Changes

Security/Server Side TLS

444 bytes added, 17:03, 23 December 2016

Add X25519, TLSv1.3 and Cipher Suite modification

For services that don't need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.

* Ciphersuites: '''ECDHE-ECDSA-~~AES256~~CHACHA20-~~GCM-SHA384~~POLY1305:ECDHE-RSA-~~AES256~~CHACHA20-~~GCM-SHA384~~POLY1305:ECDHE-ECDSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~SHA384:ECDHE-RSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'''* Versions: '''TLSv1.3 (working in progress), TLSv1.2'''* ~~TLS~~ ECDH curves: '''X25519 (with OpenSSL 1.1.0+), prime256v1, secp521r1, secp384r1~~, secp521r1~~'''* Certificate type: '''ECDSA(recommended) or RSA'''* Certificate (ECDSA) curve: '''prime256v1, secp384r1, secp521r1'''

* Certificate signature: '''sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512'''

* RSA key size: '''2048''' (if not ~~ecdsa~~ECDSA)* DH Parameter size: '''~~None~~N/A''' (disabled entirely)* ECDH Parameter size: '''256'''

* HSTS: '''max-age=15768000'''

* Certificate switching: '''None'''

~~0xC0~~ 0xCC,~~0x2C~~ 0xA9 - ECDHE-ECDSA-~~AES256~~CHACHA20-~~GCM-SHA384~~ POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~AESGCM~~CHACHA20/POLY1305(256) Mac=AEAD~~0xC0~~ 0xCC,~~0x30~~ 0xA8 - ECDHE-RSA-~~AES256~~CHACHA20-~~GCM-SHA384~~ POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=~~AESGCM~~CHACHA20/POLY1305(256) Mac=AEAD~~0xCC~~ 0xC0,~~0x14~~ 0x2C - ECDHE-ECDSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~ SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~ChaCha20~~AESGCM(256) Mac=AEAD~~0xCC~~ 0xC0,~~0x13~~ 0x30 - ECDHE-RSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~ SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=~~ChaCha20~~AESGCM(256) Mac=AEAD 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

</source>

Rationale:

* ~~AES256-GCM~~ ChaCha20 > AES_256_GCM > AES_128_GCM > AES_256_CBC > AES_128_CBC because AES_GCM is ~~prioritized above its 128 bits variant~~fragile ([https://eprint.iacr.org/2013/157.pdf 1]) and hard to implement safely. Also, ~~and~~ ChaCha20 ~~because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant time AES~~is not necessarily slower than AES_256_GCM while providing 256 bits of security. * We recommend ECDSA certificates with NIST-P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.

* DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.

* HMAC-SHA1 ~~signature algorithm~~ is removed in favor of HMAC-SHA384 for AES256 and HMAC-SHA256 for AES128.

== <span style="color:orange;">'''Intermediate'''</span> compatibility (default) ==

For services that don't need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.

* Ciphersuites: '''ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-~~SHA256~~SHA:ECDHE-RSA-AES128-~~SHA256~~SHA:ECDHE-ECDSA-~~AES128~~AES256-SHA:ECDHE-RSA-AES256-~~SHA384~~SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-~~SHA~~SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-~~ECDSA~~RSA-AES256-~~SHA~~SHA384:~~ECDHE~~DHE-RSA-~~AES256~~AES128-SHA:DHE-RSA-~~AES128~~AES256-~~SHA256~~SHA:DHE-RSA-AES128-~~SHA~~SHA256:DHE-RSA-AES256-SHA256:~~DHE~~AES128-GCM-SHA256:AES256-GCM-~~RSA~~SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3~~-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256~~-SHA:DES-CBC3-SHA~~:!DSS~~'''* Versions: '''TLSv1.3 (working in progress), TLSv1.2, TLSv1.1, TLSv1'''* ~~TLS~~ ECDH curves: '''X25519 (with OpenSSL 1.1.0+), prime256v1, secp521r1, secp384r1~~, secp521r1~~'''* Certificate type: '''RSA and ECDSA in parallel if available, otherwise just RSA'''* Certificate (ECDSA) curve: '''~~'None~~prime256v1, secp384r1, secp521r1'''* Certificate signature: '''sha256WithRSAEncryptionfor RSA, and ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512 for ECDSA'''

* RSA key size: '''2048'''

* DH Parameter size: '''2048'''

