Hi all,
I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: https://www.ssllabs.com/ssltest/index.html
After the last Logjam vulnerability I’ve bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different subdomains)
and I’ve put my .key file and .crt file in /etc/opscode/. In the
/etc/opscode/chef-server.rb I’ve added:
nginx[‘ssl_certificate’] = “/etc/opscode/camydomain.com.crt” => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx[‘ssl_certificate_key’] = "/etc/opscode/mydomain.com.key"
nginx[‘ssl_ciphers’] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx[‘ssl_protocols’] = "TLSv1 TLSv1.1 TLSv1.2"
nginx[‘ssl_prefer_server_ciphers’] = "on"
nginx[‘ssl_dhparam’] = “/etc/ssl/private/dhparams.pem”
And I’ve created /etc/ssl/private/dhparams.pem with the command “openssl
dhparam -out dhparams.pem 2048”, following these instruccions:
https://weakdh.org/sysadmin.html
Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.
But if I check my site again I obtain a B rate with the following message:
“This server supports weak Diffie-Hellman (DH) key exchange parameters.
Grade capped to B”
Someone knows what I am missing?
/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015
Thanks in advance
1 Like
I suspect you need to remove the DSS ciphers too (and probably explicitly
exclude them with !DSS).
See e.g.
Regards,
Christine
On Mon, Jun 8, 2015 at 7:21 PM, bln workplace bln.workplace@gmail.com
wrote:
Hi all,
I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: SSL Server Test (Powered by Qualys SSL Labs)
After the last Logjam vulnerability I've bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different subdomains)
and I've put my .key file and .crt file in /etc/opscode/. In the
/etc/opscode/chef-server.rb I've added:
nginx['ssl_certificate'] = "/etc/opscode/camydomain.com.crt" => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx['ssl_certificate_key'] = "/etc/opscode/mydomain.com.key"
nginx['ssl_ciphers'] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem"
And I've created /etc/ssl/private/dhparams.pem with the command "openssl
dhparam -out dhparams.pem 2048", following these instruccions:
Logjam: PFS Deployment Guide
Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.
But if I check my site again I obtain a B rate with the following message:
"This server supports weak Diffie-Hellman (DH) key exchange parameters.
Grade capped to B"
Someone knows what I am missing?
/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015
Thanks in advance
You can also find example configurations that should pass the SSL Labs test
here:
https://cipherli.st
On Tue, Jun 9, 2015 at 5:57 AM Christine Draper <
christine_draper@thirdwaveinsights.com> wrote:
I suspect you need to remove the DSS ciphers too (and probably explicitly
exclude them with !DSS).
See e.g.
tls - Recommended ssl_ciphers for security, compatibility - Perfect Forward secrecy - Information Security Stack Exchange
Regards,
Christine
On Mon, Jun 8, 2015 at 7:21 PM, bln workplace bln.workplace@gmail.com
wrote:
Hi all,
I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: SSL Server Test (Powered by Qualys SSL Labs)
After the last Logjam vulnerability I've bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different subdomains)
and I've put my .key file and .crt file in /etc/opscode/. In the
/etc/opscode/chef-server.rb I've added:
nginx['ssl_certificate'] = "/etc/opscode/camydomain.com.crt" => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx['ssl_certificate_key'] = "/etc/opscode/mydomain.com.key"
nginx['ssl_ciphers'] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem"
And I've created /etc/ssl/private/dhparams.pem with the command "openssl
dhparam -out dhparams.pem 2048", following these instruccions:
Logjam: PFS Deployment Guide
Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.
But if I check my site again I obtain a B rate with the following
message: "This server supports weak Diffie-Hellman (DH) key exchange
parameters. Grade capped to B"
Someone knows what I am missing?
/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015
Thanks in advance
Thanks for your answers.
As far I can see the problem is the server ciphers to 1024 bits by default.
When I put nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem" in the
/etc/opscode/chef-server.rb file this parameter doesn't apply when I run
chef-server-ctl reconfigure, it's ignored.
If I try to put this DH parameter in
/var/opt/opscode/nginx/etc/chef_http_lb.conf file my server uses my new
dhparams.pem to 2048 bits so I pass the vulnerability test but when I run
chef-server-ctl reconfigure this parameter is gone.
So my provisional solution is to create a new file in
/var/opt/opscode/nginx/etc/nginx.d/dhparams.conf for adding non default
configuration to nginx and in this file I have put the path to my new
Diffie-Hellman group:
ssl_dhparam /etc/ssl/private/dhparams.pem;
I think this is a nasty solution by I don't know another better at the
moment. Maybe this ssl_dhparam could be recognized by default or maybe I
need to put this parameter in another side that I don't know or maybe is a
bug...
2015-06-09 16:47 GMT+02:00 Brandon Raabe brandocorp@gmail.com:
You can also find example configurations that should pass the SSL Labs
test here:
https://cipherli.st
On Tue, Jun 9, 2015 at 5:57 AM Christine Draper <
christine_draper@thirdwaveinsights.com> wrote:
I suspect you need to remove the DSS ciphers too (and probably explicitly
exclude them with !DSS).
See e.g.
tls - Recommended ssl_ciphers for security, compatibility - Perfect Forward secrecy - Information Security Stack Exchange
Regards,
Christine
On Mon, Jun 8, 2015 at 7:21 PM, bln workplace bln.workplace@gmail.com
wrote:
Hi all,
I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: SSL Server Test (Powered by Qualys SSL Labs)
After the last Logjam vulnerability I've bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different
subdomains) and I've put my .key file and .crt file in /etc/opscode/. In
the /etc/opscode/chef-server.rb I've added:
nginx['ssl_certificate'] = "/etc/opscode/camydomain.com.crt" => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx['ssl_certificate_key'] = "/etc/opscode/mydomain.com.key"
nginx['ssl_ciphers'] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem"
And I've created /etc/ssl/private/dhparams.pem with the command "openssl
dhparam -out dhparams.pem 2048", following these instruccions:
Logjam: PFS Deployment Guide
Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.
But if I check my site again I obtain a B rate with the following
message: "This server supports weak Diffie-Hellman (DH) key exchange
parameters. Grade capped to B"
Someone knows what I am missing?
/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015
Thanks in advance
On Wednesday, June 10, 2015 at 7:52 AM, bln workplace wrote:
Thanks for your answers.
As far I can see the problem is the server ciphers to 1024 bits by default. When I put nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem" in the /etc/opscode/chef-server.rb file this parameter doesn't apply when I run chef-server-ctl reconfigure, it's ignored.
If I try to put this DH parameter in /var/opt/opscode/nginx/etc/chef_http_lb.conf file my server uses my new dhparams.pem to 2048 bits so I pass the vulnerability test but when I run chef-server-ctl reconfigure this parameter is gone.
So my provisional solution is to create a new file in /var/opt/opscode/nginx/etc/nginx.d/dhparams.conf for adding non default configuration to nginx and in this file I have put the path to my new Diffie-Hellman group:
ssl_dhparam /etc/ssl/private/dhparams.pem;
I think this is a nasty solution by I don't know another better at the moment. Maybe this ssl_dhparam could be recognized by default or maybe I need to put this parameter in another side that I don't know or maybe is a bug...
I don’t remember any of this stuff well enough to answer your questions directly, but the cookbook that configures chef-server is here: https://github.com/chef/chef-server/tree/master/omnibus/files/private-chef-cookbooks/private-chef
If it doesn’t do what you need now, then you could submit a patch.
--
Daniel DeLeo