SSL/TLS best practices for websites

Keeping Secrets

10.3 HSTS

HTTP Strict Transport Security (HSTS), described in RFC 6797 [1], implements strict rules for encrypting websites. The server discloses the policies in the HTTP response header to compatible browsers (Figure 2).

Figure 2: Twitter announces via HTTP header that it uses HTTP Strict Transport Security (HSTS).

If HSTS is enabled, a compliant web browser exclusively uses TLS to communicate with a website. This approach stops a few security holes that are otherwise hard to close, such as visits via plain text bookmarks or links, insecure cookies, SSL stripping, and mixed content in the same domain. Strict Transport Security also ensures secure handling of invalid certificates. Without HSTS, web browsers let the user decide what to do in case of invalid certificates. But, most users cannot distinguish between attacks and misconfigurations, which makes them potential victims of network attacks. With HSTS, however, invalid certificates remain invalid and cannot be worked around. It is best to enable Strict Transport Security for a complete domain name, including its subdomains.

Configuration Recommendations

The following sample configurations require support for elliptic curve cryptography (EC), which is required for a modern SSL deployment. Unfortunately, EC is not available everywhere. In the case of the Apache web server, EC was introduced in version 2.2.6; many older installations do not include the feature. However, the version number alone is not conclusive. Some distributions, such as Debian, have backported EC for their Apache packages.

A quick look at the release notes is therefore essential. Until recently, Fedora and Red Hat still disabled EC; an update to a recent release should remedy add EC support. In case of emergency, you can build Apache 2.4.x from sources with statically linked Open SSL – see the discussion at the my website [2].

Listing 2 shows the Apache instructions for the global SSL configuration. The configuration information resides in different files on different distributions. In the original source code for Apache 2.4.x, the file is $SERVER_ROOT/conf/extra/httpd-ssl.conf, Debian and Ubuntu use /etc/apache2/mods-available/ssl.conf, and Red Hat uses /etc/httpd/conf.d/ssl.conf. The Mod_SSL Guide [3] includes the SSL configuration directives for Apache. Listing 3 shows the configuration for the nginx web server.

Listing 2

Apache Configuration

01 SSLProtocol all -SSLv2 -SSLv3
02 SSLHonorCipherOrder On
03 SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 \
04  ECDHE-ECDSA-AES256-GCM-SHA384 \
05  ECDHE-RSA-AES128-GCM-SHA256 \
06  ECDHE-RSA-AES256-GCM-SHA384 \
07  DHE-RSA-AES128-GCM-SHA256 \
08  DHE-RSA-AES256-GCM-SHA384 \
09  ECDHE-ECDSA-AES128-SHA \
10  ECDHE-ECDSA-AES256-SHA \
11  ECDHE-ECDSA-DES-CBC3-SHA \
12  ECDHE-RSA-AES128-SHA \
13  ECDHE-RSA-AES256-SHA \
14  ECDHE-RSA-DES-CBC3-SHA \
15  DHE-RSA-AES128-SHA \
16  DHE-RSA-AES256-SHA \
17  EDH-RSA-DES-CBC3-SHA \
18  AES128-GCM-SHA256 \
19  AES256-GCM-SHA384 \
20  AES128-SHA \
21  AES256-SHA \
22  DES-CBC3-SHA"
23
24 # Only with Apache 2.2.24+ and Apache 2.4.3+
25 SSLCompression Off
26
27 SSLSessionCache shmcb:/path/to/ssl_scache(1024000)
28 SSLSessionCacheTimeout 3600
29
30 # Only with Apache 2.4.x
31 SSLUseStapling On
32 SSLStaplingCache shmcb:/path/to/stapling_cache(128000)
33 # HSTS policies are persistent; learn more
34 # about HSTS before enabling the following
35 # rule for best security.
36 #Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Listing 3

Nginx Configuration

01 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
02 ssl_prefer_server_ciphers on;
03 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 \
  ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA \
  ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA \
  DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA EDH-RSA-DES-CBC3-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA \
  AES256-SHA DES-CBC3-SHA";
04 ssl_session_cache shared:ssl_session_cache:1M;
05 ssl_session_timeout 60m;
06 # Only with Nginx 1.4.x and newer
07 ssl_stapling on;
08
09 # HSTS policies are persistent; learn more about HSTS
10 # before enabling the following rule for best security.
10 #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

The instructions are contained in the http section of the file, which typically resides in /etc/nginx/nginx.conf. By the way, all the information must be in a single line for the ssl_ciphers statement. See the Nginx project website for documentation on configuring SSL [4].

Infos

HTTP Strict Transport Security (RFC 6797): http://tools.ietf.org/html/rfc6797
Ivan Ristic, "Compiling Apache with static OpenSSL libraries": http://blog.ivanristic.com/2013/08/compiling-apache-with-static-openssl.html
Mod_SSL Manual: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
SSL for Nginx: http://nginx.org/en/docs/http/ngx_http_ssl_module.html

The Author

Ivan Ristic http://blog.ivanristic.com is the author of the recently published Bulletproof SSL and TLS by Feisty Duck Publishing. The author maintains the website https://www.ssllabs.com, where he publishes tools on SSL/TLS and PKI.

« Previous 1 2 3 4 5