Changes

Security/Server Side TLS

442 bytes removed, 22:05, 23 December 2016

m

Reverted edits by Zzq1015 (talk) to last revision by Ulfr

For services that don't need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.

* Ciphersuites: '''ECDHE-ECDSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~SHA384:ECDHE-RSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~SHA384:ECDHE-ECDSA-~~AES256~~CHACHA20-~~GCM-SHA384~~POLY1305:ECDHE-RSA-~~AES256~~CHACHA20-~~GCM-SHA384~~POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'''* Versions: '''~~TLSv1.3 (working in progress),~~ TLSv1.2'''* ~~ECDH~~ TLS curves: '''~~X25519 (with OpenSSL 1.1.0+)~~prime256v1, ~~prime256v1~~secp384r1, secp521r1~~, secp384r1~~'''* Certificate type: '''ECDSA ~~(recommended) or RSA~~'''* Certificate ~~(ECDSA)~~ curve: '''prime256v1, secp384r1, secp521r1'''

* Certificate signature: '''sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512'''

* RSA key size: '''2048''' (if not ~~ECDSA~~ecdsa)* DH Parameter size: '''~~N/A~~None''' (disabled entirely)* ECDH Parameter size: '''256'''

* HSTS: '''max-age=15768000'''

* Certificate switching: '''None'''

~~0xCC~~0xC0,~~0xA9~~ 0x2C - ECDHE-ECDSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~ SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~CHACHA20/POLY1305~~AESGCM(256) Mac=AEAD ~~0xCC~~0xC0,~~0xA8~~ 0x30 - ECDHE-RSA-~~CHACHA20~~AES256-GCM-~~POLY1305~~ SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=~~CHACHA20/POLY1305~~AESGCM(256) Mac=AEAD ~~0xC0~~0xCC,~~0x2C~~ 0x14 - ECDHE-ECDSA-~~AES256~~CHACHA20-~~GCM-SHA384~~ POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~AESGCM~~ChaCha20(256) Mac=AEAD ~~0xC0~~0xCC,~~0x30~~ 0x13 - ECDHE-RSA-~~AES256~~CHACHA20-~~GCM-SHA384~~ POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=~~AESGCM~~ChaCha20(256) Mac=AEAD 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

</source>

Rationale:

* AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 ~~> AES_256_GCM > AES_128_GCM > AES_256_CBC > AES_128_CBC~~ because ~~AES_GCM is fragile ([https://eprint.iacr.org/2013/157.pdf 1])~~ we assume that most modern devices support AESNI instructions and thus benefit from fast and ~~hard to implement safely. Also, ChaCha20 is not necessarily slower than AES_256_GCM while providing 256 bits of security~~constant time AES.* We recommend ECDSA certificates with ~~NIST-~~P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.

* DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.

* ~~HMAC-~~SHA1 signature algorithm is removed in favor of ~~HMAC-~~SHA384 for AES256 and ~~HMAC-~~SHA256 for AES128.

== <span style="color:orange;">'''Intermediate'''</span> compatibility (default) ==

For services that don't need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.

* Ciphersuites: '''ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-~~SHA~~SHA256:ECDHE-RSA-AES128-~~SHA~~SHA256:ECDHE-ECDSA-~~AES256~~AES128-SHA:ECDHE-RSA-AES256-~~SHA~~SHA384:ECDHE-~~ECDSA~~RSA-AES128-~~SHA256~~SHA:ECDHE-~~RSA~~ECDSA-~~AES128~~AES256-~~SHA256~~SHA384:ECDHE-ECDSA-AES256-~~SHA384~~SHA:ECDHE-RSA-AES256-~~SHA384~~SHA:DHE-RSA-AES128-~~SHA~~SHA256:DHE-RSA-~~AES256~~AES128-SHA:DHE-RSA-~~AES128~~AES256-SHA256:DHE-RSA-~~AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:~~AES256-SHA~~:AES128-SHA256:AES256-SHA256~~:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'''* Versions: '''~~TLSv1.3 (working in progress),~~ TLSv1.2, TLSv1.1, TLSv1'''* ~~ECDH~~ TLS curves: '''~~X25519 (with OpenSSL 1.1.0+)~~prime256v1, ~~prime256v1~~secp384r1, secp521r1~~, secp384r1~~'''* Certificate type: '''~~RSA and ECDSA in parallel if available, otherwise just~~ RSA'''* Certificate ~~(ECDSA)~~ curve: '''~~prime256v1, secp384r1, secp521r1~~'None'''* Certificate signature: '''sha256WithRSAEncryption ~~for RSA, and ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512 for ECDSA~~'''

