SSL Termination & The BEAST

Security Published on 2 mins Last updated

Over the last few weeks we have seen more and more users reporting that they have run a security check on the SSL certificate thats installed on their Loadbalancer appliance using the Trustworty Internet Movement web site (https://www.trustworthyinternet.org/ssl-pulse/).

The idea behind the site is basically to test as many SSL certificates on the Internet as possible and check for any vulnerabilities like having SSLv2 enabled or weak Key Cipher lists. The test takes about 2 minutes to run and will give you a report on the status of your SSL Certificate and the associated services that it uses.

From this we found that the version of Pound SSL Proxy that we were using with our v6.x appliance was not as secure as it could be. Which has lead to a new release of our hardware software to v6.19.

NB. 'not as secure as it could be' does not mean a security problem, the BEAST attack is really a client side attack and nothing to do with load balancers <- Annoying comment added by Editor :-).

The main issue that we have been facing is the 'BEAST Attack' which is basically:

The BEAST attack is a practical attack based on a protocol vulnerability that was discovered in 2004. A successful exploitation of this issue will result in a disclosure of victim's session cookies, allowing the attacker to completely hijack the application session. Despite having been addressed in TLS v1.1 in 2006, the problem is still relevant because most clients and servers do not support newer protocol versions. Practical mitigation requires that your servers speak only RC4 when using TLS v1.0 or SSL v3.0*

So what can we do? Simply updating to the latest stable build of Pound would not be enough as we also need to allow for 'Honor Cipher Order' and 'Allow Client Renegotiation' as with using these two extra options an a secure cipher list we can mitigate the BEAST Attack, DoS Attacks and MITM Attacks which is a win, win solution. Also we need to continue to provide the Transparency into the backend servers.

So then on a Centos 5.8 x64 build box follow these steps:

wget http://www.apsis.ch/pound/Pound-2.6.tgz
tar -zxf Pound-2.6.tgz
cd Pound-2.6
wget http://downloads.loadbalancer.org/PoundSSL-Beast/pound-tproxy-beast.patch
patch -i pound-tproxy-beast.patch
wget http://downloads.loadbalancer.org/PoundSSL-Beast/pound-beast-renegotiatin.patch
patch -i pound-beast-renegotiatin.patch
./configure
You may find that this step fails with 'Missing OpenSSL (-lcrypto) - aborted' you will need to edit the configure file on line 3235 and remove '-Wno-unused-result'
make TPROXY=1

That's all there is to the build, but you now have two new options available in the Pound Configuration as mentioned before.

With SSLHonorCipherOrder set to enabled '1' and SSLAllowClientRenegotiation disabled '0' along with an SSL cipher list like 'RC4:HIGH:!MD5:!aNULL' your system should pass the Trustworthy Internet Movement scan along with not being susceptible to either the BEAST Attack, DoS Attack or MITM Attack.

An example of a Pound Configuration file including the new options would look like:

User            "nobody"
Group           "nobody"
LogLevel        1
LogFacility     local3
Client          30
Timeout         60
ListenHTTPS
# Label: SSL1
Address xxx.xxx.xxx.xxx
Port    443
Cert    "/etc/pound/certs/SSL1.pem"
SSLHonorCipherOrder     1
SSLAllowClientRenegotiation     0
ReWriteLocation 1
Ciphers " RC4:HIGH:!MD5:!aNULL "
Service
BackEnd
Address xxx.xxx.xxx.xxx
Port    81
End
End
End

* Taken from the Trustworthy Internet Movement Documentation