SSL cipher suite choice
Cipher Negotiation
During the SSL handshake, the client and the server negotiate which encryption
algorithm they will use. The principle behind this is that clients and servers do
not have to implement all of the ciphers supported by SSL. This mattered especially
because, in the past, US export laws regarding cryptography were very clear: no
strong cryptography could be exported out of the USA without a license. This law was
relaxed after Phil Zimmermann invented and exported PGP.
An attacker may attempt a man-in-the-middle attack whereby they fool the client and the server into negotiating a weak cipher suite. Note also that some web browsers are too old and are still locked to "export grade" ciphers. In either case the result is the same: the cipher negotiated during the SSL handshake may not be strong enough, and a man-in-the-middle could decrypt the traffic.
Solution
A common solution is to force your web-server (or any other SSL enabled service
that can be configured in such a way) to accept only strong ciphers during the
negotiation.
On Apache, you can do this in the mod_ssl configuration file. The directive that
you need to modify is SSLCipherSuite.
My cipher suite line looks like this (all on one line, with no spaces inside the cipher string):
SSLCipherSuite !EXPORT40:!EXPORT56:!LOW:!ADH:!NULL:!AECDH-AES256-SHA:!AECDH-AES128-SHA:!AECDH-DES-CBC3-SHA:!AECDH-RC4-SHA:!RC2-CBC-MD5:SSLv3:SSLv2:TLSv1
This translates to having the following ciphers enabled:
# openssl ciphers -v '!EXPORT40:!EXPORT56:!LOW:!ADH:!NULL:!AECDH-AES256-SHA:!AECDH-AES128-SHA:!AECDH-DES-CBC3-SHA:!AECDH-RC4-SHA:!RC2-CBC-MD5:SSLv3:SSLv2:TLSv1'
DHE-RSA-AES256-SHA SSLv3 K=DH A=RSA E=AES(256) M=SHA1
DHE-DSS-AES256-SHA SSLv3 K=DH A=DSS E=AES(256) M=SHA1
AES256-SHA SSLv3 K=RSA A=RSA E=AES(256) M=SHA1
DHE-RSA-AES128-SHA SSLv3 K=DH A=RSA E=AES(128) M=SHA1
DHE-DSS-AES128-SHA SSLv3 K=DH A=DSS E=AES(128) M=SHA1
AES128-SHA SSLv3 K=RSA A=RSA E=AES(128) M=SHA1
DHE-DSS-RC4-SHA SSLv3 K=DH A=DSS E=RC4(128) M=SHA1
KRB5-RC4-MD5 SSLv3 K=KRB5 A=KRB5 E=RC4(128) M=MD5
KRB5-DES-CBC3-MD5 SSLv3 K=KRB5 A=KRB5 E=3DES(168) M=MD5
KRB5-RC4-SHA SSLv3 K=KRB5 A=KRB5 E=RC4(128) M=SHA1
KRB5-DES-CBC3-SHA SSLv3 K=KRB5 A=KRB5 E=3DES(168) M=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 K=DH A=RSA E=3DES(168) M=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 K=DH A=DSS E=3DES(168) M=SHA1
DES-CBC3-SHA SSLv3 K=RSA A=RSA E=3DES(168) M=SHA1
RC4-SHA SSLv3 K=RSA A=RSA E=RC4(128) M=SHA1
RC4-MD5 SSLv3 K=RSA A=RSA E=RC4(128) M=MD5
DES-CBC3-MD5 SSLv2 K=RSA A=RSA E=3DES(168) M=MD5
RC4-MD5 SSLv2 K=RSA A=RSA E=RC4(128) M=MD5
As explained in the mod_ssl documentation:
- K means Key Exchange Algorithm (RSA or Diffie-Hellman variants).
- A means Authentication Algorithm (RSA, Diffie-Hellman, DSS or none).
- E means Cipher/Encryption Algorithm (DES, Triple-DES, RC4, RC2, IDEA or none).
- M means MAC Digest Algorithm (MD5, SHA or SHA1).
Conclusion
The exclamation mark means that we ask the SSL layer to remove a particular
algorithm, or suite of algorithms, from the list of algorithms to negotiate. Here we
took care to remove all algorithm combinations that have low or no encryption. No
encryption would defeat the purpose, wouldn't it? ;-)
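The "openssl ciphers -v" listing above is the easiest place to verify that the exclusions in an SSLCipherSuite string actually removed what they were meant to. The following is an added example, not part of the original article or of mod_ssl: it parses that listing (the older K=/A=/E=/M= labels shown on this page as well as the Kx=/Au=/Enc=/Mac= labels newer OpenSSL prints) and reports any suite with no encryption, no authentication, an export flag or a key shorter than 128 bits, which is what the !NULL, !ADH, !EXPORT40/!EXPORT56 and !LOW tokens are supposed to exclude. The sample listing embedded in it is constructed for the example.

```python
import re
import subprocess
import sys

# One line of `openssl ciphers -v` output. This page's listing uses the older
# K=/A=/E=/M= labels; newer OpenSSL prints Kx=/Au=/Enc=/Mac=, so both are accepted.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx?=(?P<kx>\S+)\s+Au?=(?P<au>\S+)\s+"
    r"E(?:nc)?=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+M(?:ac)?=(?P<mac>\S+)(?P<flags>.*)$"
)

# Constructed sample in that format: strong suites next to the kinds of suite that
# the !NULL:!ADH:!EXPORT40:!EXPORT56:!LOW exclusions are meant to remove.
SAMPLE = """\
DHE-RSA-AES256-SHA SSLv3 K=DH A=RSA E=AES(256) M=SHA1
RC4-MD5 SSLv3 K=RSA A=RSA E=RC4(128) M=MD5
EXP-RC4-MD5 SSLv3 K=RSA(512) A=RSA E=RC4(40) M=MD5 export
ADH-AES128-SHA SSLv3 K=DH A=None E=AES(128) M=SHA1
NULL-SHA SSLv3 K=RSA A=RSA E=None M=SHA1
DES-CBC-SHA SSLv3 K=RSA A=RSA E=DES(56) M=SHA1
"""

def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into a list of dicts, one per suite."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError("unrecognised cipher line: %r" % line)
        d = m.groupdict()
        d["bits"] = int(d["bits"]) if d["bits"] else None  # symmetric key size
        suites.append(d)
    return suites

def weak_suites(text):
    """Return (suite name, reason) pairs for every suite the policy should have excluded."""
    findings = []
    for s in parse_ciphers(text):
        if s["enc"] == "None":                      # what !NULL removes
            findings.append((s["name"], "no encryption"))
        if s["au"] == "None":                       # what !ADH / !AECDH remove
            findings.append((s["name"], "anonymous key exchange"))
        if "export" in s["flags"]:                  # what !EXPORT40 / !EXPORT56 remove
            findings.append((s["name"], "export grade"))
        elif s["bits"] is not None and s["bits"] < 128:  # what !LOW removes
            findings.append((s["name"], "low strength"))
    return findings

if __name__ == "__main__":
    # Audit the string used in the SSLCipherSuite directive, passed as argv[1].
    spec = sys.argv[1] if len(sys.argv) > 1 else "DEFAULT"
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True).stdout
    for name, reason in weak_suites(out):
        print("WEAK %-24s %s" % (name, reason))
```

Run it with the exact SSLCipherSuite value as its argument; an empty report means the exclusions did their job on the OpenSSL build Apache is linked against.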