* ECDH Parameter size: '''256'''

* HSTS: '''max-age=15768000'''

* Certificate switching: '''None'''

0xCC,~~0x14~~ 0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~ChaCha20~~CHACHA20/POLY1305(256) Mac=AEAD 0xCC,~~0x13~~ 0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=~~ChaCha20~~CHACHA20/POLY1305(256) Mac=AEAD 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 0xC0,~~0x23~~ 0x09 - ECDHE-ECDSA-AES128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=~~SHA256~~SHA1 0xC0,~~0x27~~ 0x13 - ECDHE-RSA-AES128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=~~SHA256~~SHA1 0xC0,~~0x09~~ 0x0A - ECDHE-ECDSA-~~AES128~~AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(~~128~~256) Mac=SHA1 0xC0,~~0x28~~ 0x14 - ECDHE-RSA-AES256-~~SHA384 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=~~SHA384~~SHA1 0xC0,~~0x13~~ 0x23 - ECDHE-~~RSA~~ECDSA-AES128-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(128) Mac=~~SHA1~~SHA256 0xC0,~~0x24~~ 0x27 - ECDHE-~~ECDSA~~RSA-~~AES256~~AES128-~~SHA384~~ SHA256 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(~~256~~128) Mac=~~SHA384~~SHA256 0xC0,~~0x0A~~ 0x24 - ECDHE-ECDSA-AES256-~~SHA SSLv3~~ SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=~~SHA1~~SHA384 0xC0,~~0x14~~ 0x28 - ECDHE-RSA-AES256-~~SHA SSLv3~~ SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=~~SHA1~~SHA384 0x00,~~0x67~~ 0x33 - DHE-RSA-AES128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=~~SHA256~~SHA1 0x00,~~0x33~~ 0x39 - DHE-RSA-~~AES128~~AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(~~128~~256) Mac=SHA1 0x00,~~0x6B~~ 0x67 - DHE-RSA-~~AES256~~AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(~~256~~128) Mac=SHA256 0x00,~~0x39~~ 0x6B - DHE-RSA-AES256-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=~~SHA1~~SHA256~~0xC0~~ 0x00,~~0x08~~ 0x9C - ~~ECDHE~~AES128-~~ECDSA~~GCM-~~DES-CBC3-SHA~~ SHA256 ~~SSLv3~~ TLSv1.2 Kx=~~ECDH~~ RSA Au=~~ECDSA~~ RSA Enc=~~3DES~~AESGCM(~~168~~128) Mac=~~SHA1~~AEAD~~0xC0~~ 0x00,~~0x12~~ 0x9D - ~~ECDHE~~AES256-~~RSA~~GCM-~~DES-CBC3-SHA SSLv3~~ SHA384 TLSv1.2 Kx~~=ECDH Au~~=RSA ~~Enc=3DES(168)~~ ~~Mac=SHA10x00,0x16 - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH~~ Au=RSA Enc=~~3DES~~AESGCM(~~168~~256) Mac=~~SHA1~~AEAD 0x00,~~0x9C~~ 0x2F - AES128-~~GCM-SHA256~~ SHA ~~TLSv1.2~~ SSLv3 Kx=RSA Au=RSA Enc=~~AESGCM~~AES(128) Mac=~~AEAD~~SHA1 0x00,~~0x9D~~ 0x35 - AES256-~~GCM-SHA384~~ SHA ~~TLSv1.2~~ SSLv3 Kx=RSA Au=RSA Enc=~~AESGCM~~AES(256) Mac=~~AEAD~~SHA1 0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256~~0x00~~ 0xC0,~~0x2F~~ 0x08 - ECDHE-ECDSA-DES- ~~AES128~~CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1 0xC0,0x12 - ECDHE-RSA -DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=~~AES~~3DES(~~128~~168) Mac=SHA1 0x00,~~0x35~~ 0x16 - DHE-RSA-DES- ~~AES256~~CBC3-SHA SSLv3 Kx=~~RSA~~ DH Au=RSA Enc=~~AES~~3DES(~~256~~168) Mac=SHA1 0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

</source>

Rationale:

* ChaCha20 is ~~prefered~~ preferred as the fastest and safest in-software cipher, followed by AES128~~. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20~~. There has been discussions ([http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html 1], [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12398.html 2]) on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.* ~~DES~~3DES ciphers are put at the very last due to the SWEET32 attack ([https://sweet32.info 1])* HMAC-~~CBC3~~SHA1 is preferred over HMAC-~~SHA and EDH~~SHA256/SHA384 because the latter does not really provide more security than the former ([https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-~~RSA~~considered-~~DES~~secure 1]), and HMAC-~~CBC3~~SHA1 is almost twice as fast than HMAC-~~SHA are maintained for backward compatibility with~~ SHA256/SHA384. Also, AES_CBC is flawed, modern clients ~~that do not support AES~~will use AES_GCM anyways.