* RSA key size: '''2048'''

* DH Parameter size: '''2048'''

* ECDH Parameter size: '''256'''

* HSTS: '''max-age=15768000'''

* Certificate switching: '''None'''

0xCC,~~0xA9~~ 0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~CHACHA20/POLY1305~~ChaCha20(256) Mac=AEAD 0xCC,~~0xA8~~ 0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=~~CHACHA20/POLY1305~~ChaCha20(256) Mac=AEAD 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 0xC0,~~0x09~~ 0x23 - ECDHE-ECDSA-AES128-~~SHA~~ SHA256 TLSv1.2 ~~SSLv3~~ Kx=ECDH Au=ECDSA Enc=AES(128) Mac=~~SHA1~~SHA256 0xC0,~~0x13~~ 0x27 - ECDHE-RSA-AES128-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=~~SHA1~~SHA256 0xC0,~~0x0A~~ 0x09 - ECDHE-ECDSA-~~AES256~~AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(~~256~~128) Mac=SHA1 0xC0,~~0x14~~ 0x28 - ECDHE-RSA-AES256-~~SHA SSLv3~~ SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=~~SHA1~~SHA384 0xC0,~~0x23~~ 0x13 - ECDHE-~~ECDSA~~RSA-AES128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(128) Mac=~~SHA256~~SHA1 0xC0,~~0x27~~ 0x24 - ECDHE-~~RSA~~ECDSA-~~AES128~~AES256-~~SHA256~~ SHA384 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(~~128~~256) Mac=~~SHA256~~SHA384 0xC0,~~0x24~~ 0x0A - ECDHE-ECDSA-AES256-~~SHA384 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=~~SHA384~~SHA1 0xC0,~~0x28~~ 0x14 - ECDHE-RSA-AES256-~~SHA384 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=~~SHA384~~SHA1 0x00,~~0x33~~ 0x67 - DHE-RSA-AES128-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=~~SHA1~~SHA256 0x00,~~0x39~~ 0x33 - DHE-RSA-~~AES256~~AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(~~256~~128) Mac=SHA1 0x00,~~0x67~~ 0x6B - DHE-RSA-~~AES128~~AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(~~128~~256) Mac=SHA256 0x00,~~0x6B~~ 0x39 - DHE-RSA-AES256-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=~~SHA256~~SHA1 ~~0x00~~0xC0,~~0x9C~~ 0x08 - ECDHE-ECDSA- ~~AES128~~DES-~~GCM~~CBC3-~~SHA256~~ SHA ~~TLSv1.2~~ SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA10xC0,0x12 - ECDHE-RSA -DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=~~AESGCM~~3DES(~~128~~168) Mac=~~AEAD~~SHA1 0x00,~~0x9D~~ 0x16 - EDH-RSA- ~~AES256~~DES-~~GCM~~CBC3-~~SHA384 TLSv1.2~~ SHA SSLv3 Kx=~~RSA~~ DH Au=RSA Enc=~~AESGCM~~3DES(~~256~~168) Mac=~~AEAD~~SHA1 0x00,~~0x2F~~ 0x9C - AES128-~~SHA~~ GCM-SHA256 ~~SSLv3~~ TLSv1.2 Kx=RSA Au=RSA Enc=~~AES~~AESGCM(128) Mac=~~SHA1~~AEAD 0x00,~~0x35~~ 0x9D - AES256-~~SHA~~ GCM-SHA384 ~~SSLv3~~ TLSv1.2 Kx=RSA Au=RSA Enc=~~AES~~AESGCM(256) Mac=~~SHA1~~AEAD 0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ~~0xC0~~0x00,~~0x08~~ 0x2F - ~~ECDHE-ECDSA-DES-CBC3~~ AES128-SHA SSLv3 Kx=~~ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1~~ ~~0xC0,0x12 - ECDHE-~~RSA~~-DES-CBC3-SHA SSLv3 Kx=ECDH~~ Au=RSA Enc=~~3DES~~AES(~~168~~128) Mac=SHA1 0x00,~~0x16~~ 0x35 - ~~DHE-RSA-DES-CBC3~~ AES256-SHA SSLv3 ~~SSLv3~~ Kx=DH RSA Au=RSA Enc=~~3DES~~AES(~~168~~256) Mac=SHA1 0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

