Raymii.org

Pass the SSL Labs Test on Lighttpd (Mitigate the CRIME and BEAST attack, Disable SSLv2 and Enable Perfect Forward Secrecy).

24-07-2013 | Remy van Elst

This tutorial shows you how to get an A on the SSL Labs test using the lighttpd webserver. We do this by disabling CBC-based ciphers to mitigate the BEAST attack, disabling SSL compression to mitigate the CRIME attack, disabling SSLv2 and below because of vulnerabilities in the protocol, and enabling Perfect Forward Secrecy when possible. This way we have a future-proof SSL configuration and we get an A on the Qualys SSL Labs test.

This tutorial is also available for Apache2
This tutorial is also available for NGINX

You can find more info on the topics by following the links below:

Make sure you backup the files before editing them!

I'm using lighttpd 1.4.31 from the Debian Wheezy repositories on this website. The CentOS 5/6 EPEL versions wouldn't work for me because either lighttpd or OpenSSL was too old. Debian Squeeze also failed.

Mitigate the BEAST attack

In short, by tampering with an encryption algorithm's CBC (cipher block chaining) mode, portions of the encrypted traffic can be secretly decrypted. More info on the above link.

To mitigate it, we are going to edit the lighttpd settings in the file /etc/lighttpd/lighttpd.conf.

Throughout this tutorial you edit your SSL settings; for me those are in a $SERVER["socket"] == ":443" { ... } block. The complete config example is at the end of the tutorial.

What we need to do is disable all CBC ciphers. If you have a version of OpenSSL lower than 1.0.1c, your only option is to use the RC4 cipher, because TLS 1.2 support was added in 1.0.1c. Be aware that the RC4 cipher also has known weaknesses.

The lines below list the TLS 1.2 ciphers first, so that TLS 1.2 clients pick those up, and end with the RC4 ciphers. They also enable the ssl.honor-cipher-order option, which uses the server's cipher order instead of letting the client choose. (Lighttpd SSL Docs - The bugfix/patch for ssl.honor-cipher-order.)

ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"

Mitigate the CRIME attack

The CRIME attack uses SSL Compression to do its magic, so we need to disable that. The following option disables SSL compression:

ssl.use-compression = "disable"

By default lighttpd disables SSL compression at compile time. If you find it to be enabled, either use the above option, or recompile OpenSSL without ZLIB support. This stops OpenSSL from using the DEFLATE compression method. If you do this, you can still use regular HTML DEFLATE compression.

Disable SSLv2

SSL v2 is insecure, so we need to disable it. Again edit the config file:

ssl.use-sslv2 = "disable"

If you want, you can also disable SSLv3, but that might break compatibility with some browsers.

ssl.use-sslv3 = "disable"

Enable Forward Secrecy

(Perfect) Forward Secrecy ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session.

This means that when the private key gets compromised it cannot be used to decrypt recorded SSL traffic.

The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be improved by using the elliptic curve variants.

Do note that TLS v1.2 is required to get both PFS support and BEAST mitigation. I've also included a config line which gives you PFS but leaves you vulnerable to the BEAST attack; that is your only option below TLS v1.2.

The ssl.cipher-list config line from the BEAST attack section above is the most workable line for now. It enables a few forward secrecy ciphers, but it also allows RC4 (non-CBC). You should use this line if you want to mitigate the BEAST attack and offer forward secrecy:

ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"

If you really need forward secrecy, don't have TLS 1.2 and want to accept the risk of being vulnerable to the BEAST attack, use this line:

ssl.cipher-list = "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA:!MD5:!aNULL:!EDH"
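As an added example (not part of the original tutorial), this Python sketch reads the ssl.cipher-list directive from lighttpd config text and reports which suites lack an ephemeral key exchange, which CBC suites can be negotiated before TLS 1.2 (the case that matters for BEAST), and which use RC4. The function names and the name-based classification rules are assumptions of this example and cover explicit OpenSSL suite names from before TLS 1.3 only.

```python
import re

# Constructed sample: the two cipher-related lines from the tutorial's BEAST section.
CONF = '''ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"
'''


def classify(suite):
    """Return (ephemeral, mode, tls12_only) for one explicit OpenSSL suite name."""
    # Only ephemeral (EC)DH gives forward secrecy; ECDH- and plain RSA suites do not.
    ephemeral = suite.startswith(("ECDHE-", "DHE-", "EDH-"))
    if re.search(r"GCM|CCM|CHACHA20", suite):
        mode = "AEAD"
    elif "RC4" in suite:
        mode = "RC4"
    else:
        mode = "CBC"  # assumption: any other name is a block cipher in CBC mode
    # AEAD suites and CBC suites with a SHA256/SHA384 MAC exist only in TLS 1.2.
    tls12_only = mode == "AEAD" or suite.endswith(("-SHA256", "-SHA384"))
    return ephemeral, mode, tls12_only


def audit(conf_text):
    """Report weak spots in the ssl.cipher-list found in lighttpd config text."""
    m = re.search(r'^\s*ssl\.cipher-list\s*=\s*"([^"]*)"', conf_text, re.M)
    if not m:
        raise ValueError("no ssl.cipher-list directive found")
    # Keep explicit suite names; selectors such as !aNULL are not expanded here.
    suites = [s for s in m.group(1).split(":") if s and s[0] not in "!+-@"]
    report = {"no_forward_secrecy": [], "cbc_before_tls12": [], "rc4": []}
    for s in suites:
        ephemeral, mode, tls12_only = classify(s)
        if not ephemeral:
            report["no_forward_secrecy"].append(s)
        if mode == "CBC" and not tls12_only:
            report["cbc_before_tls12"].append(s)
        if mode == "RC4":
            report["rc4"].append(s)
    return report


if __name__ == "__main__":
    for finding, names in audit(CONF).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

On the tutorial's list this flags ECDHE-RSA-AES256-SHA as the one CBC suite a pre-TLS 1.2 client can still negotiate, and the ECDH-* and RC4-SHA entries as the ones without forward secrecy.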

Config Example

var.confdir = "/etc/ssl/certs"
$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = var.confdir + "/example.org.pem"
  ssl.ca-file = var.confdir + "/example.org.bundle.crt"
  server.name = "example.org"
  server.document-root = "/srv/html"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.use-compression = "disable"
  ssl.honor-cipher-order = "enable"
  ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"
}

Conclusion

If you have applied the above config lines you need to restart lighttpd:

/etc/init.d/lighttpd restart

Now use the SSL Labs test to see if you get a nice A. And of course have a safe and future proof SSL configuration!

