Thursday, October 9, 2014

Improve your grades!

Well…school days might be over, but if you’re running a web server servicing HTTPS, you might still care about your grades! I’m referring, of course, to Qualys’ SSL Labs HTTPS testing and grading system. Qualys set up their free grading service several years ago, and it’s now considered by most to be the de facto standard for qualifying web servers. For many companies and administrators running public sites, getting an A+ is an important goal, and today I’ll talk about getting that score for your IIS server.

Many people who run Qualys’ test against their IIS are disappointed to get only an A-, with the test quoting the following two reasons:

1. RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available.

2. The server does not support Forward Secrecy with the reference browsers.

Even though Windows Server 2012 was released not very long ago, it still gets this grade on a default configuration. Luckily, though, you can easily adjust your settings to get the desired A+. The key to this is the Cipher Suite priority list that is built into the SChannel component of the operating system. When a client (a web browser, for example) connects to a server, they conduct a negotiation process during which the client tells the server which cipher suites it supports. The server then goes through its own prioritized list of suites, looking for the highest entry in that list that the client also supports. Once that is determined, the server notifies the client which suite to use, and the connection continues. Let’s see what this looks like in a network trace (Netmon capture):

Client sending its list to the server:


As you can see, the most preferred cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA256, which is TLS 1.2 using the RSA Key Exchange and Digital Signature (see THIS article about reading Cipher Suite names) and AES based encryption with 128 bit key length, CBC Mode and SHA256 hashing. The packet also shows that the client supports Elliptic Curves and Server Name Indication (SNI) extensions, as well as a few others (the bottom part of the list).

After the server picks the suite that’s best, it tells the client to use it:


As you can see, the server picked TLS_RSA_WITH_AES_128_CBC_SHA, which was actually the 2nd highest item on the client’s list. This suggests the server either doesn’t support the SHA256 hash, or has it lower in its own list of preference. In reality, there are virtually NO servers out there that don’t support SHA256 these days, so the 2nd option is what really happened.

When Qualys’ SSL Labs test examines a server, it establishes several connections, sending various versions of the preference order, to see what the server chooses. If the RC4 cipher is high on the server’s priority list and gets chosen, the grade is reduced. Similarly, if the server has forward-secrecy-based key exchange suites too low in the priority list, that also reduces the grade to A-.
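The selection rule and the two A- findings described above can be simulated offline. This is an added example, not code from the original post or from Qualys; the suite orders and client offers are constructed for illustration and are not the actual SChannel defaults, and the `select_suite` and `audit` helpers are hypothetical names.

```python
# Added example. Suite lists are constructed for illustration (IANA-style names);
# they are not the actual SChannel defaults of any Windows version.
WEAK_ORDER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
# Same suites, reordered: forward secrecy first, RC4 last.
FIXED_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
CLIENTS = {  # constructed client offers, most preferred first
    "modern": [
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
    ],
    "legacy_rc4_only": ["TLS_RSA_WITH_RC4_128_SHA"],
}

def select_suite(server_order, client_offer):
    """Server preference wins: first server-list entry the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)

def audit(server_order, clients=CLIENTS):
    """Simulate one handshake per client and flag the two A- findings."""
    report = {}
    for name, offer in clients.items():
        chosen = select_suite(server_order, offer)
        common = [s for s in server_order if s in offer]
        rc4 = chosen is not None and "_RC4_" in chosen
        report[name] = {
            "chosen": chosen,
            # RC4 picked although a non-RC4 suite was mutually supported
            "rc4_avoidable": rc4 and any("_RC4_" not in s for s in common),
            # Ephemeral (EC)DH key exchange is what provides forward secrecy
            "forward_secrecy": chosen is not None
            and chosen.startswith(("TLS_ECDHE_", "TLS_DHE_")),
        }
    return report

if __name__ == "__main__":
    for label, order in (("weak", WEAK_ORDER), ("fixed", FIXED_ORDER)):
        for client, result in audit(order).items():
            print(label, client, result)
```

With the reordered list, the RC4-only client still connects, which is why de-prioritizing RC4 rather than removing it keeps compatibility with such clients.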

What can you do about it? Well, the ideal solution is to upgrade your server to Windows 2012 R2. This latest version of the server (for now, until the next version is released in 2015) has been programmed with a different default cipher suite order, so that RC4 is de-prioritized, and Forward Secrecy suites are prioritized. And let’s not forget the other benefits that come with a newer version!

If this is not a viable option, another thing you can do is manually re-order the cipher suites on your server to match the list that’s built into Windows 2012 R2. The list is like this:


As you can see, the top 10 suites in this list are perfect forward secrecy based (the ECDHE key exchange algorithm stands for Elliptic Curve Diffie-Hellman Ephemeral, where the Ephemeral part is what provides perfect forward secrecy). Also, the RC4 cipher is all the way down in the list.

Changing the order is relatively simple. Officially, you’re supposed to edit Group Policy, as described here. However, Nartac Software has released a tool that makes it a lot easier. It’s called IISCrypto, and is a free download from here. To use it, simply run it on the server, and use the arrows to re-order the list to your liking:


As you can see, the tool can also be used to completely disable certain protocols, ciphers, hashes or key exchange algorithms, and you also have several templates built-in to make things a one-click operation.

One thing to keep in mind is that changes to the order don’t take effect immediately. After you apply them, whether with IISCrypto or another way, you need to reboot the computer. Once you do, SSL Labs should grade you with the sought-after A+.
