No edit summary  | 
| Line 33: | Line 33: | ||
</td>  | </td>  | ||
</tr></table>  | </tr></table>  | ||
Updates to this page should be submitted to the [[https://github.com/mozilla/server-side-tls source repository on github]].  | |||
If you are looking for the configuration generator, follow this link: [[https://mozilla.github.io/server-side-tls/ssl-config-generator/ https://mozilla.github.io/server-side-tls/ssl-config-generator/]].  | |||
= Recommended configurations =  | = Recommended configurations =  | ||
| Line 533: | Line 537: | ||
<source lang="python">  | <source lang="python">  | ||
    config := tls.Config{  | |||
        MinVersion:               tls.VersionTLS10,  | |||
        PreferServerCipherSuites: true,  | |||
        CipherSuites: []uint16{  | |||
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,  | |||
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,  | |||
            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  | |||
            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  | |||
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  | |||
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  | |||
            tls.TLS_RSA_WITH_AES_128_CBC_SHA,  | |||
            tls.TLS_RSA_WITH_AES_256_CBC_SHA,  | |||
            tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,  | |||
            tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA},  | |||
    }  | |||
</source>  | </source>  | ||
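Review bot: The Go snippet in the "Line 533 / Line 537" hunk is wrapped in `<source lang="python">`, so it is highlighted as the wrong language; the tag should read `<source lang="go">`. The sample also carries no caveat about what it permits: `MinVersion: tls.VersionTLS10` together with the `TLS_RSA_WITH_*` entries (no forward secrecy) and the `*_3DES_EDE_CBC_SHA` entries (64-bit block cipher) is a backward-compatibility profile, and a reader copying it should be told so, for example with `// Compatibility profile for legacy clients; where they are not needed, raise MinVersion to tls.VersionTLS12 and keep only the ECDHE GCM suites.` It is also worth stating next to the snippet that `CipherSuites` does not govern TLS 1.3 and that, as far as I know, Go 1.17 and later ignore both `PreferServerCipherSuites` and the order of this list, so the ordering shown is not enforced on current toolchains. The old/new columns of this hunk are not recoverable from the rendering, so this assumes the snippet is present in the new revision.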
| Line 2,801: | Line 2,805: | ||
$ gnutls-cli -l --priority NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULLCipher suites for NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL  | $ gnutls-cli -l --priority NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULLCipher suites for NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL  | ||
TLS_ECDHE_RSA_AES_128_GCM_SHA256   | TLS_ECDHE_RSA_AES_128_GCM_SHA256                    0xc0, 0x2f  TLS1.2  | ||
TLS_ECDHE_RSA_AES_128_CBC_SHA256   | TLS_ECDHE_RSA_AES_128_CBC_SHA256                    0xc0, 0x27  TLS1.0  | ||
TLS_ECDHE_RSA_AES_128_CBC_SHA1   | TLS_ECDHE_RSA_AES_128_CBC_SHA1                      0xc0, 0x13  SSL3.0  | ||
TLS_ECDHE_RSA_AES_256_CBC_SHA1   | TLS_ECDHE_RSA_AES_256_CBC_SHA1                      0xc0, 0x14  SSL3.0  | ||
TLS_DHE_RSA_AES_128_GCM_SHA256   | TLS_DHE_RSA_AES_128_GCM_SHA256                      0x00, 0x9e  TLS1.2  | ||
TLS_DHE_RSA_AES_128_CBC_SHA256   | TLS_DHE_RSA_AES_128_CBC_SHA256                      0x00, 0x67  TLS1.0  | ||
TLS_DHE_RSA_AES_128_CBC_SHA1   | TLS_DHE_RSA_AES_128_CBC_SHA1                        0x00, 0x33  SSL3.0  | ||
TLS_DHE_RSA_AES_256_CBC_SHA256   | TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.0  | ||
TLS_DHE_RSA_AES_256_CBC_SHA1   | TLS_DHE_RSA_AES_256_CBC_SHA1                        0x00, 0x39  SSL3.0  | ||
TLS_RSA_AES_128_GCM_SHA256   | TLS_RSA_AES_128_GCM_SHA256                          0x00, 0x9c  TLS1.2  | ||
TLS_RSA_AES_128_CBC_SHA256   | TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.0  | ||
TLS_RSA_AES_128_CBC_SHA1   | TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0  | ||
TLS_RSA_AES_256_CBC_SHA256   | TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.0  | ||
TLS_RSA_AES_256_CBC_SHA1   | TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0  | ||
Certificate types: none  | Certificate types: none  | ||