Category: apache

Reasons for TR-03116-4 for ciphers and curves from Bundesamts für Sicherheit in der Informationstechnik (BSI)

Posted on by mario

What is the reason that the BSI does not allow Chacha20 / Poly 1305?

The BSI does not allow ChaCha20/Poly1305 in its technical guidelines such as TR-03116-4 because it is primarily based on the NSA’s Suites-B specification and established European or German standards. There are several reasons the Focus is on AES-GCM and CNSA Suites.

1. The BSI relies on AES (Advanced Encryption Standard), especially in AES-GCM (Galois/Counter Mode), because this algorithm is recommended by both the NSA and European standardization bodies such as ENISA and ISO/IEC. AES is highly optimized for modern hardware (e.g. AES-NI in x86 processors), which makes it efficient and secure to implement.

2. FIPS and Common Criteria certification. The BSI prefers algorithms that are certified according to FIPS 140-2/3 or Common Criteria (CC). ChaCha20/Poly1305 is less widely used in these circles than AES, especially for government applications.

3. AES has dedicated hardware acceleration (e.g. AES-NI on Intel/AMD or ARMv8-A Cryptography Extensions), while ChaCha20 was primarily intended for software-side implementations on CPUs without AES hardware. In modern environments, AES-GCM with hardware acceleration is usually faster than ChaCha20.

4. Assessment of security properties. Although ChaCha20 is considered secure, there is less formal security analysis and certification than for AES.
Poly1305 is an efficient MAC (Message Authentication Code), but the BSI prefers GCM because it is already closely coupled with AES.

5. Interoperability and long-term strategy. Government IT infrastructures rely on long-term support. AES has a clearly defined future (e.g. through the CNSA Suite 2.0), while ChaCha20 is not treated equally in official European crypto standards. Future migrations to post-quantum cryptography (PQC) are likely to build on AES-based hybrid approaches.

But why is there an algorithm with CBC? As far as I know, CBC is vulnerable to attacks.

Yes, you are right: CBC (Cipher Block Chaining) has known weaknesses, especially padding oracle attacks, which is why many security guidelines (e.g. TLS 1.3) have abolished it. The BSI continues to list AES-CBC in TR-03116-4 for the following reasons:

Backward compatibility with existing systems. Many older or security-critical systems (e.g. in administration or industry) are based on AES-CBC because it was the standard for a long time. A complete switch to AES-GCM is difficult in some environments because not all systems support GCM (e.g. smart cards or older hardware). AES-CBC is still widely used in IPsec, S/MIME, OpenPGP and other protocols. In some scenarios, CBC can be used safely if additional protection mechanisms are in place (e.g. Encrypt-then-MAC (EtM) instead of MAC-then-Encrypt).
In TLS 1.3, CBC was removed because padding oracle attacks were particularly critical there.
In other applications, especially for offline encryption or fixed protocols, CBC can remain secure under certain conditions.
If the BSI allows AES-CBC, then only with HMAC protection (Encrypt-then-MAC) or in precisely defined areas of use. Usually there are strict guidelines for IV handling and padding checking to prevent attacks.

What is the reason for specifying the brainpoolP256r1 curve?

The BSI’s specification of the brainpoolP256r1 curve (also known as brainpoolP256r1, more precisely brainpoolP256t1 or brainpoolP256r1) has several security and strategic reasons. Here are the most important: Alternative to NIST curves (e.g. secp256r1 / P-256) The NIST curves (e.g. secp256r1, also known as P-256) are widely used, but there has been distrust of the origin of the parameters for years. It is speculated that the choice of parameters for the NIST curves was influenced by the NSA, so that backdoors could possibly exist. Brainpool curves, on the other hand, were developed independently (by the ECC Brainpool group led by German cryptographers). Brainpool curves were designed specifically for European security standards and are preferred by the BSI in German government projects. They are specified in various BSI guidelines, e.g. TR-03111 (Cryptographic specifications for eID applications).
For NIST curves, the parameters are published, but their derivation is unclear. The parameters of the Brainpool curves were generated using an open, traceable process.
Brainpool curves are specified in many European protocols, including eIDAS (electronic identities and signatures in the EU), German smart cards, TR-03110 (security of electronic identities). Brainpool curves were chosen to make certain timing and side-channel attacks more difficult, especially in hardware-based implementations. Their structure is intended to prevent implementation errors from leading to vulnerabilities.

