Security/Server Side TLS: Difference between revisions

(Pull 3.8(.1) for minor formatting fix)
(sync with github)
Line 39: Line 39:
* Elliptic curves: '''secp256r1, secp384r1, secp521r1''' (at a minimum)
* Elliptic curves: '''secp256r1, secp384r1, secp521r1''' (at a minimum)
* Certificate signature: '''SHA-256'''
* Certificate signature: '''SHA-256'''
* HSTS: '''max-age=15724800'''
* HSTS: '''max-age=15768000'''


== <span style="color:orange;">'''Intermediate'''</span> compatibility (default) ==
== <span style="color:orange;">'''Intermediate'''</span> compatibility (default) ==
For services that don't need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.
For services that don't need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.


* Ciphersuite: '''ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'''
* Ciphersuite: '''ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'''
* Versions: '''TLSv1, TLSv1.1, TLSv1.2'''
* Versions: '''TLSv1, TLSv1.1, TLSv1.2'''
* RSA key size: '''2048'''
* RSA key size: '''2048'''
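Review bot: the intermediate cipher string now admits EDH-RSA-DES-CBC3-SHA but keeps `!EDH-DSS-DES-CBC3-SHA`, so the RSA and DSS variants of the same DHE+3DES suite are treated differently even though the list carries the DSS variants of the DHE+AES suites (DHE-DSS-AES128-SHA256, DHE-DSS-AES256-SHA); if the asymmetry is deliberate (no supported client needs DSS-signed 3DES), say so in the changelog, otherwise drop both exclusions together. Placing the new suite directly after ECDHE-ECDSA-DES-CBC3-SHA keeps it ahead of the RSA-key-exchange AES suites (AES128-GCM-SHA256 onward), consistent with how the ECDHE 3DES suites were already ordered: a client that offers DHE+3DES but neither ECDHE nor DHE+AES negotiates a 64-bit block cipher with forward secrecy rather than AES without it, which is the trade-off this list already makes, but it deserves one sentence in the text. Two smaller points in the context lines: the modern profile's HSTS max-age becomes 15768000, which is exactly 365 × 86400 / 2, whereas 15724800 is 182 days; both round to "6 months", and the new value matches the one in the HSTS section later in this diff. And "It is is compatible with Firefox 1" has a doubled "is".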
Line 55: Line 55:
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.


* Ciphersuite: '''ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'''
* Ciphersuite: '''ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'''
* Versions: '''SSLv3, TLSv1, TLSv1.1, TLSv1.2'''
* Versions: '''SSLv3, TLSv1, TLSv1.1, TLSv1.2'''
* RSA key size: '''2048'''
* RSA key size: '''2048'''
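Review bot: for the old profile this change is about position rather than presence: the string ends in `HIGH`, which in OpenSSL 1.0.x already expands to EDH-RSA-DES-CBC3-SHA because 3DES is rated HIGH there, and only the `!EDH-RSA-DES-CBC3-SHA` exclusion kept it out; listing it explicitly moves it from the tail of the HIGH expansion to just after ECDHE-ECDSA-DES-CBC3-SHA, ahead of the RSA-key-exchange AES suites (see where 0x00,0x16 lands in the regenerated `openssl ciphers -V` output). The changelog wording "add ... back" should say that the effect on this profile is ordering. Same asymmetry as in the intermediate profile: `!EDH-DSS-DES-CBC3-SHA` and `!KRB5-DES-CBC3-SHA` stay excluded, which is fine, but document why the DSS 3DES variant is out while DHE-DSS-AES128-SHA256 and DHE-DSS-AES256-SHA are in.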
Line 71: Line 71:


<source lang="bash">
<source lang="bash">
$ openssl ciphers -V 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'|column -t
$ openssl ciphers -V 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'|column -t
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0xA2  -  DHE-DSS-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(128)    Mac=AEAD
0x00,0xA3  -  DHE-DSS-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(256)    Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)      Mac=SHA256
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)      Mac=SHA256
0xC0,0x13  -  ECDHE-RSA-AES128-SHA          SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)      Mac=SHA1
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA        SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)      Mac=SHA1
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)      Mac=SHA384
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)      Mac=SHA384
0xC0,0x14  -  ECDHE-RSA-AES256-SHA          SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)      Mac=SHA1
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA        SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)      Mac=SHA1
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)      Mac=SHA256
0x00,0x33  -  DHE-RSA-AES128-SHA            SSLv3    Kx=DH    Au=RSA    Enc=AES(128)      Mac=SHA1
0x00,0x40  -  DHE-DSS-AES128-SHA256          TLSv1.2  Kx=DH    Au=DSS    Enc=AES(128)      Mac=SHA256
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)      Mac=SHA256
0x00,0x38  -  DHE-DSS-AES256-SHA            SSLv3    Kx=DH    Au=DSS    Enc=AES(256)      Mac=SHA1
0x00,0x39  -  DHE-RSA-AES256-SHA            SSLv3    Kx=DH    Au=RSA    Enc=AES(256)      Mac=SHA1
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA        SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA      SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA  Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA  Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA  Au=RSA    Enc=AES(128)      Mac=SHA256
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA  Au=RSA    Enc=AES(256)      Mac=SHA256
0x00,0x2F  -  AES128-SHA                    SSLv3    Kx=RSA  Au=RSA    Enc=AES(128)      Mac=SHA1
0x00,0x35  -  AES256-SHA                    SSLv3    Kx=RSA  Au=RSA    Enc=AES(256)      Mac=SHA1
0x00,0x6A  -  DHE-DSS-AES256-SHA256          TLSv1.2  Kx=DH    Au=DSS    Enc=AES(256)      Mac=SHA256
0x00,0x32  -  DHE-DSS-AES128-SHA            SSLv3    Kx=DH    Au=DSS    Enc=AES(128)      Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                  SSLv3    Kx=RSA  Au=RSA    Enc=3DES(168)      Mac=SHA1
0x00,0x88  -  DHE-RSA-CAMELLIA256-SHA        SSLv3    Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA1
0x00,0x87  -  DHE-DSS-CAMELLIA256-SHA        SSLv3    Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA1
0x00,0x84  -  CAMELLIA256-SHA                SSLv3    Kx=RSA  Au=RSA    Enc=Camellia(256)  Mac=SHA1
0x00,0x45  -  DHE-RSA-CAMELLIA128-SHA        SSLv3    Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA1
0x00,0x44  -  DHE-DSS-CAMELLIA128-SHA        SSLv3    Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA1
0x00,0x41  -  CAMELLIA128-SHA                SSLv3    Kx=RSA  Au=RSA    Enc=Camellia(128)  Mac=SHA1


0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH    Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH    Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH      Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0xA2  -  DHE-DSS-AES128-GCM-SHA256      TLSv1.2  Kx=DH      Au=DSS    Enc=AESGCM(128)    Mac=AEAD
0x00,0xA3  -  DHE-DSS-AES256-GCM-SHA384      TLSv1.2  Kx=DH      Au=DSS    Enc=AESGCM(256)    Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH      Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH    Au=RSA    Enc=AES(128)      Mac=SHA256
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH    Au=ECDSA  Enc=AES(128)      Mac=SHA256
0xC0,0x13  -  ECDHE-RSA-AES128-SHA            SSLv3    Kx=ECDH    Au=RSA    Enc=AES(128)      Mac=SHA1
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA          SSLv3    Kx=ECDH    Au=ECDSA  Enc=AES(128)      Mac=SHA1
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH    Au=RSA    Enc=AES(256)      Mac=SHA384
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH    Au=ECDSA  Enc=AES(256)      Mac=SHA384
0xC0,0x14  -  ECDHE-RSA-AES256-SHA            SSLv3    Kx=ECDH    Au=RSA    Enc=AES(256)      Mac=SHA1
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA          SSLv3    Kx=ECDH    Au=ECDSA  Enc=AES(256)      Mac=SHA1
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH      Au=RSA    Enc=AES(128)      Mac=SHA256
0x00,0x33  -  DHE-RSA-AES128-SHA              SSLv3    Kx=DH      Au=RSA    Enc=AES(128)      Mac=SHA1
0x00,0x40  -  DHE-DSS-AES128-SHA256          TLSv1.2  Kx=DH      Au=DSS    Enc=AES(128)      Mac=SHA256
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH      Au=RSA    Enc=AES(256)      Mac=SHA256
0x00,0x38  -  DHE-DSS-AES256-SHA              SSLv3    Kx=DH      Au=DSS    Enc=AES(256)      Mac=SHA1
0x00,0x39  -  DHE-RSA-AES256-SHA              SSLv3    Kx=DH      Au=RSA    Enc=AES(256)      Mac=SHA1
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA          SSLv3    Kx=ECDH    Au=RSA    Enc=3DES(168)      Mac=SHA1
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA        SSLv3    Kx=ECDH    Au=ECDSA  Enc=3DES(168)      Mac=SHA1
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA            SSLv3    Kx=DH      Au=RSA    Enc=3DES(168)      Mac=SHA1
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA    Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA    Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA    Au=RSA    Enc=AES(128)      Mac=SHA256
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA    Au=RSA    Enc=AES(256)      Mac=SHA256
0x00,0x2F  -  AES128-SHA                      SSLv3    Kx=RSA    Au=RSA    Enc=AES(128)      Mac=SHA1
0x00,0x35  -  AES256-SHA                      SSLv3    Kx=RSA    Au=RSA    Enc=AES(256)      Mac=SHA1
0xC0,0x22  -  SRP-DSS-AES-256-CBC-SHA        SSLv3    Kx=SRP    Au=DSS    Enc=AES(256)      Mac=SHA1
0xC0,0x21  -  SRP-RSA-AES-256-CBC-SHA        SSLv3    Kx=SRP    Au=RSA    Enc=AES(256)      Mac=SHA1
0xC0,0x20  -  SRP-AES-256-CBC-SHA            SSLv3    Kx=SRP    Au=SRP    Enc=AES(256)      Mac=SHA1
0x00,0xA5  -  DH-DSS-AES256-GCM-SHA384        TLSv1.2  Kx=DH/DSS  Au=DH    Enc=AESGCM(256)    Mac=AEAD
0x00,0xA1  -  DH-RSA-AES256-GCM-SHA384        TLSv1.2  Kx=DH/RSA  Au=DH    Enc=AESGCM(256)    Mac=AEAD
0x00,0x6A  -  DHE-DSS-AES256-SHA256          TLSv1.2  Kx=DH      Au=DSS    Enc=AES(256)      Mac=SHA256
0x00,0x69  -  DH-RSA-AES256-SHA256            TLSv1.2  Kx=DH/RSA  Au=DH    Enc=AES(256)      Mac=SHA256
0x00,0x68  -  DH-DSS-AES256-SHA256            TLSv1.2  Kx=DH/DSS  Au=DH    Enc=AES(256)      Mac=SHA256
0x00,0x37  -  DH-RSA-AES256-SHA              SSLv3    Kx=DH/RSA  Au=DH    Enc=AES(256)      Mac=SHA1
0x00,0x36  -  DH-DSS-AES256-SHA              SSLv3    Kx=DH/DSS  Au=DH    Enc=AES(256)      Mac=SHA1
0x00,0x95  -  RSA-PSK-AES256-CBC-SHA          SSLv3    Kx=RSAPSK  Au=RSA    Enc=AES(256)      Mac=SHA1
0xC0,0x1F  -  SRP-DSS-AES-128-CBC-SHA        SSLv3    Kx=SRP    Au=DSS    Enc=AES(128)      Mac=SHA1
0xC0,0x1E  -  SRP-RSA-AES-128-CBC-SHA        SSLv3    Kx=SRP    Au=RSA    Enc=AES(128)      Mac=SHA1
0xC0,0x1D  -  SRP-AES-128-CBC-SHA            SSLv3    Kx=SRP    Au=SRP    Enc=AES(128)      Mac=SHA1
0x00,0xA4  -  DH-DSS-AES128-GCM-SHA256        TLSv1.2  Kx=DH/DSS  Au=DH    Enc=AESGCM(128)    Mac=AEAD
0x00,0xA0  -  DH-RSA-AES128-GCM-SHA256        TLSv1.2  Kx=DH/RSA  Au=DH    Enc=AESGCM(128)    Mac=AEAD
0x00,0x3F  -  DH-RSA-AES128-SHA256            TLSv1.2  Kx=DH/RSA  Au=DH    Enc=AES(128)      Mac=SHA256
0x00,0x3E  -  DH-DSS-AES128-SHA256            TLSv1.2  Kx=DH/DSS  Au=DH    Enc=AES(128)      Mac=SHA256
0x00,0x32  -  DHE-DSS-AES128-SHA              SSLv3    Kx=DH      Au=DSS    Enc=AES(128)      Mac=SHA1
0x00,0x31  -  DH-RSA-AES128-SHA              SSLv3    Kx=DH/RSA  Au=DH    Enc=AES(128)      Mac=SHA1
0x00,0x30  -  DH-DSS-AES128-SHA              SSLv3    Kx=DH/DSS  Au=DH    Enc=AES(128)      Mac=SHA1
0x00,0x94  -  RSA-PSK-AES128-CBC-SHA          SSLv3    Kx=RSAPSK  Au=RSA    Enc=AES(128)      Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                    SSLv3    Kx=RSA    Au=RSA    Enc=3DES(168)      Mac=SHA1
0xCC,0x14  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH    Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD
0xCC,0x13  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH    Au=RSA    Enc=ChaCha20(256)  Mac=AEAD
0xCC,0x15  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH      Au=RSA    Enc=ChaCha20(256)  Mac=AEAD
0xC0,0x77  -  ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2  Kx=ECDH    Au=RSA    Enc=Camellia(256)  Mac=SHA384
0xC0,0x73  -  ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2  Kx=ECDH    Au=ECDSA  Enc=Camellia(256)  Mac=SHA384
0x00,0xC4  -  DHE-RSA-CAMELLIA256-SHA256      TLSv1.2  Kx=DH      Au=RSA    Enc=Camellia(256)  Mac=SHA256
0x00,0xC3  -  DHE-DSS-CAMELLIA256-SHA256      TLSv1.2  Kx=DH      Au=DSS    Enc=Camellia(256)  Mac=SHA256
0x00,0xC2  -  DH-RSA-CAMELLIA256-SHA256      TLSv1.2  Kx=DH/RSA  Au=DH    Enc=Camellia(256)  Mac=SHA256
0x00,0xC1  -  DH-DSS-CAMELLIA256-SHA256      TLSv1.2  Kx=DH/DSS  Au=DH    Enc=Camellia(256)  Mac=SHA256
0x00,0x88  -  DHE-RSA-CAMELLIA256-SHA        SSLv3    Kx=DH      Au=RSA    Enc=Camellia(256)  Mac=SHA1
0x00,0x87  -  DHE-DSS-CAMELLIA256-SHA        SSLv3    Kx=DH      Au=DSS    Enc=Camellia(256)  Mac=SHA1
0x00,0x86  -  DH-RSA-CAMELLIA256-SHA          SSLv3    Kx=DH/RSA  Au=DH    Enc=Camellia(256)  Mac=SHA1
0x00,0x85  -  DH-DSS-CAMELLIA256-SHA          SSLv3    Kx=DH/DSS  Au=DH    Enc=Camellia(256)  Mac=SHA1
0x00,0xC0  -  CAMELLIA256-SHA256              TLSv1.2  Kx=RSA    Au=RSA    Enc=Camellia(256)  Mac=SHA256
0x00,0x84  -  CAMELLIA256-SHA                SSLv3    Kx=RSA    Au=RSA    Enc=Camellia(256)  Mac=SHA1
0xC0,0x76  -  ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2  Kx=ECDH    Au=RSA    Enc=Camellia(128)  Mac=SHA256
0xC0,0x72  -  ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2  Kx=ECDH    Au=ECDSA  Enc=Camellia(128)  Mac=SHA256
0x00,0xBE  -  DHE-RSA-CAMELLIA128-SHA256      TLSv1.2  Kx=DH      Au=RSA    Enc=Camellia(128)  Mac=SHA256
0x00,0xBD  -  DHE-DSS-CAMELLIA128-SHA256      TLSv1.2  Kx=DH      Au=DSS    Enc=Camellia(128)  Mac=SHA256
0x00,0xBC  -  DH-RSA-CAMELLIA128-SHA256      TLSv1.2  Kx=DH/RSA  Au=DH    Enc=Camellia(128)  Mac=SHA256
0x00,0xBB  -  DH-DSS-CAMELLIA128-SHA256      TLSv1.2  Kx=DH/DSS  Au=DH    Enc=Camellia(128)  Mac=SHA256
0x00,0x45  -  DHE-RSA-CAMELLIA128-SHA        SSLv3    Kx=DH      Au=RSA    Enc=Camellia(128)  Mac=SHA1
0x00,0x44  -  DHE-DSS-CAMELLIA128-SHA        SSLv3    Kx=DH      Au=DSS    Enc=Camellia(128)  Mac=SHA1
0x00,0x43  -  DH-RSA-CAMELLIA128-SHA          SSLv3    Kx=DH/RSA  Au=DH    Enc=Camellia(128)  Mac=SHA1
0x00,0x42  -  DH-DSS-CAMELLIA128-SHA          SSLv3    Kx=DH/DSS  Au=DH    Enc=Camellia(128)  Mac=SHA1
0x00,0xBA  -  CAMELLIA128-SHA256              TLSv1.2  Kx=RSA    Au=RSA    Enc=Camellia(128)  Mac=SHA256
0x00,0x41  -  CAMELLIA128-SHA                SSLv3    Kx=RSA    Au=RSA    Enc=Camellia(128)  Mac=SHA1
0xC0,0x1C  -  SRP-DSS-3DES-EDE-CBC-SHA        SSLv3    Kx=SRP    Au=DSS    Enc=3DES(168)      Mac=SHA1
0xC0,0x1B  -  SRP-RSA-3DES-EDE-CBC-SHA        SSLv3    Kx=SRP    Au=RSA    Enc=3DES(168)      Mac=SHA1
0xC0,0x1A  -  SRP-3DES-EDE-CBC-SHA            SSLv3    Kx=SRP    Au=SRP    Enc=3DES(168)      Mac=SHA1
0x00,0x10  -  DH-RSA-DES-CBC3-SHA            SSLv3    Kx=DH/RSA  Au=DH    Enc=3DES(168)      Mac=SHA1
0x00,0x0D  -  DH-DSS-DES-CBC3-SHA            SSLv3    Kx=DH/DSS  Au=DH    Enc=3DES(168)      Mac=SHA1
0x00,0x93  -  RSA-PSK-3DES-EDE-CBC-SHA        SSLv3    Kx=RSAPSK  Au=RSA    Enc=3DES(168)      Mac=SHA1
</source>
</source>


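Review bot: the regenerated listing comes from a different OpenSSL build than the previous one, not merely from the one-suite change in the command line: the old output (39 suites) ends at the Camellia SHA1 suites, while the new one (87 suites) also shows ChaCha20-Poly1305 under the pre-standard code points 0xCC,0x13 to 0xCC,0x15, SRP (Kx=SRP), static DH with DH-keyed certificates (Kx=DH/RSA, Kx=DH/DSS, Au=DH), RSA-PSK and the Camellia SHA256 suites, all of which `HIGH` pulls in. State the OpenSSL version next to the command so readers can reproduce the output and know whether the ChaCha20 lines will appear on their build. Two of those families need action rather than a note: the `DH-RSA-*`/`DH-DSS-*` suites use a fixed DH key from the certificate, so they give no forward secrecy and are not caught by `!aNULL` or `!aECDH` (OpenSSL's `!aDH` alias excludes them), and the `RSA-PSK-*` suites are listed even though the string contains `!PSK`, so on whichever build produced this output the `PSK` alias does not cover RSA-PSK. The SRP suites are irrelevant for a web server and can go with `!SRP`.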
Line 122: Line 170:
# SHA256 signature is preferred to SHA-1 in ciphers and certificates. MD5 is disallowed entirely.
# SHA256 signature is preferred to SHA-1 in ciphers and certificates. MD5 is disallowed entirely.
# AES 128 is preferred to AES 256. There has been [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html discussions] on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
# AES 128 is preferred to AES 256. There has been [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html discussions] on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
# In the backward compatible ciphersuite, AES is preferred to 3DES. [[#Attacks_on_TLS|BEAST]] attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In the non-backward compatible ciphersuite, 3DES is not present.
# In the backward compatible ciphersuite, AES is preferred to 3DES. [[#Attacks_on_TLS|BEAST]] attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In the modern configuration, 3DES is not present.
# RC4 is removed entirely. 3DES is used for backward compatibility. See discussion in [[#RC4_weaknesses]]
# RC4 is removed entirely. 3DES is used for backward compatibility. See discussion in [[#RC4_weaknesses]]


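Review bot: "the modern configuration" in the last sentence is the right term, but the first sentence of the same item still says "the backward compatible ciphersuite", which no longer identifies one of the three profiles; after this revision both the intermediate and the old profile carry 3DES, so write "In the intermediate and old configurations, AES is preferred to 3DES". While here, the BEAST sentence is loose: BEAST targets CBC-mode record encryption in TLS 1.0, not AES as a cipher; TLS 1.1 and later close it with explicit per-record IVs, and the AES-GCM suites at the head of the list are unaffected at any version. The first item says "SHA256 signature is preferred to SHA-1 in ciphers", but the SHA256 in a suite name denotes the record MAC (Mac=SHA256 in the listing above), not a signature; say "SHA-256 is preferred to SHA-1 for the record MAC and for certificate signatures".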
Line 267: Line 315:
[https://tools.ietf.org/html/rfc6797 HSTS] is a HTTP header sent by a server to a client, indicating that the current site must only be accessed over HTTPS until expiration of the HSTS value is reached.
[https://tools.ietf.org/html/rfc6797 HSTS] is a HTTP header sent by a server to a client, indicating that the current site must only be accessed over HTTPS until expiration of the HSTS value is reached.


The header format is very simple, composed only of a '''max-age''' parameter that indicates when the directive should expire. max-age is expressed in seconds. A typical value is 15724800 seconds, or 6 months.
The header format is very simple, composed only of a '''max-age''' parameter that indicates when the directive should expire. max-age is expressed in seconds. A typical value is 15768000 seconds, or 6 months.
<pre>
<pre>
Strict-Transport-Security: max-age=15724800
Strict-Transport-Security: max-age=15768000
</pre>
</pre>


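Review bot: 15768000 is 365 × 86400 / 2, so it matches "6 months" more exactly than 15724800 (182 days) and now agrees with the modern profile; good. The sentence around it is wrong, though, and this is the place to fix it: RFC 6797 does not define the header as "composed only of a max-age parameter"; section 6.1 also defines the `includeSubDomains` directive, and a site that sends max-age alone leaves its subdomains reachable over plain HTTP. Rephrase to "max-age is the only required directive" and show the second form as well, e.g. `Strict-Transport-Security: max-age=15768000; includeSubDomains`.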
Line 291: Line 339:


Nginx provides OCSP Stapling, custom DH parameters, and the full flavor of TLS versions (from OpenSSL).
Nginx provides OCSP Stapling, custom DH parameters, and the full flavor of TLS versions (from OpenSSL).
The detail of each configuration parameter, and how to build a recent Nginx with OpenSSL, is [[#Nginx_configuration_details|at the end of this document]].


<pre>
<pre>
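Review bot: the added sentence has a subject/verb mismatch ("The detail of each configuration parameter, and how to build ..., is"); suggest "Details of each configuration parameter, and of how to build a recent Nginx against OpenSSL, are [[#Nginx_configuration_details|at the end of this document]]". Also confirm that a heading titled exactly "Nginx configuration details" exists, since MediaWiki derives section anchors from the heading text and a mismatch gives a silent dead link; that section lies outside this diff, so it cannot be checked here.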
Line 983: Line 1,029:
In a public discussion ([https://bugzilla.mozilla.org/show_bug.cgi?id=927045 bug 927045]), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.
In a public discussion ([https://bugzilla.mozilla.org/show_bug.cgi?id=927045 bug 927045]), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.
   
   
While 3DES provides more resistant cryptography, it is also 30 times slower and more cpu intensive than RC4. For large web infrastructure, the CPU cost of replacing 3DES with RC4 is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis. At Mozilla, we evaluated that the impact on CPU usage is minor, and thus decided to replace RC4 with 3DES where backward compatibility is required.
While 3DES provides more resistant cryptography, it is also 30 times slower and more cpu intensive than RC4. For large web infrastructure, the CPU cost of replacing RC4 with 3DES is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis. At Mozilla, we evaluated that the impact on CPU usage is minor, and thus decided to replace RC4 with 3DES where backward compatibility is required.


=== CRIME (CVE-2012-4929) ===
=== CRIME (CVE-2012-4929) ===
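Review bot: the swap to "replacing RC4 with 3DES" is correct; the old wording inverted the direction of the migration the paragraph describes. Two claims in the same paragraph still need backing: "30 times slower" is given without a source or method, so either cite the measurement (an `openssl speed rc4 des-ede3` run on the hardware in question would do) or soften it to "several times slower"; and "more resistant cryptography" should say what is meant, i.e. 3DES has no known practical plaintext-recovery attack comparable to the RC4 keystream biases discussed in this section, while still being a 64-bit block cipher.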
Line 3,338: Line 3,384:
! Editor
! Editor
! Changes
! Changes
|-
| style="text-align: center;" | 3.9
| style="text-align: center;" | ulfr
| add EDH-RSA-DES-CBC3-SHA back to the old and intermediate conf
|-
|-
| style="text-align: center;" | 3.8
| style="text-align: center;" | 3.8
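Review bot: the 3.9 entry records only the EDH-RSA-DES-CBC3-SHA addition, but this revision also changes the HSTS max-age from 15724800 to 15768000 in two places, rewrites the "modern configuration" wording in the cipher rationale, and regenerates the `openssl ciphers -V` listing from a different OpenSSL build; list those as well, or readers comparing 3.8 with 3.9 will miss them. Minor: expand "conf" to "configurations".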