Using insecure ciphers DES and 3DES

options-ssl-apache.conf includes DES ciphers

McAfee scans our server for vulnerabilities. I have just received this notification from them:

Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

Threat
Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the SSL/TLS protocol that support cipher suites which use DES or 3DES as the symmetric encryption cipher are affected.

Impact
Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.

Solution
Disable and stop using DES and 3DES ciphers. The following openssl commands can be used to do a manual test:

openssl s_client -connect ip:port -cipher "DES:3DES" -ssl2
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl3
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_2

If any of these tests is successful, then the target is vulnerable to Sweet32.

Hi @fredmc,

It's true that using these ciphers is not that great. On the bright side, you would only use them if they're preferred for backwards compatibility reasons by a specific client application like an obsolete web browser version.

Certbot's defaults are taken from the Mozilla configuration generator at

https://mozilla.github.io/server-side-tls/ssl-config-generator/

—in particular, the "Intermediate" settings. This is meant to reflect a trade-off between security and backwards compatibility in order to allow older browsers to continue to work with your site even if they only support less-modern cryptographic algorithms. This doesn't necessarily harm security when people connect to the site with modern software.

If you want to get rid of the warning in the McAfee scan, you can switch to the Modern profile from the Mozilla generator. As the Mozilla site explains, this will also have the effect of reducing your site compatibility from

Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

to

Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8

@schoen Didn’t certbot have an option to set the “Mozilla level”?

That’s definitely been planned, but I don’t believe that that feature has landed in the released versions of Certbot, although I might be misremembering.


In options-ssl-apache.conf it basically says do not modify the file. I take it from your response that modifying the SSLCipherSuite will not make it so future security updates cannot be applied automatically? Or should I just update my own ssl.conf file, and not include this in my virtual host files?

It’s possible that modifying the file might have the effect of preventing certain kinds of automated updates in the future (specifically, if Certbot itself tries to change the ciphersuite configuration for you). As far as I know, such updates haven’t occurred yet in Certbot’s history, so this might not be a very big impact. However, if you do care about choosing your own ciphersuite configuration, you might also want to stay on top of the issue in the future, for example by checking in occasionally on the Mozilla site to see whether the recommendations have changed, or perhaps by subscribing to Ivan Ristić’s newsletter at

https://www.feistyduck.com/bulletproof-tls-newsletter/index.html
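A static check, added here as an example and not Certbot's, Mozilla's or McAfee's code, that reads SSLCipherSuite lines from an Apache config and reports whether a 64-bit block cipher (DES or 3DES) can still be negotiated after you edit the list. The sample config and the verdict names are constructed; broad aliases such as HIGH are only flagged as uncertain because their expansion depends on the server's OpenSSL version.

```python
import re

BROAD_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW"}

def family_of(name):
    """Map a cipher-list token to '3DES', 'DES', 'BROAD' or None."""
    if name in BROAD_ALIASES:
        return "BROAD"  # may expand to 3DES suites on older OpenSSL builds
    if name == "3DES" or "DES-CBC3" in name:  # e.g. DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
        return "3DES"
    if name == "DES" or "DES-CBC-" in name:   # e.g. DES-CBC-SHA (single DES)
        return "DES"
    return None

def classify_cipher_list(cipher_list):
    """Return 'vulnerable', 'uncertain' or 'clean' for an OpenSSL cipher string."""
    # Syntax: '!X' removes X permanently, '-X' until re-added, '+X' reorders, bare adds.
    present, killed, broad = set(), set(), False
    for tok in filter(None, re.split(r"[:,\s]+", cipher_list)):
        op, name = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        fam = family_of(name)
        if fam == "BROAD":
            broad = broad or op == ""
        elif fam is not None:
            if op == "!":
                killed.add(fam)
            elif op == "-":
                present.discard(fam)
            elif op == "":
                present.add(fam)
    if present - killed:
        return "vulnerable"
    return "uncertain" if broad and killed != {"DES", "3DES"} else "clean"

def lint_apache_config(text):
    """Return [(line_no, verdict)] for every active SSLCipherSuite directive."""
    hits = (re.match(r"\s*SSLCipherSuite\s+(.+)", ln, re.I) for ln in text.splitlines())
    return [(n, classify_cipher_list(m.group(1).strip().strip('"')))
            for n, m in enumerate(hits, 1) if m]

SAMPLE_CONF = """\
# Constructed sample Apache TLS config (not the real Certbot file).
# Compatibility-style list that still offers a 3DES suite:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!MD5:!DSS
# Broad alias: whether it includes 3DES depends on the OpenSSL version.
SSLCipherSuite HIGH:!aNULL:!MD5
# Hardened list: 64-bit block ciphers excluded whatever OpenSSL expands to.
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!3DES:!DES
"""
```

Pair the verdict with `openssl ciphers -v '<your list>'` run on the server itself, which expands aliases against the OpenSSL build that Apache actually links.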