TR-03116-4 Apache config from Bundesamts für Sicherheit in der Informationstechnik (BSI)

Posted on by mario

I wonder why the Germany’s BSI, the Federal Office for Information Security requires The brainpool P256r1 curve. Also the must-have ECDHE-ECDSA-AES128-SHA256 aka TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 required by the BSI is a weak cipher. ALso They don’t allow Chacha 2.0 aka POLY 1305 ciphers

Here it comes.

SSLEngine On
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
# The must have ECDHE-ECDSA-AES128-SHA256 aka TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 required by the BSI is a weak cipher
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384

SSLCertificateFile /etc/letsencrypt/live/tr-03116-4.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tr-03116-4.example.com/privkey.pem
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:brainpoolP256r1
SSLOpenSSLConfCmd SignatureAlgorithms "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"

In order to test compliance, tls-check.de may be used. In the test results, look at “TLS Parameters and Algorithms (TLS 1.2)” in the “Supported Signature Algorithms” sections.

Cannot load modules/mod_fcgid.so into server: undefined symbol: ap_unixd_setup_child

Posted on by mario

I got the following error message after compiling apache against the latest OpenSSL version.
Cannot load modules/mod_fcgid.so into server: undefined symbol: ap_unixd_setup_child
It looks like a compiler error that happened, but it isn’t. In fact, there are two options why there is this error message appears.
One mod_unixd isn’t loaded or loaded after mod_fcgid. Two mod_fcgid can’t create a directory for the socket or the socket itself. aka file permissions.
That error message could be much better. It is misleading. This error does not happen on Windows. It comes from the old Unix philosophy: “Everything is a file”. This lead to a ton of code in the kernels. Even more, code exists for block devices in /dev. All that symlinks and magic directories. I wonder when “Everything is a file” will have exceptions everyone agrees on.

Choosing the right cipher / alias crypto wars part twelve

Posted on by mario

Choosing the right cipher for your server.

The wanted options:

  • Only 256 bit
  • Only Mac AEAD[1]  since in TLS 1.3 that is only allowed.
  • Kx (Key exchange) and Au (Authentication) PSK (pre-shared key) is not an option for a webserver
  • DSS cipher is for key auth
  • Kx=DH without an EC ( Elliptic curves) is not secure enough
  • Kx=RSA is weak
  • AESCCM is also a Cipher Block Chaining (CBC)
  • Aria is for Secure Real-Time Transport Protocol (SRTP)
  • DHE-RSA-AES256-GCM-SHA384 and DHE-RSA-CHACHA20-POLY1305 have no EC (elliptic curves)
/opt/openssl/bin/openssl ciphers -v ALL:COMPLEMENTOFALL | grep -v "(128)" | grep "Mac=AEAD" | grep -v "Kx=PSK" | \
grep -v "Au=PSK" | grep -v "Kx=RSAPSK" | grep -v "Au=DSS" | grep -v "Kx=RSA" | grep -v "Enc=AESCCM" | \
grep -v "Enc=ARIAGCM" | grep -v "Au=None" | grep -v "Kx=DH"

The Output

TLS 1.3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS 1.2
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

At last POLY over AES for speed, and ECDSA over RSA also for speed.

SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

This was done with the current latest OpenSSL version 1.1.1l

Only for the completeness, GCM is Galois/Counter Mode[2]

 

[1] https://de.wikipedia.org/wiki/Authenticated_Encryption
[2] https://en.wikipedia.org/wiki/Galois/Counter_Mode

Obsolete key exchange mechanisms alias crypto wars part eleven

Posted on by mario

Obsolete key exchange mechanisms alias crypto wars part eleven

Especially weak key exchange mechanisms indicated by the cipher suite include those designated as EXPORT or ANON;  cipher suites using these key exchange mechanisms should not be used. Even if the cipher suite used in a TLS session is acceptable, a key exchange mechanism may use weak keys that allow exploitation. TLS key exchange methods include RSA key transport and DH or ECDH key establishment. DH and ECDH include static as well as ephemeral mechanisms. NSA recommends RSA key transport and ephemeral DH (DHE) or ECDH (ECDHE) mechanisms, with RSA or DHE key exchange using at least 3072-bit keys and ECDHE key exchanges using the secp384r1 elliptic curve. For RSA key transport and DH/DHE key exchange,  keys less than 2048 bits should not be used,  and ECDH/ECDHE using custom curves should not be used. The use of custom public key parameters in key exchange messages is deprecated per RFC 8422 Section 5.1.1

