Difference between revisions of "Enhancing SSL Security"
[unchecked revision] | [checked revision] |
(Created page with "The default configuration of most operating systems allow any set of supported ciphers and hashes to be used by applications when acting as SSL client or server. While this en...") |
Ltalaschus (talk | contribs) |
||
(10 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
The default configuration of most operating systems allow any set of supported ciphers and hashes to be used by applications when acting as SSL client or server. While this ensures full compatibility with other client and server applications, it does no longer match the expectation in SSL encrypted communication in regards to privacy and trust due to supporting insecure protocols, cipher suites and hash algorithms. | The default configuration of most operating systems allow any set of supported ciphers and hashes to be used by applications when acting as SSL client or server. While this ensures full compatibility with other client and server applications, it does no longer match the expectation in SSL encrypted communication in regards to privacy and trust due to supporting insecure protocols, cipher suites and hash algorithms. | ||
− | + | Therefore enhancing the security of SSL mainly consists of disabling these insecure protocols, ciphers and hashes as well as prioritize cipher suites that allow the usage of [[wikipedia:Perfect Forward Secrecy|Perfect Forward Secrecy]]. | |
− | As MailStore Server relies on Windows' security support provider (SSP) called ''Secure Channel'' (also known as ''Schannel''), a number of registry keys have to be created or modified in order to disable insecure protocols, ciphers and hashes. Although Microsoft's | + | As MailStore Server relies on Windows' security support provider (SSP) called ''Secure Channel'' (also known as ''Schannel''), a number of registry keys have to be created or modified in order to disable insecure protocols, ciphers and hashes. Although Microsoft's article [https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings Transport Layer Security (TLS) registry settings] describes in detail which registry keys affect the security provider settings, it is not recommended to manually change these keys. A safer way to adjust the ''Schannel'' settings for server applications is [https://www.nartac.com/ Nartac Software's IIS Crypto] tool. |
<p class="mswarning">'''Important note: ''' Modifying the configuration of the security support provider (SSP) in Windows may affect general operating system functions such as authentication services and remote desktop and management capabilities or other third party applications that rely on SSP. Thus careful testing of all services is required after applying the changes. </p> | <p class="mswarning">'''Important note: ''' Modifying the configuration of the security support provider (SSP) in Windows may affect general operating system functions such as authentication services and remote desktop and management capabilities or other third party applications that rely on SSP. Thus careful testing of all services is required after applying the changes. </p> | ||
== Recommended Settings == | == Recommended Settings == | ||
− | Highest level of security can be achieved with the following settings in ''IIS Crypto'' on the MailStore Server computer. | + | Highest level of security can be achieved with the following settings in ''IIS Crypto'' on the MailStore Server computer. Some options are only available on Windows Server 2022 and Windows 11. |
− | |||
− | |||
{| class="wikitable" | {| class="wikitable" | ||
| '''Protocols Enabled''' | | '''Protocols Enabled''' | ||
− | | TLS 1. | + | | TLS 1.3<br/> |
+ | TLS 1.2 | ||
|- | |- | ||
| '''Ciphers Enabled''' | | '''Ciphers Enabled''' | ||
− | | AES 128/128<br/>AES 256/256 | + | | AES 128/128<br/> |
+ | AES 256/256 | ||
|- | |- | ||
| '''Hashes Enabled''' | | '''Hashes Enabled''' | ||
− | | SHA | + | | SHA<br/> |
+ | SHA256<br/> | ||
+ | SHA384<br/> | ||
+ | SHA512<br/> | ||
|- | |- | ||
| '''Key Exchange Enabled''' | | '''Key Exchange Enabled''' | ||
− | | Diffie-Hellman<br/>PKCS | + | | Diffie-Hellman<br/> |
+ | PKCS<br/> | ||
+ | ECDH | ||
|- | |- | ||
| '''SSL Cipher Suite Order''' | | '''SSL Cipher Suite Order''' | ||
− | | | + | | TLS_AES_256_GCM_SHA384<br/> |
− | + | TLS_AES_128_GCM_SHA256<br/> | |
− | + | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br/> | |
− | + | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br/> | |
− | + | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<br/> | |
− | + | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256<br/> | |
− | + | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br/> | |
− | + | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br/> | |
− | + | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br/> | |
− | + | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256<br/> | |
− | + | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br/> | |
− | + | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256<br/> | |
− | + | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<br/> | |
− | + | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA<br/> | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
|} | |} | ||
+ | |||
+ | [[de:SSL-Sicherheit verbessern]] | ||
+ | [[en:Enhancing SSL Security]] |
Latest revision as of 14:04, 22 August 2023
The default configuration of most operating systems allow any set of supported ciphers and hashes to be used by applications when acting as SSL client or server. While this ensures full compatibility with other client and server applications, it does no longer match the expectation in SSL encrypted communication in regards to privacy and trust due to supporting insecure protocols, cipher suites and hash algorithms.
Therefore enhancing the security of SSL mainly consists of disabling these insecure protocols, ciphers and hashes as well as prioritize cipher suites that allow the usage of Perfect Forward Secrecy.
As MailStore Server relies on Windows' security support provider (SSP) called Secure Channel (also known as Schannel), a number of registry keys have to be created or modified in order to disable insecure protocols, ciphers and hashes. Although Microsoft's article Transport Layer Security (TLS) registry settings describes in detail which registry keys affect the security provider settings, it is not recommended to manually change these keys. A safer way to adjust the Schannel settings for server applications is Nartac Software's IIS Crypto tool.
Important note: Modifying the configuration of the security support provider (SSP) in Windows may affect general operating system functions such as authentication services and remote desktop and management capabilities or other third party applications that rely on SSP. Thus careful testing of all services is required after applying the changes.
Recommended Settings
Highest level of security can be achieved with the following settings in IIS Crypto on the MailStore Server computer. Some options are only available on Windows Server 2022 and Windows 11.
Protocols Enabled | TLS 1.3 TLS 1.2 |
Ciphers Enabled | AES 128/128 AES 256/256 |
Hashes Enabled | SHA SHA256 |
Key Exchange Enabled | Diffie-Hellman PKCS |
SSL Cipher Suite Order | TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 |