* While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).

This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.

* Ciphersuites: '''ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-~~RSA~~ECDSA-AES128-GCM-SHA256:ECDHE-~~ECDSA~~RSA-AES128-GCM-SHA256:ECDHE-~~RSA~~ECDSA-AES256-GCM-SHA384:ECDHE-~~ECDSA~~RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-~~DSS~~RSA-~~AES128~~AES256-GCM-~~SHA256~~SHA384:~~kEDH+AESGCM~~ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-~~SHA256~~SHA:ECDHE-ECDSA-~~AES128~~AES256-~~SHA256~~SHA:ECDHE-RSA-~~AES128~~AES256-SHA:ECDHE-ECDSA-AES128-~~SHA~~SHA256:ECDHE-RSA-~~AES256~~AES128-~~SHA384~~SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-~~SHA:ECDHE-ECDSA-AES256-SHA~~SHA384:DHE-RSA-AES128-~~SHA256~~SHA:DHE-RSA-~~AES128~~AES256-SHA:DHE-~~DSS~~RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:~~DHE~~AES128-~~DSS~~GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:~~DHE~~AES256-~~RSA~~SHA:AES128-SHA256:AES256-~~SHA~~SHA256:AES+DSS:CAMELLIA:SEED:ECDHE-~~RSA~~ECDSA-DES-CBC3-SHA:ECDHE-~~ECDSA~~RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA~~:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES~~:DES-CBC3-SHA:~~HIGH~~3DES:~~SEED~~IDEA:+DSS:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!~~aDH~~SRP:!~~aECDH~~KRB5:!~~EDH-DSS-DES-CBC3-SHA~~kDH:!~~KRB5-DES-CBC3-SHA:!SRP~~kECDH'''* Versions: '''TLSv1.3 (working in progress), TLSv1.2, TLSv1.1, TLSv1, SSLv3'''* TLS curves: '''X25519 (with OpenSSL 1.1.0+), prime256v1, secp384r1, secp521r1'''

* Certificate type: '''RSA'''

* Certificate curve: ''''None'''

* RSA key size: '''2048'''

* DH Parameter size: '''1024'''

* ECDH Parameter size: '''256'''

* HSTS: '''max-age=15768000'''

* Certificate switching: '''sha1WithRSAEncryption'''