</source>

Rationale:

* ChaCha20 is ~~preferred~~ prefered as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions ([http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html 1], [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12398.html 2]) on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.* ~~3DES ciphers are put at the very last due to the SWEET32 attack ([https://sweet32.info 1])~~* HMACDES-~~SHA1 is preferred over HMAC~~CBC3-~~SHA256/SHA384 because the latter does not really provide more security than the former ([https://crypto.stackexchange.com/questions/26510/why~~SHA and EDH-isRSA-~~hmac~~DES-~~sha1~~CBC3-~~still-considered-secure 1]), and HMAC-SHA1 is almost twice as fast than HMAC-SHA256/SHA384. Also, AES_CBC is flawed, modern~~ SHA are maintained for backward compatibility with clients ~~will use AES_GCM anyways~~that do not support AES.

* While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).

This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.

* Ciphersuites: '''ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-~~ECDSA~~RSA-AES128-GCM-SHA256:ECDHE-~~RSA~~ECDSA-AES128-GCM-SHA256:ECDHE-~~ECDSA~~RSA-AES256-GCM-SHA384:ECDHE-~~RSA~~ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-~~RSA~~DSS-~~AES256~~AES128-GCM-~~SHA384~~SHA256:~~ECDHE-ECDSA-AES128-SHA~~kEDH+AESGCM:ECDHE-RSA-AES128-~~SHA~~SHA256:ECDHE-ECDSA-~~AES256~~AES128-~~SHA~~SHA256:ECDHE-RSA-~~AES256~~AES128-SHA:ECDHE-ECDSA-AES128-~~SHA256~~SHA:ECDHE-RSA-~~AES128~~AES256-~~SHA256~~SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-~~SHA384~~SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-~~SHA~~SHA256:DHE-RSA-~~AES256~~AES128-SHA:DHE-~~RSA~~DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:~~AES128~~DHE-~~GCM~~DSS-~~SHA256:~~AES256~~-GCM-SHA384:AES128~~-SHA:~~AES256~~DHE-~~SHA:AES128~~RSA-~~SHA256:~~AES256-~~SHA256:AES+DSS:CAMELLIA:SEED~~SHA:ECDHE-~~ECDSA~~RSA-DES-CBC3-SHA:ECDHE-~~RSA~~ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:~~3DES~~HIGH:~~IDEA:+DSS~~SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!~~SRP~~aDH:!aECDH:!~~KRB5~~EDH-DSS-DES-CBC3-SHA:!~~kDH~~KRB5-DES-CBC3-SHA:!~~kECDH~~SRP'''* Versions: '''~~TLSv1.3 (working in progress),~~ TLSv1.2, TLSv1.1, TLSv1, SSLv3'''* TLS curves: '''~~X25519 (with OpenSSL 1.1.0+)~~prime256v1, ~~prime256v1~~secp384r1, secp521r1~~, secp384r1~~'''

* Certificate type: '''RSA'''

* Certificate curve: '''~~N/A~~'None'''

* Certificate signature: '''sha256WithRSAEncryption'''

* RSA key size: '''2048'''

* DH Parameter size: '''1024'''

* ECDH Parameter size: '''256'''

* HSTS: '''max-age=15768000'''

* Certificate switching: '''sha1WithRSAEncryption'''

