In the past year much noise has been made about TLS (Transport Layer Security) due to the Heartbleed vulnerability and the subsequent (ongoing) audit of the OpenSSL project. While most hosts are now patched for Heartbleed (you have checked all of your devices, right?), the proper configuration of TLS/SSL and the associated cipher suites on web servers is an ongoing issue that most people haven't thought about. As it turns out, a proper TLS implementation with Perfect Forward Secrecy enabled could have negated some of the effects of Heartbleed to begin with. There are many other reasons for configuring TLS properly, so let's dive in.
Hold on. What happened to SSL?
TLS is the successor to SSL though the term SSL still hangs around, especially as it pertains to digital certificates. So, when we're talking about TLS, you can assume it pertains to everything we've previously called SSL. TLS is actually on its third iteration now (version 1.2), so SSL should absolutely be considered a legacy protocol at this point.
The TLS Configuration
How you configure TLS will depend on the web server you're using. For example, an Apache web server's TLS configuration can usually be found in the httpd.conf or ssl.conf file. For an IIS web server, registry keys typically have to be modified in order to configure TLS. How to configure your brand of web server is beyond the scope of this document, but we will get into some specifics below. We'll also provide some links for Apache and IIS at the end. Regardless of the type of server you are using, there are three things you need to know:
1. SSL is Dead
Unless you have a very good reason for enabling it, you should disable all versions of SSL. SSLv3 may rarely be needed to ensure backwards compatibility with older browsers, but any modern browser will no longer need it. SSLv2 should never be enabled as the protocol is broken and insecure. Edit: As of the evening on the date this entry was originally published, SSLv3 is now also considered broken. Google published a vulnerability in the protocol, which precludes it from further use. TLS should be considered your only option at this point.
2. Higher versions of TLS are More Secure
TLS 1.0 is less secure than TLS 1.1, and TLS 1.1 is less secure than 1.2. The more modern the browsers that will be connecting to your site, the more strictly you should limit support to the higher versions of TLS. If you have analytics that tell you 99% of users are using the most recent versions of the four major browsers, you should consider a strict TLS 1.2 implementation. For more information about which versions of TLS are supported by which browsers, please see this table: http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
3. Cipher Suite Order Matters
This is where most TLS implementations go wrong. Even if you've done everything else correctly, if you don't set the cipher suite order correctly your implementation will be broken. For those who may not know, cipher suites decide exactly which types of security will be used for the TLS connection. The order of the accepted cipher suites in your TLS configuration tells browsers what the server's preference is for the cipher suite to be used. If a weaker cipher suite is listed first, that's the one that will be used. The IT Security Office recommends following the Mozilla Foundation's guide to cipher suites. (Link: https://wiki.mozilla.org/Security/Server_Side_TLS) Their guide details both a preferred cipher suite list for backwards compatibility, as well as a more progressive suite where backwards compatibility is less of a concern.
One more thing: Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) is an extra layer of security for TLS that protects past TLS communications that may have been intercepted in the event that the server's private key is compromised. For a full explanation, see the Mozilla Foundation's guide to Forward Secrecy. (Link: https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) Cipher suites supporting PFS should always be at the top of a configured cipher suite list. Some older versions of OpenSSL may not support PFS, but better support for PFS and later versions of TLS would be strong reasons to consider upgrading.
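The following Python code is an added example, not part of the original post or of any web server's tooling. It illustrates the two ordering rules above: the first suite in the server's list that the browser also supports is the one used, and PFS suites belong at the top. It assumes explicit OpenSSL-style suite names and a server that enforces its own preference order; the function names, marker lists and sample lists are constructed for this illustration.

```python
# Added example: audits explicit OpenSSL-style suite names (TLS 1.2 and earlier),
# colon-separated in server preference order. Keyword selectors such as HIGH or
# !aNULL are not expanded. The marker lists below are this example's assumptions.
PFS_KEY_EXCHANGES = ("ECDHE", "DHE", "EDH")  # ephemeral Diffie-Hellman
WEAK_MARKERS = ("RC4", "NULL", "EXP", "MD5", "ADH", "AECDH", "DES-CBC-")


def has_pfs(suite):
    """True if the suite's key exchange is ephemeral (forward secret)."""
    return suite.split("-")[0] in PFS_KEY_EXCHANGES


def negotiate(server_order, client_offer):
    """Suite chosen when the server enforces its own preference order."""
    offered = set(client_offer)
    return next((s for s in server_order.split(":") if s in offered), None)


def audit_cipher_order(server_order):
    """Return findings for a preference list; an empty list means it passes."""
    suites = [s for s in server_order.split(":") if s]
    findings = [f"weak suite offered: {s}" for s in suites
                if any(m in s for m in WEAK_MARKERS)]
    if not any(has_pfs(s) for s in suites):
        findings.append("no forward-secret suite offered")
    # Every PFS suite must sit above the first non-PFS suite.
    first_plain = next((s for s in suites if not has_pfs(s)), None)
    if first_plain is not None:
        tail = suites[suites.index(first_plain) + 1:]
        findings += [f"{s} (PFS) is ranked below {first_plain} (no PFS)"
                     for s in tail if has_pfs(s)]
    return findings


# Constructed sample data, not taken from any real server or browser.
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
WEAK_FIRST = "RC4-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"
PFS_FIRST = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA"

if __name__ == "__main__":
    for name, order in (("weak-first", WEAK_FIRST), ("pfs-first", PFS_FIRST)):
        print(name, "negotiates", negotiate(order, CLIENT))
        for finding in audit_cipher_order(order):
            print("  -", finding)
```

Both sample lists contain the same strong suite, yet the same browser ends up on RC4 with the weak-first list and on an ECDHE suite with the PFS-first list.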
Is My Web Server Okay?
Probably not. In fact, most web servers using SSL/TLS are not optimally configured. That has slowly been improving in the wake of Heartbleed, but there's still much work to be done. If you'd like to check your SSL/TLS site, the ITSO highly recommends the use of Qualys' SSL Labs site (Link: https://www.ssllabs.com/ssltest/). This site will detail any configuration issues and grade your site overall.
As always, if you have any questions or require assistance in securing your site, please contact the ITSO at firstname.lastname@example.org. We're always happy to help. And remember, encrypt everything!
For more on Apache TLS configuration:
For more on IIS/Windows Server TLS configuration: