Security/Server Side TLS: Difference between revisions

(Fix a few typos)
(Update to commit 7a81eec5519983e1408cafe4936b4f85ae6a0997)
 
(174 intermediate revisions by 17 users not shown)
The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployments should follow the recommendations below.

The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcast to the various Operational teams.

<table><tr>
<td><div style="float:left;" class="toclimit-3">__TOC__</div></td>
<td valign="top">
{| class="wikitable"
|-
! Document Status !! Major Versions
|-
|  <span style="color:green;">'''READY'''</span> ||
* Version 2: Public release. r=ulfr r=kang
* Version 1.5: Julien Vehent (ulfr) added details for PFS DHE handshake, added nginx configuration details; Guillaume Destuynder (kang): added Apache recommended conf
* Version 1.4: ulfr: revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.
* Version 1.3: ulfr: added netscaler example conf
* Version 1.2: ulfr: ciphersuite update: bump DHE-AESGCM above ECDH-RC4
* Version 1.1: ulfr: integrated review comments from Infra; kang: SPDY information
* Version 1: ulfr: creation
|}
</td>
</tr></table>

<table>
  <tr>
    <td style="min-width: 25em;">__TOC__</td>
    <td style="vertical-align: top; max-width: 60em; padding-left: .75rem;">The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.

Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.

Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].

In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].
    </td>
  </tr>
</table>

= Recommended Ciphersuite =


The general purpose ciphersuite at the time of this writing is:

'''ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'''

If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite above and let OpenSSL pick the ones it supports.

= Recommended configurations =
<span style="float: right; max-width: 600px; text-align: center;">
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]<br>
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]
</span>
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:

* <span style="color: green; font-weight: bold;">Modern</span>''':''' Modern clients that support TLS 1.3, with no need for backwards compatibility
* <span style="color: orange; font-weight: bold;">Intermediate</span>''':''' Recommended configuration for a general-purpose server
* <span style="color: gray; font-weight: bold;">Old</span>''':''' Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
{| class="wikitable" style="margin: 1.5rem 1rem;"
|-
! Configuration
! Firefox
! Android
! Chrome
! Edge
! Internet Explorer
! Java
! OpenSSL
! Opera
! Safari
|-
| style="color: green;" | '''Modern'''
| style="text-align: center;" | 63
| style="text-align: center;" | 10.0
| style="text-align: center;" | 70
| style="text-align: center;" | 75
| style="text-align: center;" | --
| style="text-align: center;" | 11
| style="text-align: center;" | 1.1.1
| style="text-align: center;" | 57
| style="text-align: center;" | 12.1
|-
| style="color:orange;" | '''Intermediate'''
| style="text-align: center;" | 27
| style="text-align: center;" | 4.4.2
| style="text-align: center;" | 31
| style="text-align: center;" | 12
| style="text-align: center;" | 11 (Win7)
| style="text-align: center;" | 8u31
| style="text-align: center;" | 1.0.1
| style="text-align: center;" | 20
| style="text-align: center;" | 9
|-
| style="color:gray;" | '''Old'''
| style="text-align: center;" | 1
| style="text-align: center;" | 2.3
| style="text-align: center;" | 1
| style="text-align: center;" | 12
| style="text-align: center;" | 8 (WinXP)
| style="text-align: center;" | 6
| style="text-align: center;" | 0.9.8
| style="text-align: center;" | 5
| style="text-align: center;" | 1
|}

The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect forward secrecy.

The listing below shows the list of algorithms returned by this ciphersuite. If you have to pick them manually for your application, make sure you keep this ordering.

Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE ciphers are fairly recent, and not present on most versions of OpenSSL shipped with Ubuntu or RHEL. The listing below was obtained from a freshly built OpenSSL.

<source lang="bash">
$ openssl version
OpenSSL 1.1.0-dev xx XXX xxxx

$ openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:
AES128-GCM-SHA256:AES256-GCM-SHA384:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:
!MD5:!PSK' |column -t
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(128)    Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(256)    Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD
DHE-DSS-AES256-GCM-SHA384      TLSv1.2  Kx=DH          Au=DSS    Enc=AESGCM(256)    Mac=AEAD
DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH          Au=RSA    Enc=AESGCM(256)    Mac=AEAD
DHE-DSS-AES128-GCM-SHA256      TLSv1.2  Kx=DH          Au=DSS    Enc=AESGCM(128)    Mac=AEAD
DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH          Au=RSA    Enc=AESGCM(128)    Mac=AEAD
ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH        Au=RSA    Enc=AES(128)      Mac=SHA256
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(128)      Mac=SHA256
ECDHE-RSA-AES128-SHA          SSLv3    Kx=ECDH        Au=RSA    Enc=AES(128)      Mac=SHA1
ECDHE-ECDSA-AES128-SHA        SSLv3    Kx=ECDH        Au=ECDSA  Enc=AES(128)      Mac=SHA1
ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH        Au=RSA    Enc=AES(256)      Mac=SHA384
ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(256)      Mac=SHA384
ECDHE-RSA-AES256-SHA          SSLv3    Kx=ECDH        Au=RSA    Enc=AES(256)      Mac=SHA1
ECDHE-ECDSA-AES256-SHA        SSLv3    Kx=ECDH        Au=ECDSA  Enc=AES(256)      Mac=SHA1
DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH          Au=RSA    Enc=AES(128)      Mac=SHA256
DHE-RSA-AES128-SHA            SSLv3    Kx=DH          Au=RSA    Enc=AES(128)      Mac=SHA1
DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH          Au=RSA    Enc=AES(256)      Mac=SHA256
DHE-DSS-AES256-SHA            SSLv3    Kx=DH          Au=DSS    Enc=AES(256)      Mac=SHA1
ECDHE-RSA-RC4-SHA              SSLv3    Kx=ECDH        Au=RSA    Enc=RC4(128)      Mac=SHA1
ECDHE-ECDSA-RC4-SHA            SSLv3    Kx=ECDH        Au=ECDSA  Enc=RC4(128)      Mac=SHA1
AES128-GCM-SHA256              TLSv1.2  Kx=RSA        Au=RSA    Enc=AESGCM(128)    Mac=AEAD
AES256-GCM-SHA384              TLSv1.2  Kx=RSA        Au=RSA    Enc=AESGCM(256)    Mac=AEAD
RC4-SHA                        SSLv3    Kx=RSA        Au=RSA    Enc=RC4(128)      Mac=SHA1
SRP-DSS-AES-256-CBC-SHA        SSLv3    Kx=SRP        Au=DSS    Enc=AES(256)      Mac=SHA1
SRP-RSA-AES-256-CBC-SHA        SSLv3    Kx=SRP        Au=RSA    Enc=AES(256)      Mac=SHA1
DH-DSS-AES256-GCM-SHA384      TLSv1.2  Kx=DH/DSS      Au=DH    Enc=AESGCM(256)    Mac=AEAD
DH-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH/RSA      Au=DH    Enc=AESGCM(256)    Mac=AEAD
DHE-DSS-AES256-SHA256          TLSv1.2 Kx=DH          Au=DSS    Enc=AES(256)      Mac=SHA256
DH-RSA-AES256-SHA256          TLSv1.2  Kx=DH/RSA      Au=DH    Enc=AES(256)      Mac=SHA256
DH-DSS-AES256-SHA256          TLSv1.2  Kx=DH/DSS      Au=DH    Enc=AES(256)      Mac=SHA256
DHE-RSA-AES256-SHA            SSLv3    Kx=DH          Au=RSA    Enc=AES(256)      Mac=SHA1
DH-RSA-AES256-SHA              SSLv3    Kx=DH/RSA      Au=DH    Enc=AES(256)      Mac=SHA1
DH-DSS-AES256-SHA              SSLv3    Kx=DH/DSS      Au=DH    Enc=AES(256)      Mac=SHA1
DHE-RSA-CAMELLIA256-SHA        SSLv3    Kx=DH          Au=RSA    Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA        SSLv3    Kx=DH          Au=DSS    Enc=Camellia(256)  Mac=SHA1
DH-RSA-CAMELLIA256-SHA        SSLv3    Kx=DH/RSA      Au=DH    Enc=Camellia(256)  Mac=SHA1
DH-DSS-CAMELLIA256-SHA        SSLv3    Kx=DH/DSS      Au=DH    Enc=Camellia(256)  Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH/RSA    Au=ECDH  Enc=AESGCM(256)    Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH  Enc=AESGCM(256)    Mac=AEAD
ECDH-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH/RSA    Au=ECDH  Enc=AES(256)      Mac=SHA384
ECDH-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH  Enc=AES(256)      Mac=SHA384
ECDH-RSA-AES256-SHA            SSLv3    Kx=ECDH/RSA    Au=ECDH  Enc=AES(256)      Mac=SHA1
ECDH-ECDSA-AES256-SHA          SSLv3    Kx=ECDH/ECDSA  Au=ECDH  Enc=AES(256)      Mac=SHA1
AES256-SHA256                  TLSv1.2  Kx=RSA        Au=RSA    Enc=AES(256)      Mac=SHA256
AES256-SHA                    SSLv3    Kx=RSA        Au=RSA    Enc=AES(256)      Mac=SHA1
CAMELLIA256-SHA                SSLv3    Kx=RSA        Au=RSA    Enc=Camellia(256)  Mac=SHA1
SRP-DSS-AES-128-CBC-SHA        SSLv3    Kx=SRP        Au=DSS    Enc=AES(128)      Mac=SHA1
SRP-RSA-AES-128-CBC-SHA        SSLv3    Kx=SRP        Au=RSA    Enc=AES(128)      Mac=SHA1
DH-DSS-AES128-GCM-SHA256      TLSv1.2 Kx=DH/DSS      Au=DH    Enc=AESGCM(128)    Mac=AEAD
DH-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH/RSA      Au=DH    Enc=AESGCM(128)    Mac=AEAD
DHE-DSS-AES128-SHA256          TLSv1.2  Kx=DH          Au=DSS    Enc=AES(128)      Mac=SHA256
DH-RSA-AES128-SHA256          TLSv1.2  Kx=DH/RSA      Au=DH    Enc=AES(128)      Mac=SHA256
DH-DSS-AES128-SHA256          TLSv1.2  Kx=DH/DSS      Au=DH    Enc=AES(128)      Mac=SHA256
DHE-DSS-AES128-SHA            SSLv3    Kx=DH          Au=DSS    Enc=AES(128)      Mac=SHA1
DH-RSA-AES128-SHA              SSLv3    Kx=DH/RSA      Au=DH    Enc=AES(128)      Mac=SHA1
DH-DSS-AES128-SHA              SSLv3    Kx=DH/DSS      Au=DH    Enc=AES(128)       Mac=SHA1
DHE-RSA-CAMELLIA128-SHA        SSLv3    Kx=DH          Au=RSA    Enc=Camellia(128)  Mac=SHA1
DHE-DSS-CAMELLIA128-SHA        SSLv3    Kx=DH          Au=DSS    Enc=Camellia(128)  Mac=SHA1
DH-RSA-CAMELLIA128-SHA        SSLv3    Kx=DH/RSA      Au=DH    Enc=Camellia(128)  Mac=SHA1
DH-DSS-CAMELLIA128-SHA        SSLv3    Kx=DH/DSS      Au=DH    Enc=Camellia(128)  Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH/RSA    Au=ECDH  Enc=AESGCM(128)    Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH  Enc=AESGCM(128)    Mac=AEAD
ECDH-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH/RSA    Au=ECDH  Enc=AES(128)      Mac=SHA256
ECDH-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH  Enc=AES(128)      Mac=SHA256
ECDH-RSA-AES128-SHA            SSLv3    Kx=ECDH/RSA    Au=ECDH  Enc=AES(128)      Mac=SHA1
ECDH-ECDSA-AES128-SHA          SSLv3    Kx=ECDH/ECDSA  Au=ECDH  Enc=AES(128)      Mac=SHA1
AES128-SHA256                  TLSv1.2  Kx=RSA        Au=RSA    Enc=AES(128)      Mac=SHA256
AES128-SHA                    SSLv3    Kx=RSA        Au=RSA    Enc=AES(128)      Mac=SHA1
CAMELLIA128-SHA                SSLv3    Kx=RSA        Au=RSA    Enc=Camellia(128)  Mac=SHA1
</source>
 
The ciphers are described here: http://www.openssl.org/docs/apps/ciphers.html
 
= Prioritization logic =
 
# ECDHE+AESGCM ciphers are selected first. These are TLS 1.2 ciphers and not widely supported at the moment. No known attack currently targets these ciphers.
# [[#Forward_Secrecy|PFS]] ciphersuites are preferred, with ECDHE first, then DHE.
# AES 128 is preferred to AES 256. There have been [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html discussions] on whether the extra security of AES256 is worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
# AES is preferred to RC4. [[#Attacks_on_TLS|BEAST]] attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In comparison, attacks on RC4 are not mitigated and likely to become more and more dangerous.
 
= Mandatory discards =
 
* aNULL contains non-authenticated Diffie-Hellman key exchanges, which are subject to Man-In-The-Middle (MITM) attacks
* eNULL contains null-encryption ciphers (cleartext)
* EXPORT are legacy weak ciphers that were marked as exportable by US law
* DES and 3DES contain all legacy ciphers that used the deprecated Data Encryption Standard
* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated
* MD5 contains all the ciphers that use the broken message digest 5 as the hashing algorithm


= Forward Secrecy =

The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private key from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral.

With Forward Secrecy, if an attacker gets hold of the server's private key, it will not be able to decrypt past communications. The private key was only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.

Diffie-Hellman is slow. Faster implementations, such as Elliptic Curve Diffie-Hellman (ECDH), are promising but not widely supported. Therefore, forward secrecy is still considered the privilege of a few.

<p style="max-width: 60em;">The ordering of cipher suites in the <span style="color: gray; font-weight: bold;">Old</span> configuration is very important, as it determines the priority with which algorithms are selected.</p>

<p style="max-width: 60em;">OpenSSL will ignore cipher suites it doesn't understand, so always use the full set of cipher suites below, in their recommended order. The use of the <span style="color: gray; font-weight: bold;">Old</span> configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.</p>
<br style="clear: right;">

== <span style="color:green;">'''Modern'''</span> compatibility ==
For services with clients that support TLS 1.3 and don't need backward compatibility, the <span style="color: green; font-weight: bold;">Modern</span> configuration provides an extremely high level of security.

* Cipher suites (TLS 1.3): '''TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'''
* Cipher suites (TLS 1.2): (none)
* Protocols: '''TLS 1.3'''
* Certificate type: '''ECDSA (P-256)'''
* TLS curves: '''X25519, prime256v1, secp384r1'''
* HSTS: '''max-age=63072000''' (two years)
* Certificate lifespan: '''90 days'''
* Cipher preference: '''client chooses'''


<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<source>
0x13,0x01  - TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD
0x13,0x02  - TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD
0x13,0x03  - TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
</source>

== DHE handshake and dhparam ==

When an ephemeral Diffie-Hellman cipher is used, the server and the client negotiate a pre-master key using the Diffie-Hellman algorithm. This algorithm requires that the server sends the client a prime number and a generator. Neither is confidential, and both are sent in clear text. However, they must be signed, such that a MITM cannot hijack the handshake.

As an example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 works as follows:

# Server sends Client a [http://tools.ietf.org/html/rfc5246#section-7.4.3 SERVER KEY EXCHANGE] message during the SSL Handshake. The message contains:
## Prime number ''p''
## Generator ''g''
## Server's Diffie-Hellman public value ''A = g^X mod p'', where ''X'' is a private integer chosen by the server at random, and never shared with the client.
## signature ''S'' of the above (plus two random values) computed using the Server's private RSA key
# Client verifies the signature ''S''
# Client sends server a [http://tools.ietf.org/html/rfc5246#section-7.4.7 CLIENT KEY EXCHANGE] message. The message contains:
## Client's Diffie-Hellman public value ''B = g^Y mod p'', where ''Y'' is a private integer chosen at random and never shared.
# The Server and the Client can now calculate the pre-master secret using each other's public values:
## server calculates ''PMS = B^X mod p''
## client calculates ''PMS = A^Y mod p''
# Client sends a [http://tools.ietf.org/html/rfc5246#section-7.1 CHANGE CIPHER SPEC] message to the server, and both parties continue the handshake using ENCRYPTED HANDSHAKE MESSAGES
 
The size of the prime number ''p'' constrains the size of the pre-master key ''PMS'', because of the modulo operation. A smaller prime also means weaker values of ''A'' and ''B'', which could leak the secret values ''X'' and ''Y''. Thus, the prime ''p'' should not be smaller than the size of the RSA private key.
<source lang="bash">
$ openssl dhparam 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
..+..+...............+
-----BEGIN DH PARAMETERS-----
MBYCEQCHU6UNZoHMF6bPtj21Hn/bAgEC.....
......
-----END DH PARAMETERS-----
</source>
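The numbered steps above can be followed through with actual arithmetic. The script below is an added example, not code from the page or from Mozilla: it runs the SERVER KEY EXCHANGE / CLIENT KEY EXCHANGE steps with the document's symbols (''p'', ''g'', ''X'', ''A'', ''Y'', ''B'', ''PMS'') on a toy safe prime so the values stay readable, and shows why the client's signature check matters by altering ''A'' in transit. Two things are assumptions of the example rather than how TLS works: the RSA signature ''S'' is stood in for by a SHA-256 digest over the two randoms and the DH parameters (it shows what the signature covers, not that it is unforgeable), and the safe-prime test is trial division that only makes sense for toy sizes. A real server uses the 2048-bit parameters produced by <code>openssl dhparam 2048</code> as shown.

```python
"""Walk-through of the DHE exchange in the steps above. Added example, not
the page's code. Toy-sized numbers; a real deployment uses `openssl dhparam`."""
import hashlib


def is_safe_prime(p):
    """True if p and (p-1)/2 are both prime. Trial division: toy sizes only."""
    def is_prime(n):
        if n < 2:
            return False
        return all(n % d for d in range(2, int(n ** 0.5) + 1))
    return is_prime(p) and is_prime((p - 1) // 2)


def dh_prime_acceptable(prime_bits, rsa_key_bits):
    """The page's rule: the DH prime must not be smaller than the RSA key."""
    return prime_bits >= rsa_key_bits


def transcript_digest(client_random, server_random, p, g, A):
    # Stand-in for what the server's RSA key signs: both hello randoms plus
    # the DH parameters (assumption of this example, see lead-in).
    data = client_random + server_random + f"{p}:{g}:{A}".encode()
    return hashlib.sha256(data).hexdigest()


def server_key_exchange(p, g, X, client_random, server_random):
    """Step 1: server keeps X private, sends p, g, A = g^X mod p and S."""
    A = pow(g, X, p)
    return {"p": p, "g": g, "A": A,
            "S": transcript_digest(client_random, server_random, p, g, A)}


def client_verifies(msg, client_random, server_random):
    """Step 2: client checks S against the parameters it actually received."""
    expected = transcript_digest(client_random, server_random,
                                 msg["p"], msg["g"], msg["A"])
    return msg["S"] == expected


def run_handshake(p, g, X, Y, client_random, server_random, altered_A=None):
    """Return (PMS computed by server, PMS computed by client), or None when the
    client rejects the SERVER KEY EXCHANGE. altered_A models the message being
    modified in transit: S still covers the original A, so the check fails."""
    ske = server_key_exchange(p, g, X, client_random, server_random)
    if altered_A is not None:
        ske = dict(ske, A=altered_A)
    if not client_verifies(ske, client_random, server_random):
        return None                     # client aborts, no PMS is derived
    B = pow(g, Y, p)                    # step 3: CLIENT KEY EXCHANGE carries B = g^Y mod p
    pms_server = pow(B, X, p)           # step 4: server computes B^X mod p
    pms_client = pow(ske["A"], Y, p)    #         client computes A^Y mod p
    return pms_server, pms_client


if __name__ == "__main__":
    p, g = 23, 5                        # toy safe prime and generator
    cr, sr = b"c" * 32, b"s" * 32       # constructed ClientHello/ServerHello randoms
    print("safe prime:", is_safe_prime(p))
    print("PMS (server, client):", run_handshake(p, g, 6, 15, cr, sr))
    print("altered A in transit:", run_handshake(p, g, 6, 15, cr, sr, altered_A=9))
```

With ''p'' = 23, ''g'' = 5, ''X'' = 6 and ''Y'' = 15 both sides land on ''PMS'' = 2 without either private exponent ever leaving its owner; the private RSA key is only involved in producing ''S'', which is why its later compromise does not expose past pre-master secrets.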


* Rationale:
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** We recommend ECDSA certificates using P-256, as P-384 provides negligible improvements to security and Ed25519 is not yet widely supported

= OCSP Stapling =

When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRLs is that the lists have grown huge and take forever to download. OCSP is much more lightweight, as only one record is retrieved at a time. But the side effect is that OCSP requests must be made to a 3rd party OCSP responder when connecting to a server, which adds latency and potential failures.
 
The solution is to allow the server to send the OCSP record during the TLS handshake, therefore bypassing the OCSP responder. This mechanism saves a roundtrip between the client and the OCSP responder, and is called OCSP Stapling.
 
The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate:
<pre>
Authority Information Access:
      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
</pre>
 
= Recommended Server Configurations =
 
== Nginx ==
 
Nginx provides the best TLS support at the moment. It is the only daemon that provides OCSP Stapling, custom DH parameters, and the full flavor of TLS versions (from OpenSSL).
 
The detail of each configuration parameter, and how to build a recent Nginx with OpenSSL, is [[#Nginx_configuration_details|at the end of this document]].
 
<pre>
server {
    listen 443;
    ssl on;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers '<recommended ciphersuite from top of this page>';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    # Enable this if you want HSTS (recommended, but be careful)
    # add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
}
</pre>
 
== Apache ==
 
In Apache 2.4.6, the DH parameter is always set to 1024 bits and is not user configurable. Future versions of Apache will automatically select a better value for the DH parameter.
The configuration below is recommended.
<pre>
<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile  /path/to/private/key
    SSLCACertificateFile    /path/to/all_ca_certs
    SSLProtocol            all -SSLv2 -SSLv3
    SSLCipherSuite          <recommended ciphersuite from top of this page>
    SSLHonorCipherOrder    on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)
    # Enable this if you want HSTS (recommended, but be careful)
    # Header add Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>
</pre>
 
== Haproxy ==
 
SSL support in Haproxy is still Beta and shouldn't be used to terminate production SSL traffic.
Haproxy lacks support for OCSP Stapling. All other features are available, including custom dhparams.
 
<pre>
frontend ft_test
  mode    http
  bind    0.0.0.0:443 ssl crt /path/to/<cert+privkey+intermediate+dhparam> ciphers <recommended_ciphersuite>
  # Enable this if you want HSTS (recommended, but be careful)
  # rspadd  Strict-Transport-Security:\ max-age=15768000
</pre>
 
== Stud ==

Stud is a lightweight SSL termination proxy. It's basically a wrapper for OpenSSL. Stud is not being heavily developed, and features such as OCSP stapling are missing. But it is very lightweight and efficient, and with a recent openssl, supports all the TLS 1.2 ciphers.
<pre>
# SSL x509 certificate file. REQUIRED.
# List multiple certs to use SNI. Certs are used in the order they
# are listed; the last cert listed will be used if none of the others match
#
# type: string
pem-file = "<concatenate cert + privkey + dhparam>"
# SSL protocol.
#
tls = on
ssl = on
# List of allowed SSL ciphers.
#
# Run openssl ciphers for list of available ciphers.
# type: string
ciphers = "<recommended ciphersuite from top of this page>"
# Enforce server cipher list order
#
# type: boolean
prefer-server-ciphers = on
</pre>

== <span style="color:orange;">'''Intermediate'''</span> compatibility (recommended) ==
<p style="max-width: 60em;">For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.</p>


* Cipher suites (TLS 1.3): '''TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'''
* Cipher suites (TLS 1.2): '''ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'''
* Protocols: '''TLS 1.2, TLS 1.3'''
* TLS curves: '''X25519, prime256v1, secp384r1'''
* Certificate type: '''ECDSA (P-256)''' (recommended), or '''RSA (2048 bits)'''
* DH parameter size: '''2048''' (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])
* HSTS: '''max-age=63072000''' (two years)
* Certificate lifespan: '''90 days''' (recommended) to '''366 days'''
* Cipher preference: '''client chooses'''

<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<source>
0x13,0x01  - TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD
0x13,0x02  - TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD
0x13,0x03  - TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xC0,0x2B  - ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2F  - ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2C  - ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD
0xC0,0x30  - ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xA9  - ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xCC,0xA8  - ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0x00,0x9E  - DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0x00,0x9F  - DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xAA  - DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
</source>

== Amazon Web Services Elastic Load Balancer (AWS ELB) ==

ELBs support TLS 1.2, but lack support for cipher ordering, custom DH parameters and OCSP Stapling.
The default configuration of ELBs doesn't enable the correct ciphers or versions of TLS. This can be done by hand in the Web Console, but is tedious. Gene Wood, from Identity Ops, wrote a script that configures the proper TLS policy on ELB: https://github.com/mozilla/identity-ops/blob/master/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
 
Because of the lack of server side ordering, it is preferable to terminate TLS connections on something other than ELBs. ELBs can be used at layer 4 to load balance TCP connections, and terminate SSL on Nginx, Apache or any suitable TLS stack.
When using ELBs as an L4 load balancer, the following limitations apply:
* Client IP will be hidden from the backend servers. The application behind the ELB will only see the IP of the ELB. Headers such as X-Forwarded-For cannot be used to store the client IP, because the ELB does not decrypt the SSL.
* Only layer 4 type heartbeats can be used (connection establishment on target port).
* Session stickiness will only be possible by source IP: one source IP will always reach the same application server. Session stickiness via cookie cannot be used, because the ELB does not decrypt the SSL.
ELBs support HAproxy's proxy protocol, which removes the need for X-Forwarded-For and operates with a header placed right before the TCP packet. While still in beta, a solution composed of L4 ELBs that send TCP traffic to HAproxy for SSL termination would solve the limitations above.
 
== Zeus (Riverbed Stingray) ==
Zeus lacks support for TLS 1.2, Elliptic Curves, AES-GCM and OCSP Stapling.
 
The recommended prioritization is:
# DHE-RSA-AES128-SHA
# DHE-RSA-AES256-SHA
# AES128-SHA
# AES256-SHA
# RC4-SHA
# DES-CBC3-SHA
# EDH-RSA-DES-CBC3-SHA
 
While the recommended DH prime size is 2048, problems with client libraries, such as Java 6, make this impossible to deploy for now. Therefore, a DH prime of 1024 bits should be used until all clients are compatible with larger primes.
 
Zeus uses the RSA BSAFE crypto library.
<source lang="bash">
# ./zeus.zxtm -vv | grep ^Crypto
Crypto library          : RSA CryptoC6.4
</source>
The following ciphersuites are supported by Zeus.
<pre>
ssl!ssl3_ciphers
    This is a list (space, comma or colon separated) of SSL ciphers that will be used with performing SSL decryption or SSL encryption. The order of the supplied list determines the priority of the ciphers for SSL decryption.
    The default order is:
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_MD5
        SSL_RSA_WITH_AES_256_CBC_SHA
        SSL_DHE_RSA_WITH_AES_256_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_AES_128_CBC_SHA
        SSL_DHE_RSA_WITH_AES_128_CBC_SHA
    In addition, the following ciphers are supported but disabled by default:
        SSL_RSA_EXPORT_WITH_RC4_56_SHA
        SSL_RSA_EXPORT_WITH_RC4_56_MD5
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_WITH_NULL_SHA
        SSL_RSA_WITH_NULL_MD5
</pre>
* Rationale:
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** Windows XP (including all embedded versions) is no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
** Administrators needing to provide access to [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=36 IE 11 on Windows Server 2008 R2] and who are unable to switch to or add ECDSA certificates can add <tt>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</tt>
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation

== <span style="color:gray;">'''Old'''</span> backward compatibility ==
This configuration is compatible with a number of very old clients, and should be used only as a last resort.

* Cipher suites (TLS 1.3): '''TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'''
* Cipher suites (TLS 1.0 - 1.2): '''ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'''
* Protocols: '''TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3'''
* TLS curves: '''X25519, prime256v1, secp384r1'''
* Certificate type: '''RSA (2048-bits)'''
* Certificate curve: '''None'''
* DH parameter size: '''1024''' (generated with <tt>openssl dhparam 1024</tt>)
* HSTS: '''max-age=63072000''' (two years)
* Certificate lifespan: '''90 days''' (recommended) to '''366 days'''
* Cipher preference: '''server chooses'''

<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<source>
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1
</source>

* Rationale:
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use
** This configuration requires custom builds to work with modern versions of OpenSSL, using <tt>enable-ssl3</tt>, <tt>enable-ssl3-method</tt>, <tt>enable-deprecated</tt>, and <tt>enable-weak-ssl-ciphers</tt>
** Most ciphers that are not clearly broken and dangerous to use are supported

= JSON version of the recommendations =
<p style="max-width: 60em;">Mozilla also maintains [https://ssl-config.mozilla.org/guidelines/5.7.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.</p>

<p style="max-width: 60em;">We also maintain a [https://ssl-config.mozilla.org/guidelines/latest.json rolling version] of these recommendations, with the caveat that they may change '''without warning''' and '''without providing backwards compatibility'''. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://ssl-config.mozilla.org/guidelines/5.7.json version-specific file] instead.</p>

= Version History =
{| class="wikitable"
|-
! Version
! Editor
! Changes
|-
| style="text-align: center;" | 5.7
| style="text-align: center;" | Gene Wood
| Add DHE-RSA-CHACHA20-POLY1305 cipher to the Intermediate configuration
|-
| style="text-align: center;" | 5.6
| style="text-align: center;" | April King
| Fixed incorrect cipher ordering for the Intermediate configuration
|-
| style="text-align: center;" | 5.5
| style="text-align: center;" | April King
| Update certificate lifespan to reflect browser policy changes
|-
| style="text-align: center;" | 5.3
| style="text-align: center;" | April King
| Bump links to point to 5.3 guidelines, since it fixes a small JSON error
|-
| style="text-align: center;" | 5.0.1
| style="text-align: center;" | April King
| Add note about IE 11 on Windows Server 2008 R2
|-
| style="text-align: center;" | 5.0
| style="text-align: center;" | April King
| Server Side TLS 5.0
|-
| style="text-align: center;" | 4.2
| style="text-align: center;" | April King
| Updated cipher suite table
|-
| style="text-align: center;" | 4.1
| style="text-align: center;" | Julien Vehent
| Clarify Logjam notes, Clarify risk of TLS Tickets
|-
| style="text-align: center;" | 4
| style="text-align: center;" | Julien Vehent
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON
|-
| style="text-align: center;" | 3.8
| style="text-align: center;" | Julien Vehent
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)
|-
| style="text-align: center;" | 3.7
| style="text-align: center;" | Julien Vehent
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)
|-
| style="text-align: center;" | 3.6
| style="text-align: center;" | Julien Vehent
| bump intermediate DHE to 2048, add note about java compatibility
|-
| style="text-align: center;" | 3.5
| style="text-align: center;" | alm
| comment on weakdh vulnerability
|-
| style="text-align: center;" | 3.4
| style="text-align: center;" | Julien Vehent
| added note about session resumption, HSTS, and HPKP
|-
| style="text-align: center;" | 3.3
| style="text-align: center;" | Julien Vehent
| fix SHA256 prio, add POODLE details, update various templates
|-
| style="text-align: center;" | 3.2
| style="text-align: center;" | Julien Vehent
| Added intermediate compatibility mode, renamed other modes
|-
| style="text-align: center;" | 3.1
| style="text-align: center;" | Julien Vehent
| Added non-backward compatible ciphersuite
|-
| style="text-align: center;" | 3
| style="text-align: center;" | Julien Vehent
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates
|-
| style="text-align: center;" | 2.5.1
| style="text-align: center;" | Julien Vehent
| Revisit ELB capabilities
|-
| style="text-align: center;" | 2.5
| style="text-align: center;" | Julien Vehent
| Update ZLB information for OCSP Stapling and ciphersuite
|-
| style="text-align: center;" | 2.4
| style="text-align: center;" | Julien Vehent
| Moved a couple of aes128 above aes256 in the ciphersuite
|-
| style="text-align: center;" | 2.3
| style="text-align: center;" | Julien Vehent
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)
|-
| style="text-align: center;" | 2.2
| style="text-align: center;" | Julien Vehent
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool
|-
| style="text-align: center;" | 2.1
| style="text-align: center;" | Julien Vehent
| RC4 vs 3DES discussion. r=joes r=tinfoil
|-
| style="text-align: center;" | 2.0
| style="text-align: center;" | Julien Vehent, kang
| Public release.
|-
| style="text-align: center;" | 1.5
| style="text-align: center;" | Julien Vehent, kang
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf
|-
| style="text-align: center;" | 1.4
| style="text-align: center;" | Julien Vehent
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.
|-
| style="text-align: center;" | 1.3
| style="text-align: center;" | Julien Vehent
| added netscaler example conf
|-
| style="text-align: center;" | 1.2
| style="text-align: center;" | Julien Vehent
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4
|-
| style="text-align: center;" | 1.1
| style="text-align: center;" | Julien Vehent, kang
| integrated review comments from Infra; SPDY information
|-
| style="text-align: center;" | 1.0
| style="text-align: center;" | Julien Vehent
| creation
|-
| colspan="3" | &nbsp;
|-
| colspan="2" style="border-right: none;" | '''Document Status:'''
| style="border-left: none; color:green; text-align: center;" | '''READY'''
|}

== Citrix Netscaler ==
The configuration sample below shows how a default ciphersuite object can be created and attached to a vserver.
<pre>
add ssl cipher MozillaDefault
bind ssl cipher MozillaDefault -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher MozillaDefault -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher MozillaDefault -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher MozillaDefault -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher MozillaDefault -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher MozillaDefault -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher MozillaDefault -cipherName SSL3-RC4-SHA

add ssl certKey <domain> -cert <cert> -key <key>
add ssl certKey <intermediateCertName> -cert <intermediateCertName>
link ssl certKey <domain> <intermediateCertName>
set ssl vserver <domain>:https -eRSA ENABLED
bind ssl vserver <domain>:https -cipherName MozillaDefault
</pre>
The configuration can be viewed with the following commands: ''show ssl cipher MozillaDefault''

<pre>
> show ssl vserver marketplace.firefox.com:https
    Advanced SSL configuration for VServer marketplace.firefox.com:https:
    DH: DISABLED
    Ephemeral RSA: ENABLED        Refresh Count: 0
    Session Reuse: ENABLED        Timeout: 120 seconds
    Cipher Redirect: DISABLED
    SSLv2 Redirect: DISABLED
    ClearText Port: 0
    Client Auth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SNI: DISABLED
    SSLv2: DISABLED    SSLv3: ENABLED    TLSv1: ENABLED
    Push Encryption Trigger: Always
    Send Close-Notify: YES
</pre>

= CipherScan =
See https://github.com/jvehent/cipherscan

Cipherscan is a small Bash script that connects to a target and lists the preferred ciphers. It's an easy way to test a web server for available ciphers, but not as comprehensive as SSLLabs.
The example below shows the expected output of CipherScan with the recommended ciphersuite, on a properly configured Nginx.
<source lang="bash">
$ ./CiphersScan.sh jve.linuxwall.info:443
prio ciphersuite                  protocol  pfs_keysize
1    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2   ECDH,P-256,256bits
2    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2   ECDH,P-256,256bits
3    DHE-RSA-AES256-GCM-SHA384    TLSv1.2   DH,4096bits
4    DHE-RSA-AES128-GCM-SHA256    TLSv1.2   DH,4096bits
5    ECDHE-RSA-AES128-SHA256      TLSv1.2   ECDH,P-256,256bits
6    ECDHE-RSA-AES128-SHA         TLSv1.2   ECDH,P-256,256bits
7    ECDHE-RSA-AES256-SHA384      TLSv1.2   ECDH,P-256,256bits
8    ECDHE-RSA-AES256-SHA         TLSv1.2   ECDH,P-256,256bits
9    DHE-RSA-AES128-SHA256        TLSv1.2   DH,4096bits
10   DHE-RSA-AES128-SHA           TLSv1.2   DH,4096bits
11   DHE-RSA-AES256-SHA256        TLSv1.2   DH,4096bits
12   AES128-GCM-SHA256            TLSv1.2
13   AES256-GCM-SHA384            TLSv1.2
14   ECDHE-RSA-RC4-SHA            TLSv1.2   ECDH,P-256,256bits
15   RC4-SHA                      TLSv1.2
16   DHE-RSA-AES256-SHA           TLSv1.2   DH,4096bits
17   DHE-RSA-CAMELLIA256-SHA      TLSv1.2   DH,4096bits
18   AES256-SHA256                TLSv1.2
19   AES256-SHA                   TLSv1.2
20   CAMELLIA256-SHA              TLSv1.2
21   DHE-RSA-CAMELLIA128-SHA      TLSv1.2   DH,4096bits
22   AES128-SHA256                TLSv1.2
23   AES128-SHA                   TLSv1.2
24   CAMELLIA128-SHA              TLSv1.2
</source>

= SSL Labs (Qualys) =
Available here: https://www.ssllabs.com/ssltest/

Qualys SSL Labs provides a very nice and comprehensive SSL testing suite.

GlobalSign has a modified interface of SSL Labs with a few more bells and whistles: https://sslcheck.globalsign.com/

= Appendices =
== Supported ciphers on various systems ==
On a variety of ~900 systems (RHEL5 & 6, CentOS 5 & 6 and Ubuntu), the following versions of OpenSSL were found:
{| class="wikitable"
|-
! Systems !! OpenSSL version
|-
| 37 || OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
|-
| 35 || OpenSSL 0.9.8k 25 Mar 2009
|-
| 777 || OpenSSL 1.0.0-fips 29 Mar 2010
|-
| 18 || OpenSSL 1.0.1 14 Mar 2012
|}

The recommended ciphersuite was tested on each system. The list below shows the ciphersuites supported by all tested systems. However old your setup may be, it is safe to assume that the following ciphers are going to be available, in the following order:

{| class="wikitable"
|-
! Cipher !! Has Forward Secrecy !! Issues
|-
| RC4-SHA || No || RC4 Warning
|-
| DHE-RSA-AES128-SHA || Yes || vulnerable to BEAST
|-
| DHE-RSA-AES256-SHA || Yes || vulnerable to BEAST
|-
| AES256-SHA || No || vulnerable to BEAST
|-
| DHE-DSS-AES128-SHA || Yes || vulnerable to BEAST
|-
| DHE-DSS-AES256-SHA || Yes || vulnerable to BEAST
|-
| AES128-SHA || No || vulnerable to BEAST
|}
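The CipherScan listing and the cipher tables above are only useful if someone compares them against the policy. The following is an added example, not code from this page or from the cipherscan project: it parses a listing in cipherscan's "prio ciphersuite protocol pfs_keysize" layout and flags every offered suite that the Intermediate configuration does not allow, giving the reason (no forward secrecy, RC4, DES/3DES, not AEAD, protocol below TLS 1.2). The sample listing is constructed from the page's own CipherScan output, and the classification works from the OpenSSL suite name alone (an assumption: it never asks OpenSSL what a name means).

```python
"""Lint a CipherScan listing against the Intermediate cipher policy on this page.

Added example; not code from the page or from the cipherscan project. The sample
listing is constructed from the page's own CipherScan output and classification is
by OpenSSL suite name only (an assumption: nothing here queries OpenSSL).
"""
import re

# The TLS 1.2 suites of this page's Intermediate configuration
INTERMEDIATE_TLS12 = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-CHACHA20-POLY1305"
).split(":")

# Constructed sample in cipherscan's "prio ciphersuite protocol pfs_keysize" layout
SAMPLE_SCAN = """\
prio ciphersuite                  protocol  pfs_keysize
1    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2   ECDH,P-256,256bits
3    DHE-RSA-AES256-GCM-SHA384    TLSv1.2   DH,4096bits
6    ECDHE-RSA-AES128-SHA         TLSv1.2   ECDH,P-256,256bits
14   ECDHE-RSA-RC4-SHA            TLSv1.2   ECDH,P-256,256bits
15   RC4-SHA                      TLSv1.2
23   AES128-SHA                   TLSv1.2
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_scan(text):
    """Return (prio, suite, protocol, pfs_keysize) tuples. pfs_keysize is None when
    cipherscan printed nothing, i.e. the suite has no ephemeral key exchange."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header row starts with 'prio', not a number, so it does not match
            prio, suite, proto, pfs = m.groups()
            rows.append((int(prio), suite, proto, pfs))
    return rows


def classify(suite):
    """Name-based findings for one OpenSSL suite name (empty list = nothing to flag)."""
    findings = []
    if not suite.startswith(("ECDHE-", "DHE-", "TLS_")):
        findings.append("no forward secrecy")
    if "RC4" in suite:
        findings.append("RC4")
    if "DES" in suite:  # single DES and 3DES (DES-CBC3-SHA)
        findings.append("DES/3DES")
    if not any(tag in suite for tag in ("GCM", "CHACHA20", "CCM")):
        findings.append("not AEAD")
    return findings


def lint(text, policy=INTERMEDIATE_TLS12):
    """Map every scanned suite to its findings. A suite on the policy list gets an
    empty list; anything else is flagged, with the name-based reasons appended."""
    report = {}
    for _prio, suite, proto, _pfs in parse_scan(text):
        if suite in policy:
            report[suite] = []
        else:
            report[suite] = ["not in Intermediate list"] + classify(suite)
            if proto in ("SSLv3", "TLSv1", "TLSv1.1"):
                report[suite].append("protocol below TLS 1.2")
    return report


def offending(text, policy=INTERMEDIATE_TLS12):
    """Suites the server offers that the policy does not allow, in scan priority order."""
    return [suite for suite, findings in lint(text, policy).items() if findings]


if __name__ == "__main__":
    for suite, findings in lint(SAMPLE_SCAN).items():
        print(f"{suite:32} {'ok' if not findings else ', '.join(findings)}")
```

Running it on the page's full listing flags the RC4, CBC and Camellia suites the older configuration still carried; for a server meant to match the Intermediate configuration, `offending()` should come back empty.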
== Attacks on TLS ==
=== BEAST CVE-2011-3389 ===
BEAST is a vulnerability in how the Initialization Vector (IV) is chosen for the CBC mode of AES, Camellia and the other ciphers that use CBC mode. It allows a MITM attacker to recover plaintext values by having the same message encrypted multiple times.
BEAST is mitigated in TLS 1.1 and above.
more: https://blog.torproject.org/blog/tor-and-beast-ssl-attack
=== LUCKY13 ===
Lucky13 is another attack on CBC mode: it exploits timing differences in the server's padding check to decrypt ciphertext.
more: https://www.imperialviolet.org/2013/02/04/luckythirteen.html
=== RC4 weaknesses ===
It has been proven that RC4 biases in the first 256 bytes of a cipherstream can be used to recover encrypted text. If the same data is encrypted a very large number of times, an attacker can apply statistical analysis to the results and recover the encrypted text. While hard to perform, this attack shows that it is time to push RC4 down the ciphersuite.
more: http://security.stackexchange.com/questions/32497/tls-rc4-or-not-rc4
=== CRIME CVE-2012-4929 ===
The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then they will be able to extract the unknown data from it.
more: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
=== BREACH ===
This is a more complex attack than CRIME, which does not require TLS-level compression (it still needs HTTP-level compression).
To succeed, it requires the target to:
# Be served from a server that uses HTTP-level compression
# Reflect user-input in HTTP response bodies
# Reflect a secret (such as a CSRF token) in HTTP response bodies
more: http://breachattack.com/
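The third condition above, a static secret reflected in every response body, is the one a web application can break on its own: if the bytes that carry the secret change on every response, the length signal BREACH relies on disappears. The block below is an added example, not code from this page or from breachattack.com; it implements the widely deployed CSRF-token masking (a fresh random mask, transmitted as mask || mask XOR secret) and the matching server-side check. Function names are this example's own.

```python
"""Per-response masking of a reflected secret, the usual defence against the third
BREACH condition (a static secret such as a CSRF token in the response body).

Added example, not from the page or from breachattack.com. The scheme (random
one-time mask, then mask || mask XOR secret) is the widely deployed CSRF-token
masking; names are this example's own.
"""
import base64
import hmac
import secrets


def mask_secret(secret: bytes) -> str:
    """Encode the secret so that its bytes differ on every response: a random
    one-time mask is prepended to the XOR of mask and secret."""
    mask = secrets.token_bytes(len(secret))
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_secret(token: str, secret_len: int) -> bytes:
    """Recover the secret from a masked token; raises ValueError on malformed input."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    if len(raw) != 2 * secret_len:
        raise ValueError("masked token has the wrong length")
    mask, masked = raw[:secret_len], raw[secret_len:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def token_matches(token: str, secret: bytes) -> bool:
    """Server-side check of a submitted token against the session secret, using a
    constant-time comparison so the check itself leaks nothing."""
    try:
        candidate = unmask_secret(token, len(secret))
    except ValueError:  # bad base64, bad length, non-ASCII input
        return False
    return hmac.compare_digest(candidate, secret)


if __name__ == "__main__":
    session_secret = secrets.token_bytes(32)  # constructed: the per-session CSRF secret
    print(mask_secret(session_secret))        # differs on every call
    print(mask_secret(session_secret))
```

The secret itself stays constant for the session; only its encoding on the wire changes, so an attacker guessing the secret one byte at a time no longer sees a compressed length that depends on the guess. The masking does not replace the other two mitigations implied by the list above (not reflecting user input next to secrets, or not compressing such responses at all).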
== SPDY ==
(see also http://en.wikipedia.org/wiki/SPDY)
SPDY is a protocol that incorporates TLS and attempts to reduce latency when loading pages. It is not currently an HTTP standard (although it is being drafted for HTTP 2.0), but it is widely supported.
SPDY version 3 is vulnerable to the CRIME attack (see also http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl) because of its use of compression. Clients currently implement a non-standard gzip workaround to circumvent the vulnerability. SPDY version 4 is planned to include a proper fix.
== TLS tickets (RFC 5077) ==
Once a TLS handshake has been negotiated between the server and the client, both may exchange a session ticket, which contains an AES-CBC 128-bit key that can decrypt the session. This key is generally static and only regenerated when the web server is restarted (with recent versions of Apache, it's stored in a file and also kept across restarts).
The current work-around is to disable RFC 5077 support.
more: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
== Nginx configuration details ==
Originally published on Julien Vehent's blog at https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL
=== Building Nginx ===
To build Nginx from source, you will need a copy of the PCRE and OpenSSL libraries:
* PCRE can be found here: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
* OpenSSL can be found here: http://www.openssl.org/source/
Decompress both libraries next to the Nginx source code:
<pre>
julien@sachiel:~/nginx_openssl$ ls
build_static_nginx.sh  nginx  openssl-1.0.1e  pcre-8.33
</pre>
The script build_static_nginx.sh takes care of the rest. It should work out of the box, but you might have to edit the paths if you have different versions of the libraries. It builds a static version of OpenSSL into Nginx, so you don't have to install the OpenSSL libraries afterward.
<source lang="bash">
#!/usr/bin/env bash
# Build a static OpenSSL, then an nginx linked against it.
# Expects ./openssl-1.0.1e and ./pcre-8.33 next to this script; adjust the
# paths below if your library versions differ.
set -e
export BPATH=$(pwd)
export STATICLIBSSL="$BPATH/staticlibssl"
#-- Build static openssl
cd "$BPATH/openssl-1.0.1e"
rm -rf "$STATICLIBSSL"
mkdir "$STATICLIBSSL"
make clean || true   # harmless on a pristine tree
./config --prefix="$STATICLIBSSL" no-shared enable-ec_nistp_64_gcc_128 \
&& make depend \
&& make \
&& make install_sw
#-- Build nginx
cd "$BPATH"
[ -d nginx ] || hg clone http://hg.nginx.org/nginx
cd "$BPATH/nginx"
mkdir -p "$BPATH/opt/nginx"
hg pull
# No rpath is needed: libssl and libcrypto are linked statically from $STATICLIBSSL/lib
./auto/configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -lssl -lcrypto -ldl -lz" \
--prefix="$BPATH/opt/nginx" \
--with-pcre="$BPATH/pcre-8.33" \
--with-http_ssl_module \
--with-http_spdy_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make && make install
NGINXBIN="$BPATH/opt/nginx/sbin/nginx"
if [ -x "$NGINXBIN" ]; then
    "$NGINXBIN" -V
    echo -e "\nNginx binary built in $BPATH/opt/nginx/sbin/nginx\n"
fi
</source>
=== Server Name Identification ===
Support for SNI is built into recent versions of nginx. Use nginx -V to check:
<pre>
# /opt/nginx -V
...
TLS SNI support enabled
...
</pre>
=== Configuration directives ===
==== ssl_certificate ====
This parameter points to a file that contains the server and intermediate certificates, concatenated together. Nginx loads that file and sends its content in the SERVER HELLO message during the handshake.
==== ssl_certificate_key ====
This is the path to the private key.
==== ssl_dhparam ====
When DHE ciphers are used, a prime number is shared between server and client to perform the Diffie-Hellman Key Exchange. I won't get into the details of Perfect Forward Secrecy here, but do know that the larger the prime is, the better the security. Nginx lets you specify the prime number you want the server to send to the client in the ssl_dhparam directive. The prime number is sent by the server to the client in the Server Key Exchange message of the handshake. To generate the dhparam, use ''openssl dhparam 4096''
A word of warning though, it appears that Java 6 does not support dhparam larger than 1024 bits. Clients that use Java 6 won't be able to connect to your site if you use a larger dhparam. (there might be issues with other libraries as well, I only know about the java one).
==== ssl_session_timeout ====
When a client connects multiple times to a server, the server uses session caching to accelerate the subsequent handshakes, effectively reusing the session key generated in the first handshake multiple times. This is called session resumption. This parameter sets the session timeout to 5 minutes, meaning that the session key will be deleted from the cache if not used for 5 minutes.
==== ssl_session_cache ====
The session cache is a shared memory that contains all the session keys. All the Nginx workers can access the shared memory. It is used for session resumption, and significantly reduces handshake latency when one client connects multiple times.
==== ssl_protocols ====
List the versions of TLS you wish to support. It's pretty much safe to disable SSLv3 these days, but TLSv1 is still required by a bunch of clients. Remember that clients are not only web browsers, but also libraries that might be used to crawl your site.
==== ssl_ciphers ====
The ciphersuite is truly the core of an SSL configuration. Mine is very long, and I spent a ridiculous amount of time researching it. I won't get into the details of its construction here, as I'll be writing more on this in the next few weeks.
==== ssl_prefer_server_ciphers ====
This parameter forces nginx to pick the preferred cipher from its own ciphersuite, as opposed to using the one preferred by the client. This is an important option since most clients have unsafe or outdated preferences, and you'll most likely provide better security by enforcing a strong ciphersuite server-side.
==== HTTP Strict Transport Security ====
HSTS is an HTTP header that tells clients to connect to the site using HTTPS only. It enforces security by telling clients that any HTTP URL to a given site should be ignored. The directive is cached on the client side for the duration of max-age. In this case, 182 days.
==== ssl_stapling ====
Nginx supports OCSP stapling in two modes. The OCSP file can be downloaded and made available to nginx, or nginx itself can retrieve the OCSP record and cache it. The second mode is recommended.
==== ssl_stapling_verify ====
Nginx has the ability to verify the OCSP record before caching it. But to enable it, a list of trusted certificates must be available in the ssl_trusted_certificate parameter.
==== ssl_trusted_certificate ====
This is a path to a file where CA certificates are concatenated. For ssl_stapling_verify to work, this file must contain the Root CA cert and the Intermediate CA certificates. In the case of StartSSL, the Root CA and Intermediate I use are here: https://jve.linuxwall.info/ressources/code/startssl_trust_chain.txt
==== resolver ====
Nginx needs a DNS resolver to obtain the IP address of the OCSP responder.
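The directives above are easier to judge together than one at a time. The server block below is an added example, not the page's or nginx's own configuration: it assembles every directive described in this section into one <tt>server</tt> block, taking the protocol, cipher and HSTS values from this page's Intermediate configuration and the 5-minute session timeout from the text above, and disabling RFC 5077 tickets as the TLS tickets section recommends. File paths, the host name and the resolver address are placeholders.

```nginx
# Added example: an nginx server block built from the directives described above.
# Values come from this page's Intermediate configuration; all paths, the host
# name and the resolver address are placeholders.
server {
    listen 443 ssl http2;
    server_name example.org;                                      # placeholder

    # Server certificate followed by the intermediate(s), concatenated
    ssl_certificate     /etc/nginx/certs/example.org.chain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.org.key;         # placeholder path

    # Group for the DHE-RSA suites. The Intermediate configuration uses the
    # 2048-bit RFC 7919 ffdhe2048 group instead of a locally generated prime;
    # the configuration generator linked on this page serves it as a PEM file.
    ssl_dhparam /etc/nginx/certs/ffdhe2048.pem;                   # placeholder path

    # Session resumption: a 10 MB cache shared by all workers, entries expire
    # after 5 minutes without use (the timeout discussed above)
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;
    # RFC 5077 tickets are protected by a long-lived server-side key; the
    # TLS tickets section above recommends turning them off
    ssl_session_tickets off;

    # Intermediate configuration: TLS 1.2 and 1.3 only, AEAD forward-secret
    # suites only, and the client picks since every suite offered is strong
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers off;

    # HSTS for two years; "always" also attaches the header to error responses
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling in the recommended mode: nginx fetches and caches the
    # response itself, and verifies it against the CA chain before caching
    ssl_stapling        on;
    ssl_stapling_verify on;
    # Root CA and intermediate CA certificates, concatenated
    ssl_trusted_certificate /etc/nginx/certs/trust-chain.pem;     # placeholder path
    # Resolver used to look up the OCSP responder named in the certificate
    resolver 192.0.2.53 valid=300s;                               # placeholder address
    resolver_timeout 5s;
}
```

Compared with the blog-era values in the text above (TLSv1 still enabled, server-side cipher preference, 182-day HSTS), the block follows the current Intermediate recommendation; if you need the older client support, the Old configuration on this page lists the additional suites and protocols to add.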

Latest revision as of 22:47, 16 May 2023


In the interests of usability and maintainability, these guidelines have been considerably simplified from the previous guidelines.

Recommended configurations

[Figure: The Mozilla SSL Configuration Generator]
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:

  • Modern: Modern clients that support TLS 1.3, with no need for backwards compatibility
  • Intermediate: Recommended configuration for a general-purpose server
  • Old: Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
{| class="wikitable"
|-
! Configuration !! Firefox !! Android !! Chrome !! Edge !! Internet Explorer !! Java !! OpenSSL !! Opera !! Safari
|-
| Modern || 63 || 10.0 || 70 || 75 || -- || 11 || 1.1.1 || 57 || 12.1
|-
| Intermediate || 27 || 4.4.2 || 31 || 12 || 11 (Win7) || 8u31 || 1.0.1 || 20 || 9
|-
| Old || 1 || 2.3 || 1 || 12 || 8 (WinXP) || 6 || 0.9.8 || 5 || 1
|}

The ordering of cipher suites in the Old configuration is very important, as it determines the priority with which algorithms are selected.

OpenSSL will ignore cipher suites it doesn't understand, so always use the full set of cipher suites below, in their recommended order. The use of the Old configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.
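The two statements above can be checked directly against whatever OpenSSL a host actually has. The following is an added example, not code from this page: it feeds a cipher string to the OpenSSL linked into Python's ssl module and reports which suites that build enables and which it silently dropped. Unknown names are ignored as long as at least one suite remains, while a string made only of names the library does not know is rejected outright. Exactly which suites of the Old list come back depends on the local build, which is the page's own point about deprecated suites needing custom builds; function names are this example's own.

```python
"""What the local OpenSSL makes of the Old cipher string on this page.

Added example, not from the page. It drives the OpenSSL linked into Python's
ssl module, so the exact set that comes back depends on that build (the page's
own caveat about deprecated suites). Names are this example's own.
"""
import ssl

# The TLS 1.0 - 1.2 suites of the Old configuration, as listed on this page
OLD_TLS12 = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
)


def accepts(cipher_string):
    """True if OpenSSL can select at least one suite from the string. A string
    made only of names it does not understand is rejected with an SSLError."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False


def enabled(cipher_string):
    """TLS 1.2-and-below suite names this OpenSSL actually enables, in the order
    it will prefer them. TLS 1.3 suites are governed separately and left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def dropped(cipher_string):
    """Requested names the library silently ignored: unknown names, and suites
    this build has disabled (security level, no-weak-ssl-ciphers, ...)."""
    kept = set(enabled(cipher_string))
    return [name for name in cipher_string.split(":") if name not in kept]


if __name__ == "__main__":
    print("enabled:", enabled(OLD_TLS12))
    print("dropped:", dropped(OLD_TLS12))
```

The `dropped()` list is the practical check before deploying the Old configuration: anything it reports, DES-CBC3-SHA on a stock modern build for instance, will not be offered no matter what the server configuration says, and only a custom build with the options listed in the Old rationale brings it back.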


Modern compatibility

For services with clients that support TLS 1.3 and don't need backward compatibility, the Modern configuration provides an extremely high level of security.

  • Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  • Cipher suites (TLS 1.2): (none)
  • Protocols: TLS 1.3
  • Certificate type: ECDSA (P-256)
  • TLS curves: X25519, prime256v1, secp384r1
  • HSTS: max-age=63072000 (two years)
  • Certificate lifespan: 90 days
  • Cipher preference: client chooses
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
  • Rationale:
    • All cipher suites are forward secret and authenticated
    • The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
    • We recommend ECDSA certificates using P-256, as P-384 provides negligible improvements to security and Ed25519 is not yet widely supported

Intermediate compatibility (recommended)

For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.

  • Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  • Cipher suites (TLS 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
  • Protocols: TLS 1.2, TLS 1.3
  • TLS curves: X25519, prime256v1, secp384r1
  • Certificate type: ECDSA (P-256) (recommended), or RSA (2048 bits)
  • DH parameter size: 2048 (ffdhe2048, RFC 7919)
  • HSTS: max-age=63072000 (two years)
  • Certificate lifespan: 90 days (recommended) to 366 days
  • Cipher preference: client chooses
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
  • Rationale:
    • All cipher suites are forward secret and authenticated
    • TLS 1.2 is the minimum supported protocol, as recommended by RFC 7525, PCI DSS, and others
    • ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2
    • The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
    • Windows XP (including all embedded versions) is no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
    • Administrators needing to provide access to IE 11 on Windows Server 2008 R2 and who are unable to switch to or add ECDSA certificates can add TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
    • 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation

Old backward compatibility

This configuration is compatible with a number of very old clients, and should be used only as a last resort.

  • Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  • Cipher suites (TLS 1.0 - 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  • Protocols: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
  • TLS curves: X25519, prime256v1, secp384r1
  • Certificate type: RSA (2048-bits)
  • Certificate curve: None
  • DH parameter size: 1024 (generated with openssl dhparam 1024)
  • HSTS: max-age=63072000 (two years)
  • Certificate lifespan: 90 days (recommended) to 366 days
  • Cipher preference: server chooses
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1
  • Rationale:
    • Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only
    • If possible, use this configuration only for endpoints that require it, segregating it from other traffic
    • SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use previous versions of this configuration, with the caveat that SSLv3 is no longer safe to use
    • This configuration requires custom builds to work with modern versions of OpenSSL, using enable-ssl3, enable-ssl3-method, enable-deprecated, and enable-weak-ssl-ciphers
    • Most ciphers that are not clearly broken and dangerous to use are supported
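The Intermediate rationale above ("all cipher suites are forward secret and authenticated") and the Old profile's caveat that it keeps most suites that are not clearly broken can both be checked mechanically against the cipher table printed by `openssl ciphers -V`, which is the column layout shown above. The following is an added example, not code from the server-side-tls project: it parses that layout and, for each suite, reports whether it relies on static RSA key exchange (no forward secrecy), on an HMAC rather than an AEAD construction, or on 3DES. The listing embedded in the script is a constructed excerpt in the shape of that output, so an operator can paste their own server's `openssl ciphers -V '<string>'` output in its place.

```python
"""Audit an `openssl ciphers -V` listing against the Mozilla profile rationale.

Added example (not code from the Mozilla server-side-tls project). It parses the
column layout that `openssl ciphers -V` prints and flags suites that are not
forward secret, that use an HMAC instead of an AEAD, or that use 3DES. The
sample listing below is a constructed excerpt in that shape.
"""
import re
from dataclasses import dataclass

# Constructed sample: rows in the shape of `openssl ciphers -V` output.
SAMPLE_LISTING = """\
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1
"""

# One row: code point pair, name, minimum protocol, then the Kx/Au/Enc/Mac columns.
ROW = re.compile(
    r"^0x([0-9A-F]{2}),0x([0-9A-F]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)\s*$"
)


@dataclass(frozen=True)
class Suite:
    code: int          # 16-bit IANA code point, e.g. 0xC02B
    name: str          # OpenSSL name
    min_proto: str     # lowest protocol version the suite is defined for
    kx: str
    au: str
    enc: str
    mac: str

    @property
    def forward_secret(self) -> bool:
        # TLS 1.3 suites (Kx=any) always use (EC)DHE; for TLS 1.2 and below the
        # ECDHE-/DHE- name prefix identifies an ephemeral key exchange.
        return self.kx == "any" or self.name.startswith(("ECDHE-", "DHE-"))

    @property
    def aead(self) -> bool:
        return self.mac == "AEAD"

    def findings(self) -> list[str]:
        """Reasons this suite falls outside the Intermediate rationale (empty if none)."""
        out = []
        if not self.forward_secret:
            out.append("no forward secrecy (static RSA key exchange)")
        if not self.aead:
            out.append(f"HMAC-{self.mac} instead of AEAD")
        if self.enc.startswith("3DES"):
            out.append("3DES (64-bit block cipher)")
        return out


def parse_listing(text: str) -> list[Suite]:
    """Parse every line that matches the `openssl ciphers -V` row layout."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank lines or anything that is not a cipher row
        hi, lo, name, proto, kx, au, enc, mac = m.groups()
        code = (int(hi, 16) << 8) | int(lo, 16)
        suites.append(Suite(code, name, proto, kx, au, enc, mac))
    return suites


def audit(text: str) -> dict[str, list[str]]:
    """Map each suite name to its findings; an empty list means it meets the rationale."""
    return {s.name: s.findings() for s in parse_listing(text)}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_LISTING).items():
        print(f"{name:32} {'ok' if not problems else '; '.join(problems)}")
```

Run against the full Old cipher string, the report shows exactly which suites the profile keeps only for legacy clients (the four static-RSA suites, the CBC/HMAC suites, and DES-CBC3-SHA), which is the list to revisit once those clients are gone.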

JSON version of the recommendations

Mozilla also maintains these recommendations in JSON format, for automated system configuration. The version-specific file is permanent and can be referenced in scripts and tools: it will not change when the recommendations are updated, so tools that depend on it do not break.

We also maintain a rolling version of these recommendations, with the caveat that they may change without warning and without providing backwards compatibility. As it may break things if you use it to automatically configure your servers without review, we recommend you use the version-specific file instead.

Version History

Version  Editor               Changes
5.7      Gene Wood            Add DHE-RSA-CHACHA20-POLY1305 cipher to the Intermediate configuration
5.6      April King           Fixed incorrect cipher ordering for the Intermediate configuration
5.5      April King           Update certificate lifespan to reflect browser policy changes
5.3      April King           Bump links to point to 5.3 guidelines, since it fixes a small JSON error
5.0.1    April King           Add note about IE 11 on Windows Server 2008 R2
5.0      April King           Server Side TLS 5.0
4.2      April King           Updated cipher suite table
4.1      Julien Vehent        Clarify Logjam notes, clarify risk of TLS tickets
4        Julien Vehent        Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON
3.8      Julien Vehent        Redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)
3.7      Julien Vehent        Cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)
3.6      Julien Vehent        Bump intermediate DHE to 2048, add note about Java compatibility
3.5      alm                  Comment on weakdh vulnerability
3.4      Julien Vehent        Added note about session resumption, HSTS, and HPKP
3.3      Julien Vehent        Fix SHA256 priority, add POODLE details, update various templates
3.2      Julien Vehent        Added intermediate compatibility mode, renamed other modes
3.1      Julien Vehent        Added non-backward compatible ciphersuite
3        Julien Vehent        Remove RC4 for 3DES, fix ordering in openssl 0.9.8 (1024430), various minor updates
2.5.1    Julien Vehent        Revisit ELB capabilities
2.5      Julien Vehent        Update ZLB information for OCSP Stapling and ciphersuite
2.4      Julien Vehent        Moved a couple of aes128 above aes256 in the ciphersuite
2.3      Julien Vehent        Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)
2.2      Julien Vehent        Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool
2.1      Julien Vehent        RC4 vs 3DES discussion. r=joes r=tinfoil
2.0      Julien Vehent, kang  Public release.
1.5      Julien Vehent, kang  Added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf
1.4      Julien Vehent        Revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.
1.3      Julien Vehent        Added netscaler example conf
1.2      Julien Vehent        Ciphersuite update, bump DHE-AESGCM above ECDH-RC4
1.1      Julien Vehent, kang  Integrated review comments from Infra; SPDY information
1.0      Julien Vehent        Creation
 
Document Status: READY