred Server Cipher(s):
   TLS11  256 bits  ECDHE-RSA-AES256-SHA
   TLS12  256 bits  ECDHE-RSA-AES256-SHA384


Next comes my favourite list if you don’t need FIPS-only ciphers – I use this one myself!

ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!3DES:!RC4:!MD5:!aNULL:!EDH

 Supported Server Cipher(s):
   Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLSv1  256 bits  AES256-SHA
   Accepted  TLSv1  256 bits  CAMELLIA256-SHA
   Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
   Accepted  TLSv1  128 bits  AES128-SHA
   Accepted  TLSv1  128 bits  CAMELLIA128-SHA
   Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLS11  256 bits  AES256-SHA
   Accepted  TLS11  256 bits  CAMELLIA256-SHA
   Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
   Accepted  TLS11  128 bits  AES128-SHA
   Accepted  TLS11  128 bits  CAMELLIA128-SHA
   Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
   Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
   Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
   Accepted  TLS12  256 bits  AES256-GCM-SHA384
   Accepted  TLS12  256 bits  AES256-SHA256
   Accepted  TLS12  256 bits  AES256-SHA
   Accepted  TLS12  256 bits  CAMELLIA256-SHA
   Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
   Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
   Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
   Accepted  TLS12  128 bits  AES128-GCM-SHA256
   Accepted  TLS12  128 bits  AES128-SHA256
   Accepted  TLS12  128 bits  AES128-SHA
   Accepted  TLS12  128 bits  CAMELLIA128-SHA
 Preferred Server Cipher(s):
   TLSv1  128 bits  ECDHE-RSA-AES128-SHA
   TLS11  128 bits  ECDHE-RSA-AES128-SHA
   TLS12  128 bits  ECDHE-RSA-AES128-SHA

This will also get you an A+ but offers additional ciphers not found on the FIPS list. These Camellia ciphers come from Japan and are considered about as strong as AES; you’ll see lots of them additionally enabled with the above cipher list in use.

More info: https://en.wikipedia.org/wiki/Camellia_(cipher)

Another option is to use the full and complete FIPS list, but currently it will only give you an A- due to being capped. Annoyingly, this is down to a few reference browsers not negotiating a cipher that supports forward secrecy. However, client support is excellent, and you can almost certainly expect IE6 / WinXP clients to work if they enable TLS1.0 support in IE.

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:DES-CBC3-SHA:AES128-SHA
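The three cipher strings above can be sanity-checked before they go into the stunnel config. This added example (not Loadbalancer.org's code) audits a string by suite name alone: it reports which explicitly named suites a `!` exclusion deletes, and which surviving suites lack forward secrecy or use RC4/3DES. The name matching in `BAN_TESTS` is a simplifying assumption; `openssl ciphers -v` on the target build gives the authoritative expansion.

```python
# Added example: static audit of an OpenSSL cipher string, by suite name only.
# The keyword tests are a simplified stand-in (assumption) for OpenSSL's own matching.
BAN_TESTS = {
    "RC4":   lambda n: "RC4" in n,
    "3DES":  lambda n: "DES-CBC3" in n,
    "MD5":   lambda n: n.endswith("MD5"),
    "EDH":   lambda n: n.startswith(("DHE-", "EDH-")),
    "aNULL": lambda n: n.startswith(("ADH-", "AECDH-")),
}

def key_exchange(name):
    """Classify the key exchange from the OpenSSL suite name."""
    if name.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "ephemeral"   # provides forward secrecy
    if name.startswith(("ECDH-", "DH-")):
        return "static-dh"   # fixed DH key, no forward secrecy
    return "rsa"             # RSA key transport, no forward secrecy

def audit(cipher_string):
    """Return findings for the explicitly named suites in a cipher string."""
    tokens = [t for t in cipher_string.split(":") if t]
    bans = [t[1:] for t in tokens if t.startswith("!")]
    named = [t for t in tokens if "-" in t and t[0] not in "!+-"]
    cancelled = {}
    for name in named:
        hits = [b for b in bans if b in BAN_TESTS and BAN_TESTS[b](name)]
        if hits:
            cancelled[name] = hits   # "!" deletes a suite wherever it is listed
    live = [n for n in named if n not in cancelled]
    return {
        "cancelled": cancelled,
        "first_live": live[0] if live else None,
        "no_forward_secrecy": [n for n in live if key_exchange(n) != "ephemeral"],
        "legacy_cipher": [n for n in live if "RC4" in n or "DES-CBC3" in n],
        "unexpanded": [t for t in tokens if "-" not in t and t[0] not in "!+-"],
    }

# The three cipher strings from this page.
SHORT_FIPS = "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256"
NON_FIPS = "ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!3DES:!RC4:!MD5:!aNULL:!EDH"
FULL_FIPS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:DES-CBC3-SHA:AES128-SHA"

if __name__ == "__main__":
    for label, s in (("short FIPS", SHORT_FIPS), ("non-FIPS", NON_FIPS), ("full FIPS", FULL_FIPS)):
        print(label, audit(s))
```

For the non-FIPS string, the leading `ECDHE-RSA-RC4-SHA` and `DHE-RSA-AES256-SHA` entries are reported as cancelled by `!RC4` and `!EDH`, which matches the scan output above: no RC4 or DHE suites are accepted and `ECDHE-RSA-AES128-SHA` is the preferred cipher.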


I’m sure that over time our recommendations will continue to evolve; security is, as always, a moving target, with new vulnerabilities being discovered every day. Even ciphers we’ve come to know and trust, like Arcfour and 3DES, have recently fallen out of favour, proving the need to constantly review your security.

An interesting conversation on this topic can be found at the following link. It’s actually worth a read as it explores the argument about allowing older ciphers and the issues faced by taking them away:

https://community.qualys.com/thread/16555-triple-des-is-bad-now-sweet-32-cve-2016-2183-cve-2016-6329

**Note for enabling TLS1.0 in IE6 – your only option if you need to get Windows XP clients to work with SSL.

Open your IE Options and, under the ‘Advanced’ tab, almost at the bottom, you should find ‘Use TLS 1.0’. If you put a tick in this box, you should find that, with the cipher list we gave, things start to work again.
