Mitigations
Configuration
Diffie-Hellman (DHE) key exchange should be disabled if no other mitigation mechanism can be used and either the elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange is supported by the clients. The fact that RSA key exchange is not forward secret should be considered.
TLS
The elliptic-curve (named group) setting is necessary only if the underlying cryptographic library supports negotiation of Diffie-Hellman groups, either by implementing RFC 7919 in TLS 1.2 or by supporting the finite field Diffie-Hellman (FFDHE) named groups in TLS 1.3.
Library | Version | FFDHE groups in TLS 1.2 | FFDHE groups in TLS 1.3 |
---|---|---|---|
OpenSSL | < 3.0 | no | no |
OpenSSL | ≥ 3.0 | no | yes |
GnuTLS | ≥ 3.5.6 | yes | no |
GnuTLS | ≥ 3.6.3 | yes | yes |
Apache
SSLCipherSuite ...:!kDHE
SSLOpenSSLConfCmd Groups x25519:secp256r1:x448
NGINX
ssl_ciphers ...:!kDHE;
ssl_ecdh_curve x25519:secp256r1:x448;
Postfix
- Diffie-Hellman key exchange algorithms can be removed by setting the tls_medium_cipherlist configuration option.
  tls_medium_cipherlist = ...:!kDHE
- The maximum number of new TLS sessions that a remote SMTP client is allowed to negotiate can be controlled by the smtpd_client_new_tls_session_rate_limit configuration option.
  smtpd_client_new_tls_session_rate_limit = 100
Others
See moz://a SSL Configuration Generator for configuration syntax.
DH parameter files
If DH key exchange needs to be supported, the recommended private key length should be set in the DH parameter file so that DH key exchange achieves the best performance without a security risk.
You can check whether your DH parameter file contains the recommended private key value with the following command:
dh_param_priv_key_size_setter /path/to/dh/parameter/file.pem
The result looks like the following. If the original private key size is None, some cryptographic libraries use the public key size as the private key size unless the application server overrides this behaviour. This causes much lower performance than if small private keys were used.
Original private key size: None
Set private key size: None
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
To set the recommended private key size in a DH parameter file, use the following command:
dh_param_priv_key_size_setter --private-key-size KEY_SIZE /path/to/dh/parameter/file.pem
For appropriate private key sizes see Table 2 of NIST SP 800-57 Part 1. Alternatively, you can download the well-known DH parameters, in which the recommended private key size is set according to OpenSSL default values, from the data directory.
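The check described above can also be reproduced by reading the file directly. The following added example (not part of the original page or the project's code) parses a PKCS #3 DH parameter file with a minimal DER reader and returns the prime size, the generator and the optional privateValueLength field; it assumes that this field is what the tool reports as the private key size. `TOY_PEM` is a constructed input and the function names are hypothetical.

```python
import base64

# DH parameter file exactly as printed in the sample output above.
PAGE_PEM = """-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----"""
# Constructed toy input (p=23, g=5, privateValueLength=224); never use for key exchange.
TOY_PEM = "-----BEGIN DH PARAMETERS-----\nMAoCARcCAQUCAgDg\n-----END DH PARAMETERS-----"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (prime_bits, generator, private_value_length or None)."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("DHParameter must be a SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("DHParameter fields must be INTEGERs")
        ints.append(int.from_bytes(val, "big"))
    if len(ints) not in (2, 3):
        raise ValueError("expected prime, base and optional privateValueLength")
    return ints[0].bit_length(), ints[1], ints[2] if len(ints) == 3 else None

if __name__ == "__main__":
    for name, pem in (("page", PAGE_PEM), ("toy", TOY_PEM)):
        print(name, parse_dh_params(pem))
```

A third value of None means the file carries no private key length, which is the case the text above describes as falling back to the public key size.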
SSH
OpenSSH
- Diffie-Hellman key exchange algorithms can be removed by setting the KexAlgorithms configuration option.
  KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512
- Maximum number of concurrent unauthenticated connections can be controlled by some configuration options
  - MaxStartups (globally)
    MaxStartups 10:30:100
  - PerSourceMaxStartups (per source IP subnetworks)
    PerSourceMaxStartups 1
  - PerSourceNetBlockSize (size of the subnetworks grouped together)
    PerSourceNetBlockSize 32:128
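To confirm that the OpenSSH settings above took effect, the effective configuration can be checked. This added example (not from the original page) reads text in the `keyword value` form printed by `sshd -T`, lists any finite field Diffie-Hellman key exchange algorithms that are still enabled, and computes the refusal probability that a `MaxStartups start:rate:full` value gives for a number of unauthenticated connections. The sample text and the function names are constructed for illustration.

```python
# Constructed sample in the "keyword value" form that `sshd -T` prints; not from a real host.
SAMPLE = """\
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
maxstartups 10:30:100
persourcemaxstartups 1
persourcenetblocksize 32:128
"""

def parse_effective(text):
    """Map lowercase keyword -> value from `sshd -T` style output."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            conf[key.lower()] = value.strip()
    return conf

def ffdh_kex(conf):
    """Key exchange algorithms still enabled that use finite field Diffie-Hellman."""
    algs = conf.get("kexalgorithms", "").split(",")
    return [a for a in algs if a.startswith("diffie-hellman-")]

def drop_percent(maxstartups, unauthenticated):
    """Chance (in %) that sshd refuses a new connection under start:rate:full."""
    parts = [int(x) for x in maxstartups.split(":")]
    # A single value means a hard limit: everything at or above it is refused.
    start, rate, full = parts if len(parts) == 3 else (parts[0], 100, parts[0])
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # The probability rises linearly from rate% at `start` to 100% at `full`.
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)

if __name__ == "__main__":
    conf = parse_effective(SAMPLE)
    print("finite field DH still enabled:", ffdh_kex(conf))
    for n in (9, 10, 55, 100):
        print(n, "unauthenticated ->", drop_percent(conf["maxstartups"], n), "% refused")
```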
VPN
OpenVPN
- Diffie-Hellman key exchange algorithms can be removed in TLS versions prior to 1.2 by setting the tls-cipher configuration option.
  - using OpenSSL
    tls-cipher ...:!kDHE
  - using mbed TLS, any cipher suites containing DHE should be removed
- Finite field Diffie-Hellman groups can be removed in TLS version 1.3 by setting the tls-groups configuration option.
  tls-groups x25519:secp256r1:x448
- The control channel can be authenticated and/or encrypted by setting the tls-auth, tls-crypt or tls-crypt-v2 configuration options.
  tls-auth file
  tls-crypt file
  tls-crypt-v2 file
IPsec
StrongSwan
- Diffie-Hellman key exchange algorithms can be removed by setting the ike configuration option explicitly and not using key exchange algorithms whose names start with modp.
- Maximum number of unauthenticated connections can be controlled by some configuration options
  - cookie_threshold (activate cookie mechanism)
    cookie_threshold = 10
  - block_threshold (activate block mechanism)
    block_threshold = 5
Fail2Ban
TLS
Apache
There are no relevant filters.
- apache-ssl.conf in the fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory
- the following should be added to the jail.local file in the fail2ban configuration directory
  [apache-ssl]
  port = https
  logpath = %(apache_error_log)s
  maxretry = 1
Postfix
There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.
[postfix]
mode = ddos
Dovecot
There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.
[dovecot]
mode = aggressive
Alternatively, a specific filter can be used without changing the mode of dovecot.
- dovecot-ssl.conf in the fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory
- the following should be added to jail.local in the fail2ban configuration directory
  [dovecot-ssl]
  port = pop3,pop3s,imap,imaps,submission,465,sieve
  logpath = %(dovecot_log)s
  backend = %(dovecot_backend)s
  maxretry = 1
SSH
OpenSSH
There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.
[sshd]
mode = ddos