Restrict lighttpd to strong TLS cipher suites

Follow-up from #559 (closed), github PR #59 and github PR #63.

Since lighttpd version 1.4.56, the reasonable default TLS configuration is:

"MinProtocol" => "TLSv1.2"
"CipherString" => "HIGH"

We can consider to restrict list of cipher suites to only strong ciphers, as OpenSSL HIGH consist of not-so-high cipher suites as well...

List of cipher suites could be something like:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-CCM8
DHE-RSA-AES256-CCM8
DHE-RSA-CHACHA20-POLY1305

together with strong DH parameters (> 1024 bit).

added Backlog label

marked this issue as related to #559 (closed)

changed the description

changed the description

mentioned in issue #559 (closed)

Please see lighttpd docs: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL and please see Mozilla SSL configurator: https://ssl-config.mozilla.org/#server=lighttpd for guidance.

I have outstanding pull requests to update the ssl config generator for lighttpd 1.4.56

• https://github.com/mozilla/ssl-config-generator/pull/120
• https://github.com/mozilla/ssl-config-generator/pull/122

You should not need to specify DH parameters for modern TLS implementations conformant to current specifications.

So that you do not have to try to maintain the list of ciphers yourself, some restricted sets of ciphers are recommended in: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Perfect-Forward-Secrecy-PFS

# DEFAULT: As of Sep 2020, default in lighttpd 1.4.56 and widely supported by clients, except very old clients w/o TLSv1.2
#ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2",  # in openssl 1.0.2: "Protocol" => "-ALL, TLSv1.2" 
#                            "Options" => "ServerPreference,
#                            "CipherString" => "HIGH")

# RECOMMENDED: As of Sep 2020, a strong set of ciphers for PFS and widely supported by clients
#ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2",
#                            "Options" => "-ServerPreference",
#                            "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20")

# STRONGER: As of Sep 2020, a strong set of ciphers for PFS and widely supported by modern clients, without CBC ciphers reported as weak by SSLLabs
#ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2",
#                            "Options" => "-ServerPreference",
#                            "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384")

# STRONGEST: As of Sep 2020, for use w/ modern clients only; not compat w/ older clients
#ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3",
#                            "Options" => "-ServerPreference")

I could submit this as a merge request, but a proposed patch is small enough to include here. As posted elsewhere, lighttpd Cipherstring has defaulted to "HIGH" since lighttpd 1.4.54 and NULL ciphers have been disabled since at least lighttpd 1.4.30 (released 9 years ago) and likely earlier. (That is as far back as I checked.) The recent change to improve TLS defaults is that lighttpd 1.4.56 defaults to "MinProtocol" => "TLSv1.2"

lighttpd 1.4.56 and later inherit the TLS config from the global scope if the $SERVER["socket"] conditions contains only ssl.engine = "enable" and not any other ssl.* options

(Note that there is a typo in the existing net/lighttpd-https-cert/Makefile)

diff --git a/net/lighttpd-https-cert/Makefile b/net/lighttpd-https-cert/Makefile
index 01fd6b2ca..1e7b3df5b 100644
--- a/net/lighttpd-https-cert/Makefile
+++ b/net/lighttpd-https-cert/Makefile
@@ -27,7 +27,7 @@ endef
 define Package/lighttpd-https-cert/install
        $(INSTALL_DIR) $(1)/etc/lighttpd/conf.d/ $(1)/etc/uci-defaults
        $(INSTALL_CONF) ./files/ssl-enable.conf $(1)/etc/lighttpd/conf.d/ssl-enable.conf
-       $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99_lighttpd_htts_cert
+       $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99_lighttpd_https_cert
 endef
 
 define Package/lighttpd-https-cert/postrm
diff --git a/net/lighttpd-https-cert/files/ssl-enable.conf b/net/lighttpd-https-cert/files/ssl-enable.conf
index d95d86d14..31bbe6f51 100644
--- a/net/lighttpd-https-cert/files/ssl-enable.conf
+++ b/net/lighttpd-https-cert/files/ssl-enable.conf
@@ -4,12 +4,17 @@
 # This package is not meant to be edited, it is part of package lighttpd-https-cert
 # If you need different https setup, uninstall this package and create your own configuration
 
+ssl.pemfile = "/etc/lighttpd-self-signed.pem"
+ssl.openssl.ssl-conf-cmd = (
+  "MinProtocol" => "TLSv1.2",
+  "Options" => "-ServerPreference",
+  "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
+)
+
 $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
-       ssl.pemfile = "/etc/lighttpd-self-signed.pem"
 }
 
 $SERVER["socket"] == "[::]:443" {
-       ssl.engine  = "enable"
-       ssl.pemfile = "/etc/lighttpd-self-signed.pem"
+       ssl.engine = "enable"
 }

@kkoci this is a straightforward change and I propose a simple patch above. This might be considered for Turris 5.2.0 along with !422 (merged), or this might at least be tagged Turris OS 5.x or Turris OS 6.x

assigned to @vmyslivec

added Patch label

changed milestone to %Turris OS 5.2.0

added Review label

removed Backlog label

@vmyslivec please review this simple patch for Turris 5.2.0.

There is a typo in net/lighttpd-https-cert/Makefile which is corrected in the patch above.

Thanks for the patch.

We would put it in a MR in the end anyway. I will prepare it. update: !672 (merged)

please see Mozilla SSL configurator

yes, this is where I inspire, along with ssllabs

You should not need to specify DH parameters for modern TLS implementations conformant to current specifications.

Yes, if we drop non-eliptic DHE, we would not need DH parameters AFAIK. On the other hand, I wanted to include DHE originally to support more variety of clients.

EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384

I am still struggling whether it is better to list particular ciphers or to construct a "pattern". Anyway, this looks awesome. I would just reword it a bit:

ECDHE+AESGCM:ECDHE+AES256:CHACHA20:!SHA1:!SHA256:!SHA384

It produces the same cipher list according to openssl ciphers command (ECDHE and EECDH are synonyms and + is a commutative operator). It is somewhat readable in the end

mentioned in merge request !672 (merged)

Hi @gstrauss, FYI, we agreed with @kkoci in !672 (merged) this patch would go to %Turris OS 5.3.0. So it is prepared (you can take a look) and it would be merged after %Turris OS 5.2.0 release, which is currently in "freeze".

I will label this with Blocked and it will be closed later.

added Blocked label

changed milestone to %Turris OS 5.3.0

closed

removed Review label

mentioned in issue #758 (closed)

marked this issue as related to #758 (closed)