0xCC,~~0x14~~ 0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~ChaCha20~~CHACHA20/POLY1305(256) Mac=AEAD 0xCC,~~0x13~~ 0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=~~ChaCha20~~CHACHA20/POLY1305(256) Mac=AEAD 0xC0,~~0x2F~~ 0x2B - ECDHE-~~RSA~~ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,~~0x2B~~ 0x2F - ECDHE-~~ECDSA~~RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AESGCM(128) Mac=AEAD 0xC0,~~0x30~~ 0x2C - ECDHE-~~RSA~~ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AESGCM(256) Mac=AEAD 0xC0,~~0x2C~~ 0x30 - ECDHE-~~ECDSA~~RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,~~0xA2~~ 0x9F - DHE-~~DSS~~RSA-~~AES128~~AES256-GCM-~~SHA256~~ SHA384 TLSv1.2 Kx=DH Au=~~DSS~~ RSA Enc=AESGCM(~~128~~256) Mac=AEAD~~0x00~~ 0xC0,~~0xA3~~ 0x09 - ~~DHE~~ECDHE-~~DSS~~ECDSA-~~AES256~~AES128-~~GCM-SHA384 TLSv1.2~~ SHA SSLv3 Kx=DH ECDH Au=~~DSS~~ ECDSA Enc=~~AESGCM~~AES(~~256~~128) Mac=~~AEAD~~SHA1~~0x00~~ 0xC0,~~0x9F~~ 0x13 - ~~DHE~~ECDHE-RSA-~~AES256~~AES128-~~GCM-SHA384 TLSv1.2~~ SHA SSLv3 Kx=DH ECDH Au=RSA Enc=~~AESGCM~~AES(~~256~~128) Mac=~~AEAD~~SHA1 0xC0,~~0x27~~ 0x0A - ECDHE-~~RSA~~ECDSA-~~AES128~~AES256-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(~~128~~256) Mac=~~SHA256~~SHA1 0xC0,~~0x23~~ 0x14 - ECDHE-~~ECDSA~~RSA-~~AES128~~AES256-~~SHA256 TLSv1.2 Kx~~SHA SSLv3 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(~~128~~256) Mac=~~SHA256~~SHA1 0xC0,~~0x13~~ 0x23 - ECDHE-~~RSA~~ECDSA-AES128-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(128) Mac=~~SHA1~~SHA256 0xC0,~~0x09~~ 0x27 - ECDHE-~~ECDSA~~RSA-AES128-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(128) Mac=~~SHA1~~SHA256 0xC0,~~0x28~~ 0x24 - ECDHE-~~RSA~~ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(256) Mac=SHA384 0xC0,~~0x24~~ 0x28 - ECDHE-~~ECDSA~~RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(256) Mac=SHA384~~0xC0~~ 0x00,~~0x14~~ 0x33 - ~~ECDHE~~DHE-RSA-~~AES256~~AES128-SHA SSLv3 Kx=~~ECDH~~ DH Au=RSA Enc=AES(~~256~~128) Mac=SHA1~~0xC0~~ 0x00,~~0x0A~~ 0x39 - ~~ECDHE~~DHE-~~ECDSA~~RSA-AES256-SHA SSLv3 Kx=~~ECDH~~ DH Au=~~ECDSA~~ RSA Enc=AES(256) Mac=SHA1 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 0x00,~~0x33~~ 0x6B - DHE-RSA-~~AES128~~AES256-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(~~128~~256) Mac=~~SHA1~~SHA256 0x00,~~0x40~~ 0x9C - ~~DHE~~AES128-~~DSS-AES128~~GCM-SHA256 TLSv1.2 Kx=DH RSA Au=~~DSS~~ RSA Enc=~~AES~~AESGCM(128) Mac=~~SHA256~~AEAD 0x00,~~0x6B~~ 0x9D - ~~DHE~~AES256-~~RSA~~GCM-~~AES256-SHA256~~ SHA384 TLSv1.2 Kx=DH RSA Au=RSA Enc=~~AES~~AESGCM(256) Mac=~~SHA256~~AEAD 0x00,~~0x38~~ 0x2F - ~~DHE-DSS-AES256~~AES128-SHA SSLv3 Kx=DH RSA Au=~~DSS~~ RSA Enc=AES(~~256~~128) Mac=SHA1 0x00,~~0x39 - DHE-RSA~~0x35 -AES256-SHA SSLv3 Kx=DH RSA Au=RSA Enc=AES(256) Mac=SHA1~~0xC0~~ 0x00,~~0x12~~ 0x3C - ~~ECDHE~~AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA~~-DES-CBC3-SHA SSLv3 Kx=ECDH~~ ~~Au=RSA~~ Enc=~~3DES~~AES(~~168~~128) Mac=~~SHA1~~SHA256~~0xC0~~ 0x00,~~0x08~~ 0x3D - ~~ECDHE~~AES256-~~ECDSA-DES-CBC3-SHA SSLv3~~ SHA256 TLSv1.2 Kx=~~ECDH~~ RSA Au=~~ECDSA~~ RSA Enc=~~3DES~~AES(~~168~~256) Mac=~~SHA1~~SHA256~~0x00~~ 0xC0,~~0x16~~ 0x73 - ~~EDH~~ECDHE-~~RSA~~ECDSA-~~DES~~CAMELLIA256-~~CBC3-SHA SSLv3~~ SHA384 TLSv1.2 Kx=DH ECDH Au=~~RSA~~ ECDSA Enc=~~3DES~~Camellia(~~168~~256) Mac=~~SHA1~~SHA384~~0x00~~ 0xC0,~~0x9C~~ 0x77 - ECDHE- ~~AES128~~RSA-~~GCM~~CAMELLIA256-~~SHA256~~ SHA384 TLSv1.2 Kx=~~RSA~~ ECDH Au=RSA Enc=~~AESGCM~~Camellia(~~128~~256) Mac=~~AEAD~~SHA384 0x00,~~0x9D~~ 0xC4 - DHE- ~~AES256~~RSA-~~GCM~~CAMELLIA256-~~SHA384~~ SHA256 TLSv1.2 Kx=~~RSA~~ DH Au=RSA Enc=~~AESGCM~~Camellia(256) Mac=~~AEAD~~SHA256~~0x00~~ 0xC0,~~0x3C~~ 0x72 - ECDHE-ECDSA- ~~AES128~~CAMELLIA128-SHA256 TLSv1.2 Kx=~~RSA~~ ECDH Au=~~RSA~~ ECDSA Enc=~~AES~~Camellia(128) Mac=SHA256~~0x00~~ 0xC0,~~0x3D~~ 0x76 - ECDHE-RSA- ~~AES256~~CAMELLIA128-SHA256 TLSv1.2 Kx=~~RSA~~ ECDH Au=RSA Enc=~~AES~~Camellia(~~256~~128) Mac=SHA256 0x00,~~0x2F~~ 0xBE - ~~AES128~~DHE-RSA-CAMELLIA128-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=~~RSA~~ DH Au=RSA Enc=~~AES~~Camellia(128) Mac=~~SHA1~~SHA256 0x00,~~0x35~~ 0x88 - ~~AES256~~DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=~~RSA~~ DH Au=RSA Enc=~~AES~~Camellia(256) Mac=SHA1 0x00,~~0x6A~~ 0x45 - DHE-~~DSS~~RSA-~~AES256~~CAMELLIA128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH Au=~~DSS~~ RSA Enc=~~AES~~Camellia(~~256~~128) Mac=~~SHA256~~SHA1 0x00,~~0x32~~ 0xC0 - ~~DHE~~CAMELLIA256-~~DSS-AES128-SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH RSA Au=~~DSS~~ RSA Enc=~~AES~~Camellia(~~128~~256) Mac=~~SHA1~~SHA256 0x00,~~0x0A~~ 0xBA - ~~DES~~CAMELLIA128-~~CBC3-SHA SSLv3~~ SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=~~3DES~~Camellia(~~168~~128) Mac=~~SHA1~~SHA256 0x00,~~0x9A~~ 0x84 - ~~DHE-RSA-SEED~~CAMELLIA256-SHA SSLv3 Kx=DH RSA Au=RSA Enc=~~SEED~~Camellia(~~128~~256) Mac=SHA1 0x00,~~0x99~~ 0x41 - ~~DHE~~CAMELLIA128-~~DSS-SEED-SHA~~ SHA SSLv3 Kx=DH RSA Au=~~DSS~~ RSA Enc=~~SEED~~Camellia(128) Mac=SHA1~~0xCC~~ 0x00,~~0x15~~ 0x9A - DHE-RSA-~~CHACHA20~~SEED-~~POLY1305 TLSv1.2~~ SHA SSLv3 Kx=DH Au=RSA Enc=~~ChaCha20~~SEED(~~256~~128) Mac=~~AEAD~~SHA1~~0xC0~~ 0x00,~~0x77~~ 0x96 - ~~ECDHE~~SEED-SHA SSLv3 Kx=RSA~~-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH~~ Au=RSA Enc=~~Camellia~~SEED(~~256~~128) Mac=~~SHA384~~SHA1 0xC0,~~0x73~~ 0x08 - ECDHE-ECDSA-~~CAMELLIA256~~DES-CBC3-~~SHA384 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=ECDSA Enc=~~Camellia~~3DES(~~256~~168) Mac=~~SHA384~~SHA1~~0x00~~ 0xC0,~~0xC4~~ 0x12 - ~~DHE~~ECDHE-RSA-~~CAMELLIA256~~DES-CBC3-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH ECDH Au=RSA Enc=~~Camellia~~3DES(~~256~~168) Mac=~~SHA256~~SHA1 0x00,~~0xC3~~ 0x16 - DHE-~~DSS~~RSA-DES-~~CAMELLIA256~~CBC3-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH Au=~~DSS~~ RSA Enc=~~Camellia~~3DES(~~256~~168) Mac=~~SHA256~~SHA1 0x00,~~0x88~~ 0x0A - ~~DHE~~DES-~~RSA-CAMELLIA256~~CBC3-SHA SSLv3 Kx=DH RSA Au=RSA Enc=~~Camellia~~3DES(~~256~~168) Mac=SHA1 0x00,~~0x87~~ 0x07 - IDEA- ~~DHE-DSS-CAMELLIA256~~CBC-SHA SSLv3 Kx=DH RSA Au=~~DSS~~ RSA Enc=~~Camellia~~IDEA(~~256~~128) Mac=SHA1 0x00,~~0xC0~~ 0xA3 - ~~CAMELLIA256~~DHE-~~SHA256~~ DSS-AES256-GCM-SHA384 TLSv1.2 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=~~Camellia~~AESGCM(256) Mac=~~SHA256~~AEAD 0x00,~~0x84~~ 0xA2 - ~~CAMELLIA256~~DHE-~~SHA SSLv3~~ DSS-AES128-GCM-SHA256 TLSv1.2 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=~~Camellia~~AESGCM(~~256~~128) Mac=~~SHA1~~AEAD~~0xC0~~ 0x00,~~0x76~~ 0x6A - ~~ECDHE~~DHE-~~RSA~~DSS-~~CAMELLIA128~~AES256-SHA256 TLSv1.2 Kx=~~ECDH~~ DH Au=~~RSA~~ DSS Enc=~~Camellia~~AES(~~128~~256) Mac=SHA256~~0xC0~~ 0x00,~~0x72~~ 0x40 - ~~ECDHE~~DHE-~~ECDSA~~DSS-~~CAMELLIA128~~AES128-SHA256 TLSv1.2 Kx=~~ECDH~~ DH Au=~~ECDSA~~ DSS Enc=~~Camellia~~AES(128) Mac=SHA256 0x00,~~0xBE~~ 0x38 - DHE-~~RSA~~DSS-~~CAMELLIA128~~AES256-~~SHA256~~ SHA ~~TLSv1.2~~ SSLv3 Kx=DH Au=~~RSA~~ DSS Enc=~~Camellia~~AES(~~128~~256) Mac=~~SHA256~~SHA1 0x00,~~0xBD~~ 0x32 - DHE-DSS-~~CAMELLIA128~~AES128-~~SHA256~~ SHA ~~TLSv1.2~~ SSLv3 Kx=DH Au=DSS Enc=~~Camellia~~AES(128) Mac=~~SHA256~~SHA1 0x00,~~0x45~~ 0xC3 - DHE-~~RSA~~DSS-~~CAMELLIA128~~CAMELLIA256-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH Au=~~RSA~~ DSS Enc=Camellia(~~128~~256) Mac=~~SHA1~~SHA256 0x00,~~0x44~~ 0xBD - DHE-DSS-CAMELLIA128-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(128) Mac=~~SHA1~~SHA256 0x00,~~0xBA~~ 0x87 - DHE-DSS- ~~CAMELLIA128~~CAMELLIA256-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=Camellia(~~128~~256) Mac=~~SHA256~~SHA1 0x00,~~0x41~~ 0x44 - DHE-DSS- CAMELLIA128-SHA SSLv3 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=Camellia(128) Mac=SHA1 0x00,~~0x96~~ 0x99 - DHE-DSS- SEED-SHA SSLv3 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=SEED(128) Mac=SHA1 0x00,0x13 - DHE-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1

</source>

Rationale:

* You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.

* SSLv3 is enabled to support ~~WinXP SP2 clients~~ IE6 on IEWindows XP.* SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide a SHA1 certs to old clients(such as Windows XP pre-SP3), and SHA256 certs to all others. More information in the "Certificates Switching" section later in this document.

* Most ciphers that are not clearly broken and dangerous to use are supported

* eNULL contains null-encryption ciphers (cleartext)

* EXPORT are legacy weak ciphers that were marked as exportable by US law

* RC4 contains ciphers that use the deprecated ~~ARCFOUR~~ RC4 algorithm

* DES contains ciphers that use the deprecated Data Encryption Standard

* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated

* MD5 contains all the ciphers that use the deprecated ~~message digest~~ Message Digest 5 as the hashing algorithm* kDH and kECDH contain static DH/ECDH for key exchange which is rarely used

= Forward Secrecy =

Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:

* Android < 3.0.0

* Java < 7

* OpenSSL < 1.0.0

Zzq1015

3

edits

Changes

Security/Server Side TLS

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools