Virtuoso Open-Source Edition

  VOS.VirtTipsAndTricksManageSSLProtocols -- DAVWikiAdmin (WebDAV System Administrator), 2019-04-15 14:59:53

    Managing SSL Protocols and Ciphers used with Virtuoso

    What

    As of Virtuoso 7.2, SSL protocol and cipher support is now configurable for connections from all HTTP, ODBC, JDBC, ADO.NET, and OLE-DB clients.

    Why

    Default binding to OpenSSL can expose Virtuoso instances to version- and cipher-specific SSL vulnerabilities (e.g., the recent POODLE attack). Being able to scope Virtuoso's use of SSL to one or more specific versions gives instance administrators better protection against a moving target.

    How

    Basic SSL Protocol Configuration

    Basic configuration is through the SSL_Protocols values in the [Parameters] and [HTTP] sections of the Virtuoso INI file. These are comma+space-separated (", ") value lists. Including a protocol name explicitly enables it; preceding the protocol name with an exclamation point ("!") explicitly disables it.

    Supported SSL Protocols and INI keyword values

    SSL/TLS Version   Value for INI file   Notes
    SSL 2.0           -                    Permanently disabled.
    SSL 3.0           SSLv3                Disabled by default. To our knowledge, only required by IE6/Windows XP clients.
    TLS 1.0           TLSv1                Enabled by default.
    TLS 1.1           TLSv1.1              Enabled by default, supported if available in the local OpenSSL library.
    TLS 1.2           TLSv1.2              Enabled by default, supported if available in the local OpenSSL library.

    Advanced SSL Cipher List Configuration

    The SSL_Cipher_List values in the [Parameters] and [HTTP] stanzas of the Virtuoso INI file may also be adjusted, to disable particular ciphers when there are security reports about some new attack that breaks them. These are colon-separated (":") value lists.

    Including a cipher name or cipher-group name explicitly enables it; preceding the name with an exclamation point ("!") explicitly disables it. You can review the ciphers supported by your local OpenSSL library with the command

    openssl ciphers -v ALL
    

    For instance, we recommend explicitly forbidding anonymous cipher suites (i.e., ones that don't use certificates, and are therefore susceptible to man-in-the-middle attacks) using !aNULL.

    We also recommend including @STRENGTH at the end of the list, so that OpenSSL will prioritize the enabled ciphers by key length, regardless of the list order.

    Recommended Settings

    The sample settings below provide a reasonable tradeoff of security versus flexibility. As shown, we have enabled SSLv3 on the HTTPS ports for IE6 users, but left this disabled on the SQL data port.

    [Parameters]
    SSL_Protocols	= TLSv1, TLSv1.1, TLSv1.2
    SSL_Cipher_List = HIGH:!aNULL:!eNULL:!RC4:!DES:!MD5:!PSK:!SRP:!KRB5:!SSLv2:!EXP:!MEDIUM:!LOW:!DES-CBC-SHA:@STRENGTH
    
    [HTTP]
    SSL_Protocols	= SSLv3, TLSv1, TLSv1.1, TLSv1.2
    SSL_Cipher_List = HIGH:!aNULL:!eNULL:!RC4:!DES:!MD5:!PSK:!SRP:!KRB5:!SSLv2:!EXP:!MEDIUM:!LOW:!DES-CBC-SHA:@STRENGTH
    

    Related