The recommended configuration is the following

Header always set Strict-Transport-Security "max-age=15553000; preload"
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1

H2Direct On

SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256

Apache security headers

Posted on by mario

A good starting point for apache security headers

<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=86400, enforce"
    Header always set Feature-Policy "\
        geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; \
        magnetometer 'none'; accelerometer 'none'; vr 'none'; \
        speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; \
        microphone 'none'"
    Header always set Content-Security-Policy "\
        default-src 'self' 'unsafe-inline' data:;\
        font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; \
        style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
        script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header always set Access-Control-Allow-Origin "*"
    Header always set X-Content-Type-Options nosniff
</IfModule>

Convert pfx certificate for apache

Posted on by mario

This is more or less a hint for me how to do it. Maybe it helps you, too.

openssl pkcs12 -in example.com.pfx -clcerts -nokeys -out example.com.crt
openssl pkcs12 -in example.com.pfx -nocerts -out example.com-encrypted.key
openssl rsa -in cert-encrypted.key -out example.com.key
openssl pkcs12 -in example.com.pfx -cacerts -nokeys -out ca-cert.ca

Then in the apache config

SSLCertificateFile certs/example.com.crt
SSLCACertificateFile certs/ca-cert.ca
SSLCertificateKeyFile certs/example.com.key

Fight CBC ciphers with 256 bit alias crypto wars part ten

Posted on by mario

Since a few weeks the ssllabs server tests marks three more ciphers as CBC ciphers. Block ciphers are not secure. And flagged orange in the test results.

The candidates are

ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA

Removing them form the configuration also means removing the support for several older browsers.

The new recommended cipher suite is:

SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

 

Thanks to Gregg for showing the other POLY 1305 ciphers that I didn’t know of until today. I saw you post at AL.
Update: I had to remove ECDHE-RSA-CHACHA20-POLY1305 and DHE-RSA-CHACHA20-POLY1305 since they are not HIPAA nor NIST compatible.

The TLS_AES_128_GCM_SHA256 ciphers is mandatory for TLS 1.3, but I kindly ignore that since I want only 256 bit encryption. This is not madness, this is crypto wars.

The whole configuration

<If "%{SERVER_PORT} == '443'">
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15553000; preload"
        </IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

H2Direct On

Wild card domain to localhost because development matters

Posted on by mario

I have an A record for *.local at my test domain to 127.0.0.1

For web development it is often required to have a domain name rather than a subfolder in localhost. A vhost for a (sub)domain is easy to set up on my local apache instllation. I can have even a free, valid SSL certificate for that vhost. Wait, what? How can I have a valid certificate for free for a local domain? I use Let’s encrypt with DNS chalange. Sure every time I have to update the certifacte I have to change a DNS txt record, but that is easy.

Another reason why I have a wild card record to 127.0.0.1 is that I can add as many vhosts for testing to apache and don’t have to add or change the DNS settings. Also I can use it on every computer as long as it can query the DNS server on the internet. I can even give my co worker my vhost config and it works without changes.

So *.local.apachehaus.de is free for development. But you can’t have a SSL certificate. If you want that, you can do the same trick with your domain.  Happy development.

Apache log as JSON

Posted on by mario

It is often required to parse the apache log, but the normal log format requires special handling like: https://github.com/JBlond/apache_log_parser
It is easier to have a direct output like JSON format.

LogFormat "{ \"time\":\"%t\", \"remoteIP\":\"%a\", \"host\":\"%V\", \"request\":\"%U\", \"query\":\"%q\", \"method\":\"%m\", \"status\":\"%>s\", \"userAgent\":\"%{User-agent}i\", \"referer\":\"%{Referer}i\" }" json

Now we have an easy to read log file.

Archive for category apache

Archives by Month: