#4415 Perfect Forward Secrecy does not work

1.660
closed-fixed
nobody
None
5
2016-10-10
2014-05-21
Sage
No

Enabling the "Only strong ciphers with perfect forward secrecy" option in the Webmin Configuration -> SSL Encryption module appears to have no effect. Also, manually specifying "Listed Ciphers" appears to have no effect. Regardless of the settings, I have been unable to force PFS. I am connecting with both Firefox 29.0.1 and Safari 7.0.3. Firefox reports the following cipher: TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys

Discussion

  •  waffles1006

    waffles1006 - 2015-09-03

    Yeah, I saw that it had non-PFS RSA keys and was going to remove it along with AES256-SHA, but when I do that it breaks. What ciphers would you recommend then? Currently I use the following on most webservers, but this won't work for Webmin for the reasons you specified. Is AES256-SHA the best we can get?

    EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!Low:!DES:!RC4:!3DES:!MD5:!PSK:!SRP:!DSS

     
    Last edit: waffles1006 2015-09-03
  • Aaron Roydhouse

    Aaron Roydhouse - 2015-09-03

    I used to try for 'future proof' lists that started with 'HIGH' and then excluded undesirable options, but I have come around to the view that it is better to explicitly list some good and supported options. And if a new thing comes out, add it manually. With that in mind, a good list for Webmin/Usermin is simply 'AES+RSA' (openssl will order by strength by default).

    $ openssl ciphers -v 'AES+RSA'
    AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
    AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
    AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
    AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

    Later, if PFS support is added to Webmin, add those key exchange options, keeping the 'AES+RSA' on the end, only if you want older Windows+IE browsers to work: 'ECDH+aRSA+AES:DH+aRSA+AES:AES+RSA'

    $ openssl ciphers -v 'ECDH+aRSA+AES:DH+aRSA+AES:AES+RSA'
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
    ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
    DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
    DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
    AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
    AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
    AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
    AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA

     
    Last edit: Aaron Roydhouse 2015-09-03
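
Added example, not part of the thread or of Webmin's code: a small filter that labels each line of `openssl ciphers -v` output, like the listings quoted above, by whether its key exchange gives forward secrecy. The function names are hypothetical, and it assumes the Kx= values follow the format shown in the thread.

```shell
#!/bin/sh
# Added example: classify `openssl ciphers -v` lines by key exchange.
# Assumption: ephemeral suites show Kx=ECDH or Kx=DH and static RSA shows
# Kx=RSA, as in the output quoted in the thread. Newer OpenSSL prints
# Kx=any for TLS 1.3 suites, which are always ephemeral. Any other value
# (for example static Kx=ECDH/RSA) is conservatively reported as NO-PFS.

classify_kx() {
    awk '
    NF >= 3 {
        kx = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx == "") next
        if (kx == "ECDH" || kx == "DH" || kx == "any") verdict = "PFS"
        else verdict = "NO-PFS"
        printf "%-7s %-30s Kx=%s\n", verdict, $1, kx
    }'
}

# Print how many suites read from stdin lack forward secrecy.
count_non_pfs() {
    classify_kx | grep -c '^NO-PFS' || true
}

# Expand a cipher string with the local openssl and classify the result.
classify_string() {
    openssl ciphers -v "$1" | classify_kx
}

# Constructed sample: four lines copied from the listings in the thread.
sample_output() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EOF
}

sample_output | classify_kx
```

To check a candidate list before putting it into the "Listed Ciphers" field, call `classify_string` with that cipher string. A list that offers any NO-PFS suite can still negotiate it with a client, or on a server, that cannot do the ephemeral exchange.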
  • Charlese2

    Charlese2 - 2015-12-05

    With a little bit of tinkering I was able to add Diffie-Hellman parameters and Elliptic curve cryptography.

     
    • arpeggio4

      arpeggio4 - 2016-02-19

      Charlese2, would you mind sharing details on how you added Diffie-Hellman parameters and Elliptic curve cryptography?

       
      Last edit: arpeggio4 2016-02-19
      • Charlese2

        Charlese2 - 2016-02-19

        In miniserv.pl I added a bit of code and changed one line, but in my tinkering I had it hardcoded.
        http://i.imgur.com/BmJ6Fjx.png

         
  • Jamie Cameron

    Jamie Cameron - 2016-10-10
    • status: open --> closed-fixed
     
  • Jamie Cameron

    Jamie Cameron - 2016-10-10

    Good news - the next Webmin release will support PFS properly.

     