SSL Cipher Suite question

[morrow95]

In 'Home - Service Configuration - Apache Configuration - Global Configuration' I am using the default SSL Cipher Suite :

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

and have SSL/TLS Protocols set to the default TLSv1.2.

I recently came across an issue with a 3rd party billing processor we use in that it can't connect to our site through https (API type stuff which sends back information to them when they hit the pages). After going back and forth with their support about this they recently came back and said that we are not offering any ciphers they support and that is why they can't connect to our pages. They gave the following list of ciphers they support :

Cipher# 0: TLS_RSA_WITH_AES_256_CBC_SHA256
Cipher# 1: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Cipher# 2: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Cipher# 3: TLS_RSA_WITH_AES_256_CBC_SHA
Cipher# 4: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Cipher# 5: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Cipher# 6: TLS_RSA_WITH_AES_128_CBC_SHA256
Cipher# 7: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Cipher# 8: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Cipher# 9: TLS_RSA_WITH_AES_128_CBC_SHA
Cipher# 10: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Cipher# 11: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Cipher# 12: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Cipher# 13: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Cipher# 14: TLS_DH_anon_WITH_AES_256_CBC_SHA
Cipher# 15: TLS_DH_anon_WITH_AES_128_CBC_SHA256
Cipher# 16: TLS_DH_anon_WITH_AES_128_CBC_SHA
Cipher# 17: SSL_RSA_WITH_DES_CBC_SHA
Cipher# 18: SSL_DHE_RSA_WITH_DES_CBC_SHA
Cipher# 19: SSL_DHE_DSS_WITH_DES_CBC_SHA
Cipher# 20: SSL_DH_anon_WITH_DES_CBC_SHA
Cipher# 21: TLS_RSA_WITH_NULL_SHA256
Cipher# 22: SSL_RSA_WITH_NULL_SHA
Cipher# 23: SSL_RSA_WITH_NULL_MD5
Cipher# 24: TLS_KRB5_WITH_DES_CBC_SHA
Cipher# 25: TLS_KRB5_WITH_DES_CBC_MD5

The first thing on my mind here is if I need to choose one of the above I definitely want to choose the most secure and without any exploit abilities. I tried adding a couple of these one at a time in WHM's Global Configuration and just adding it to the end of the default list and using that list as a custom entry. Apache gets rebuilt and restarted each time. I check to see if our billing processor works properly with https and it still fails.

I'm not very knowledgeable about ciphers, but have the general idea. I know I should stay away from anything with null, anon, and what not. Is there something else I should be looking at here as I would expect any of the above would work if that is the actual problem? Given the choice, which would be the best to add from their list so as to not bring about any security concerns?

 

[cPanelLauren]

Hi @morrow95

While I can't give you advice on which of these ciphers specifically would be best I would like to know what the error is you're getting specifically. It could prove helpful in determining how to move forward.

Thanks!

 

[morrow95]

Hi @morrow95

While I can't give you advice on which of these ciphers specifically would be best I would like to know what the error is you're getting specifically. It could prove helpful in determining how to move forward.

Thanks!

There is no error. I can't really think of any other way to explain the situation other than what I originally posted. Maybe you skimmed through the post?

 

[cPanelLauren]

Hi @morrow95


I understood what you were requesting but my assumption was that when you attempt to connect to your billing processor without a compatible cipher suite in place you would be receiving an error in the apache or PHP error logs, what billing processor company is it? Maybe I can help you find some further information on what others are using with the same company (pending I can find more information)

Thanks!

 

[morrow95]

It is the other way around, they are connecting to me. So for instance, when an order is completed I tell the system to hit www.example.com/somescript.php on my site (a callback if you want to call it that) and parameters might be posted by them along with it. I might have setup that page to add details to our database or something and/or output data they can then receive. They are not able to connect to those through https, but fine through http. The error THEY are getting is something along the lines of :

-- ERROR --
javax.net.ssl.SSLHandshakeException
Received fatal alert: handshake_failure

We've been back and forth with them for quite awhile now trying to figure out the issue. They recently came back saying they believe it is because we do not offer any ciphers they currently support. We use the current ECDHE defaults. They provided a list they support listed above. Whether this is actually the problem or not I have no idea, but I am trying to work with them on figuring this out. I know they supposedly went to tls1.2 this past year when everyone was making the push to that change.

I would rather not list who I am using so there is no bad rep going out with this, but I will say in the 20 years of using various processors the service has been fantastic with only a hiccup here and there.

 

[cPanelLauren]

HI @morrow95

After some research on that error I'm finding that this is occurring due to java needing some specific ciphers that are not present by default which would explain why it wasn't able to connect. The problem is I can't tell you which of these would be the best to use as it's outside my realm of expertise. What I did do was add the first ten to my Apache configuration and then the ssl server test at SSL Server Test (Powered by Qualys SSL Labs) and found that several of them seem to be considered weak but there are a few that seem to be neutral and none of them with DSS were tested:

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 no result
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS
TLS_DHE_DSS_WITH_AES_256_CBC_SHA no result
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  no result
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS

You might want to run all of them through but I would only include TLS and non DSS ones, the ones with SSL aren't going to be useful.

Thanks!