7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled

Information

In cryptography, forward secrecy (FS), which is also known as perfect forward secrecy (PFS), is a feature of specific key exchange protocols that give assurance that your session keys will not be compromised even if the private key of the server is compromised. Protocols such as RSA do not provide the forward secrecy, while the protocols ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) and the DHE (Diffie-Hellman Ephemeral) will provide forward secrecy. The ECDHE is the stronger protocol and should be preferred, while the DHE may be allowed for greater compatibility with older clients. The TLS ciphers should be configured to require either the ECDHE or the DHE ephemeral key exchange, while not allowing other cipher suites.

Rationale:

During the TLS handshake, after the initial client & server Hello, there is a pre-master secret generated, which is used to generate the master secret, and in turn generates the session key. When using protocols that do not provide forward secrecy, such as RSA, the pre-master secret is encrypted by the client with the server's public key and sent over the network. However, with protocols such as ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) the pre-master secret is not sent over the wire, even in encrypted format. The key exchange arrives at the shared secret in the clear using ephemeral keys that are not stored or used again. With FS, each session has a unique key exchange, so that future sessions are protected.

Solution

Perform one of the following to implement the recommended state:

Add or modify the following line in the Apache server level configuration and every virtual host that is SSL/TLS enabled:

SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

The more recent versions of openssl (such as 1.0.2 and newer) will support the usage of ECDHE as a synonym for EECDH and DHE as a synonym for EDH in the cipher specification. The usage of ECDHE and DHE are preferred so that the specification matches the expected output. So, the cipher specification could be:

SSLCipherSuite ECDHE:DHE:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

Default Value:

The default value for SSLCipherSuite depends on OpenSSL library version used.

See Also

https://workbench.cisecurity.org/files/3021