GnuTLS Priorities 2015

Unfortunately, TLS has been plagued by several vulnerabilities in recent years, making every HTTPS connection potentially unsafe.

In this article I’ll show you how to get a Grade A+ on SSLLabs (https://www.ssllabs.com/) through the appropriate use of GnuTLS Priorities.

That is why it is important to review the cryptographic algorithms in use today. A couple of years ago, we thought that RC4 was a strong encryption algorithm that had the ability to mitigate attacks such as BEAST.

I always had doubts about RC4, but criticizing something that mitigated BEAST was swimming against the tide.

Obtaining Grade A+

Today, to get an A+ on SSLLabs (the main reference on SSL/TLS configuration), we have to meet several requirements:

  • TLSv1.2 (previous versions are considered weak)
  • Mitigate several attacks (BEAST, CRIME, etc.)
  • Perfect Forward Secrecy (ephemeral Diffie-Hellman)
  • Use >128-bit symmetric encryption algorithms
  • Use >2048-bit keys for RSA-based asymmetric encryption algorithms (or equivalent strength for elliptic curve).
  • Use SHA signature algorithms >= 256-bit (256, 384, 512); avoid SHA-1
  • Avoid weak signature algorithms, e.g. MD5
  • Use HSTS (in the HTTP headers) to obtain the A+

How to configure GnuTLS

Setting up GnuTLS to meet these requirements is very simple. Use the following GnuTLSPriorities line:

GnuTLSPriorities SECURE128:+SECURE192:+SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:-ARCFOUR-128:-SHA1:-RSA:%SERVER_PRECEDENCE

  • SECURE128 and SECURE192: In my opinion these options should not be here, but they guarantee compatibility with Firefox's NSS library. If we remove them, we will only be compatible with Chrome and Opera.
  • SECURE256: The best set of symmetric encryption algorithms, based on 256-bit symmetric algorithms.
  • -VERS-TLS-ALL:+VERS-TLS1.2: Disables all TLS protocol versions except TLS 1.2.
  • -ARCFOUR-128: Disables RC4
  • -SHA1: Disables SHA1, which is a weak hashing algorithm.
  • -RSA: Disables RSA for the key exchange. We will only use perfect forward secrecy.

With this configuration we can achieve Grade A on SSL Labs.

How to configure WordPress or any PHP application to set HSTS (Grade A+):
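As an added example (not part of the original article and not GnuTLS's own parser), the following Python sketch checks a GnuTLSPriorities line against the options explained above. It assumes tokens take effect left to right and only tracks what the string states explicitly; `parse`, `audit` and `WEAK_LINE` are hypothetical names, and `WEAK_LINE` is a constructed sample.

```python
# Simplified left-to-right model of a GnuTLS priority string (an assumption,
# not GnuTLS's parser): it records only explicit "+", "-"/"!" and "%" tokens.
PAGE_LINE = ("GnuTLSPriorities SECURE128:+SECURE192:+SECURE256:-VERS-TLS-ALL:"
             "+VERS-TLS1.2:-ARCFOUR-128:-SHA1:-RSA:%SERVER_PRECEDENCE")
# Constructed sample: re-adds TLS 1.0 and RSA, keeps SHA1, no server precedence.
WEAK_LINE = ("GnuTLSPriorities NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.0:"
             "-ARCFOUR-128:-RSA:+RSA")

def parse(line):
    """Return (enabled, disabled, options) stated by a GnuTLSPriorities line."""
    line = line.strip()
    prio = line.split(None, 1)[1] if line.startswith("GnuTLSPriorities ") else line
    enabled, disabled, options = set(), set(), set()
    for tok in filter(None, prio.split(":")):
        if tok.startswith("%"):
            options.add(tok[1:])
        elif tok[0] in "-!":
            name = tok[1:]
            if name == "VERS-TLS-ALL":  # wipes every version enabled so far
                enabled = {e for e in enabled if not e.startswith("VERS-")}
            enabled.discard(name)
            disabled.add(name)
        elif tok[0] == "+":
            enabled.add(tok[1:])
            disabled.discard(tok[1:])   # a later "+X" undoes an earlier "-X"
        # bare keywords (SECURE128, NORMAL, ...) are not expanded in this model
    return enabled, disabled, options

def audit(line):
    """List the article's requirements that the line does not state explicitly."""
    enabled, disabled, options = parse(line)
    findings = []
    versions = {e for e in enabled if e.startswith("VERS-")}
    if "VERS-TLS-ALL" not in disabled or versions != {"VERS-TLS1.2"}:
        findings.append("protocols are not restricted to TLS 1.2")
    for name, label in (("ARCFOUR-128", "RC4"), ("SHA1", "SHA1"),
                        ("RSA", "RSA key exchange (no forward secrecy)")):
        if name not in disabled:
            findings.append(label + " is not explicitly disabled")
    if "SERVER_PRECEDENCE" not in options:
        findings.append("server cipher order is not enforced")
    return findings

if __name__ == "__main__":
    for sample in (PAGE_LINE, WEAK_LINE):
        print(sample, "->", audit(sample) or "meets the checklist")
```

For the authoritative result, `gnutls-cli -l --priority "<string>"` prints the cipher suites that GnuTLS itself derives from a priority string.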

DISCLAIMER: Use at your own risk, you should be careful, wrong settings or configurations may cause denial of service for a long time (months or years).

To configure WordPress with HSTS, you may use this plugin, which I recommend:

https://wordpress.org/plugins/security-headers/

To set up any PHP site with HSTS, put the following code on the first PHP line, especially in index.php:

header("Strict-Transport-Security: max-age=31536000;");

** It is important not to output any HTML before the PHP code sends the header, because otherwise it will fail.

This will tell the browser: keep the site in HTTPS strictly for a full year. Then, the browser will reject plain HTTP browsing.

 


Thanks to Howard Fried (@cyberhoward) for remembering to check my TLS configuration.
