OpenSRF

Example nginx site file should be made more secure

  1. Series 3.0
  2. Bug #1711145
Bug #1711145 reported by Chris Sharp
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenSRF
Fix Released
Medium
Unassigned
OpenSRF 3.1-beta
2.5
Fix Committed
Medium
Unassigned
OpenSRF 2.5.3
3.0
Fix Released
Medium
Unassigned
OpenSRF 3.0.2

Bug Description

OpenSRF 2.5.0 includes an example nginx site configuration file that allows for proxying as described in the README. As we have learned in our testing, the default SSL setup leaves us open to the "Logjam" attack because of weak Diffie-Hellman key exchange parameters (see https://weakdh.org/). We need to address this, either as a matter of further documentation or with some better defaults in the configuration.

My initial suggestion is to add the suggested configuration from the NGINX section of https://weakdh.org/sysadmin.html to examples/nginx/osrf-ws-http-proxy then provide instructions as to generating the dhparams.pem file (which for consistency would probably live in /etc/apache2/ssl on Debian/Ubuntu systems). That's what we've done on our 2.12 test server with success.

(I'll mention that this issue was discovered using the SSL checking site at https://www.ssllabs.com/ssltest/analyze.html).

Tags: pullrequest
Revision history for this message
Dan Scott (denials) wrote :

Right, here's what we're currently using on Ubuntu 16.04 - a combination of what SSLabs suggested and Mozilla's config generator suggested. The comments might be useful for, for example, generating the dhparams (useful for external docs as well as inside our example config file):

listen 443 ssl http2; # managed by Certbot
#ssl_certificate /etc/letsencrypt/live/boreal-test.concat.ca/fullchain.pem; # managed by Certbot
#ssl_certificate_key /etc/letsencrypt/live/boreal-test.concat.ca/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_certificate /etc/apache2/ssl/server.crt;
ssl_certificate_key /etc/apache2/ssl/server.key;

if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot

# generate with openssl dhparam -out dhparams.pem 2048
ssl_dhparam /etc/apache2/dhparams.pem;

# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

Galen Charlton (gmc)
Changed in opensrf:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Bill Erickson (berick) wrote :

Branch pushed to user/berick/lp1711145-nginx-config-updates @ security.

From the commit:

* Adds security recommendations from
https://mozilla.github.io/server-side-tls/ssl-config-generator/ consistent with Dan's suggestions above.
* Enables http2
* Adds a commented section on enabling SSL everywhere.
* Apply a 5-minute proxy read timeout to avoid too-short timeouts on long API calls.
* Adds a commented section on sending nginx logs to syslog.
* Includes INSTALL notes on generating the dhparam file.

Note a few minor additions will be needed for bug #1777180 (websocketd). I'll push a separate commit for that when the time comes, possibly in the other bug.

tags: added: pullrequest
Revision history for this message
Bill Erickson (berick) wrote :

Rebased working branch to master and pushed another commit with commented-out websocketd configs.

Still at: user/berick/lp1711145-nginx-config-updates @ security

Bill Erickson (berick)
Changed in opensrf:
milestone: none → 3.1-beta
Revision history for this message
Galen Charlton (gmc) wrote :

Changing to a public security bug after discussion with Bill.

information type: Private Security → Public Security
Revision history for this message
Galen Charlton (gmc) wrote :

Tested pushed to master and (sans websocketd patch) rel_3_0 and rel_2_5. Thanks, Bill!

Changed in opensrf:
status: Confirmed → Fix Committed
Galen Charlton (gmc)
Changed in opensrf:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.