0xCC,~~0xA9~~ 0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~CHACHA20/POLY1305~~ChaCha20(256) Mac=AEAD 0xCC,~~0xA8~~ 0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=~~CHACHA20/POLY1305~~ChaCha20(256) Mac=AEAD 0xC0,~~0x2B~~ 0x2F - ECDHE-~~ECDSA~~RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AESGCM(128) Mac=AEAD 0xC0,~~0x2F~~ 0x2B - ECDHE-~~RSA~~ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,~~0x2C~~ 0x30 - ECDHE-~~ECDSA~~RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AESGCM(256) Mac=AEAD 0xC0,~~0x30~~ 0x2C - ECDHE-~~RSA~~ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,~~0x9F~~ 0xA2 - DHE-~~RSA~~DSS-~~AES256~~AES128-GCM-~~SHA384~~ SHA256 TLSv1.2 Kx=DH Au=~~RSA~~ DSS Enc=AESGCM(~~256~~128) Mac=AEAD ~~0xC0~~0x00,~~0x09~~ 0xA3 - DHE- ~~ECDHE~~DSS-~~ECDSA~~AES256-~~AES128~~GCM-~~SHA~~ SHA384 TLSv1.2 ~~SSLv3~~ Kx=~~ECDH~~ DH Au=~~ECDSA~~ DSS Enc=~~AES~~AESGCM(~~128~~256) Mac=~~SHA1~~AEAD ~~0xC0~~0x00,~~0x13~~ 0x9F - ~~ECDHE~~ DHE-RSA-~~AES128~~AES256-GCM-~~SHA SSLv3~~ SHA384 TLSv1.2 Kx=~~ECDH~~ DH Au=RSA Enc=~~AES~~AESGCM(~~128~~256) Mac=~~SHA1~~AEAD 0xC0,~~0x0A~~ 0x27 - ECDHE-~~ECDSA~~RSA-~~AES256~~AES128-~~SHA~~ SHA256 TLSv1.2 ~~SSLv3~~ Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(~~256~~128) Mac=~~SHA1~~SHA256 0xC0,~~0x14~~ 0x23 - ECDHE-~~RSA~~ECDSA-~~AES256~~AES128-~~SHA SSLv3 Kx~~SHA256 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(~~256~~128) Mac=~~SHA1~~SHA256 0xC0,~~0x23~~ 0x13 - ECDHE-~~ECDSA~~RSA-AES128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(128) Mac=~~SHA256~~SHA1 0xC0,~~0x27~~ 0x09 - ECDHE-~~RSA~~ECDSA-AES128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(128) Mac=~~SHA256~~SHA1 0xC0,~~0x24~~ 0x28 - ECDHE-~~ECDSA~~RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=~~ECDSA~~ RSA Enc=AES(256) Mac=SHA384 0xC0,~~0x28~~ 0x24 - ECDHE-~~RSA~~ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=~~RSA~~ ECDSA Enc=AES(256) Mac=SHA384 ~~0x00~~0xC0,~~0x33~~ 0x14 - ~~DHE~~ ECDHE-RSA-~~AES128~~AES256-SHA SSLv3 Kx=DH ECDH Au=RSA Enc=AES(~~128~~256) Mac=SHA1 ~~0x00~~0xC0,~~0x39~~ 0x0A - ~~DHE~~ ECDHE-~~RSA~~ECDSA-AES256-SHA SSLv3 Kx=DH ECDH Au=~~RSA~~ ECDSA Enc=AES(256) Mac=SHA1 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 0x00,~~0x6B~~ 0x33 - DHE-RSA-~~AES256~~AES128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH Au=RSA Enc=AES(~~256~~128) Mac=~~SHA256~~SHA1 0x00,~~0x9C~~ 0x40 - DHE-DSS- AES128~~-GCM~~-SHA256 TLSv1.2 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=~~AESGCM~~AES(128) Mac=~~AEAD~~SHA256 0x00,~~0x9D~~ 0x6B - DHE-RSA- AES256-~~GCM-SHA384~~ SHA256 TLSv1.2 Kx=~~RSA~~ DH Au=RSA Enc=~~AESGCM~~AES(256) Mac=~~AEAD~~SHA256 0x00,~~0x2F~~ 0x38 - ~~AES128~~ DHE-DSS-AES256-SHA SSLv3 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=AES(~~128~~256) Mac=SHA1 0x00,~~0x35~~ 0x39 - DHE-RSA- AES256-SHA SSLv3 Kx=~~RSA~~ DH Au=RSA Enc=AES(256) Mac=SHA1 ~~0x00~~0xC0,~~0x3C~~ 0x12 - ~~AES128~~ ECDHE-~~SHA256 TLSv1.2 Kx=~~RSA Au-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=~~AES~~3DES(~~128~~168) Mac=~~SHA256~~SHA1 ~~0x00~~0xC0,~~0x3D~~ 0x08 - ~~AES256~~ ECDHE-~~SHA256 TLSv1.2~~ ECDSA-DES-CBC3-SHA SSLv3 Kx=~~RSA~~ ECDH Au=~~RSA~~ ECDSA Enc=~~AES~~3DES(~~256~~168) Mac=~~SHA256~~SHA1 ~~0xC0~~0x00,~~0x73~~ 0x16 - EDH- ~~ECDHE~~RSA-~~ECDSA~~DES-~~CAMELLIA256~~CBC3-~~SHA384 TLSv1.2~~ SHA SSLv3 Kx=~~ECDH~~ DH Au=~~ECDSA~~ RSA Enc=~~Camellia~~3DES(~~256~~168) Mac=~~SHA384~~SHA1 ~~0xC0~~0x00,~~0x77~~ 0x9C - ~~ECDHE~~ AES128-~~RSA~~GCM-~~CAMELLIA256-SHA384~~ SHA256 TLSv1.2 Kx=~~ECDH~~ RSA Au=RSA Enc=~~Camellia~~AESGCM(~~256~~128) Mac=~~SHA384~~AEAD 0x00,~~0xC4~~ 0x9D - ~~DHE~~ AES256-~~RSA~~GCM-~~CAMELLIA256-SHA256~~ SHA384 TLSv1.2 Kx=DH RSA Au=RSA Enc=~~Camellia~~AESGCM(256) Mac=~~SHA256~~AEAD ~~0xC0~~0x00,~~0x72~~ 0x3C - ~~ECDHE-ECDSA-CAMELLIA128~~ AES128-SHA256 TLSv1.2 Kx=~~ECDH~~ RSA Au=~~ECDSA~~ RSA Enc=~~Camellia~~AES(128) Mac=SHA256 ~~0xC0~~0x00,~~0x76~~ 0x3D - ~~ECDHE-RSA-CAMELLIA128~~ AES256-SHA256 TLSv1.2 Kx=~~ECDH~~ RSA Au=RSA Enc=~~Camellia~~AES(~~128~~256) Mac=SHA256 0x00,~~0xBE~~ 0x2F - ~~DHE~~ AES128-~~RSA-CAMELLIA128-SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH RSA Au=RSA Enc=~~Camellia~~AES(128) Mac=~~SHA256~~SHA1 0x00,~~0x88~~ 0x35 - ~~DHE-RSA-CAMELLIA256~~ AES256-SHA SSLv3 Kx=DH RSA Au=RSA Enc=~~Camellia~~AES(256) Mac=SHA1 0x00,~~0x45~~ 0x6A - DHE-~~RSA~~DSS-~~CAMELLIA128~~AES256-~~SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH Au=~~RSA~~ DSS Enc=~~Camellia~~AES(~~128~~256) Mac=~~SHA1~~SHA256 0x00,~~0xC0~~ 0x32 - DHE- ~~CAMELLIA256~~DSS-~~SHA256 TLSv1.2~~ AES128-SHA SSLv3 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=~~Camellia~~AES(~~256~~128) Mac=~~SHA256~~SHA1 0x00,~~0xBA~~ 0x0A - ~~CAMELLIA128~~ DES-~~SHA256 TLSv1.2~~ CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=~~Camellia~~3DES(~~128~~168) Mac=~~SHA256~~SHA1 0x00,~~0x84~~ 0x9A - ~~CAMELLIA256~~ DHE-RSA-SEED-SHA SSLv3 Kx=~~RSA~~ DH Au=RSA Enc=~~Camellia~~SEED(~~256~~128) Mac=SHA1 0x00,~~0x41~~ 0x99 - DHE-DSS- ~~CAMELLIA128~~SEED-SHA SSLv3 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=~~Camellia~~SEED(128) Mac=SHA1 ~~0x00~~0xCC,~~0x9A~~ 0x15 - DHE-RSA-~~SEED~~CHACHA20-~~SHA SSLv3 Kx=DH~~ POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=~~SEED~~ChaCha20(~~128~~256) Mac=~~SHA1~~AEAD ~~0x00~~0xC0,~~0x96~~ 0x77 - ~~SEED~~ ECDHE-~~SHA SSLv3 Kx=~~RSA -CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=~~SEED~~Camellia(~~128~~256) Mac=~~SHA1~~SHA384 0xC0,~~0x08~~ 0x73 - ECDHE-ECDSA-~~DES~~CAMELLIA256-~~CBC3-SHA SSLv3~~ SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=~~3DES~~Camellia(~~168~~256) Mac=~~SHA1~~SHA384 ~~0xC0~~0x00,~~0x12~~ 0xC4 - ~~ECDHE~~ DHE-RSA-~~DES~~CAMELLIA256-~~CBC3-SHA~~ SHA256 TLSv1.2 ~~SSLv3~~ Kx=~~ECDH~~ DH Au=RSA Enc=~~3DES~~Camellia(~~168~~256) Mac=~~SHA1~~SHA256 0x00,~~0x16~~ 0xC3 - DHE-~~RSA~~DSS-~~DES~~CAMELLIA256-~~CBC3-SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH Au=~~RSA~~ DSS Enc=~~3DES~~Camellia(~~168~~256) Mac=~~SHA1~~SHA256 0x00,~~0x0A~~ 0x88 - DHE- ~~DES~~RSA-~~CBC3~~CAMELLIA256-SHA SSLv3 Kx=~~RSA~~ DH Au=RSA Enc=~~3DES~~Camellia(~~168~~256) Mac=SHA1 0x00,~~0x07~~ 0x87 - ~~IDEA~~ DHE-DSS-~~CBC~~CAMELLIA256-SHA SSLv3 Kx=~~RSA~~ DH Au=~~RSA~~ DSS Enc=~~IDEA~~Camellia(~~128~~256) Mac=SHA1 0x00,~~0xA3~~ 0xC0 - ~~DHE~~ CAMELLIA256-~~DSS-AES256-GCM-SHA384~~ SHA256 TLSv1.2 Kx=DH RSA Au=~~DSS~~ RSA Enc=~~AESGCM~~Camellia(256) Mac=~~AEAD~~SHA256 0x00,~~0xA2~~ 0x84 - ~~DHE~~ CAMELLIA256-~~DSS-AES128-GCM-SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH RSA Au=~~DSS~~ RSA Enc=~~AESGCM~~Camellia(~~128~~256) Mac=~~AEAD~~SHA1 ~~0x00~~0xC0,~~0x6A~~ 0x76 - ~~DHE~~ ECDHE-~~DSS~~RSA-~~AES256~~CAMELLIA128-SHA256 TLSv1.2 Kx=DH ECDH Au=~~DSS~~ RSA Enc=~~AES~~Camellia(~~256~~128) Mac=SHA256 ~~0x00~~0xC0,~~0x40~~ 0x72 - ~~DHE~~ ECDHE-~~DSS~~ECDSA-~~AES128~~CAMELLIA128-SHA256 TLSv1.2 Kx=DH ECDH Au=~~DSS~~ ECDSA Enc=~~AES~~Camellia(128) Mac=SHA256 0x00,~~0x38~~ 0xBE - DHE-~~DSS~~RSA-~~AES256~~CAMELLIA128-~~SHA~~ SHA256 ~~SSLv3~~ TLSv1.2 Kx=DH Au=~~DSS~~ RSA Enc=~~AES~~Camellia(~~256~~128) Mac=~~SHA1~~SHA256 0x00,~~0x32~~ 0xBD - DHE-DSS-~~AES128~~CAMELLIA128-~~SHA~~ SHA256 ~~SSLv3~~ TLSv1.2 Kx=DH Au=DSS Enc=~~AES~~Camellia(128) Mac=~~SHA1~~SHA256 0x00,~~0xC3~~ 0x45 - DHE-~~DSS~~RSA-~~CAMELLIA256~~CAMELLIA128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH Au=~~DSS~~ RSA Enc=Camellia(~~256~~128) Mac=~~SHA256~~SHA1 0x00,~~0xBD~~ 0x44 - DHE-DSS-CAMELLIA128-~~SHA256 TLSv1.2~~ SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=~~SHA256~~SHA1 0x00,~~0x87~~ 0xBA - ~~DHE~~ CAMELLIA128-~~DSS-CAMELLIA256-SHA SSLv3~~ SHA256 TLSv1.2 Kx=DH RSA Au=~~DSS~~ RSA Enc=Camellia(~~256~~128) Mac=~~SHA1~~SHA256 0x00,~~0x44 - DHE-DSS~~0x41 - CAMELLIA128-SHA SSLv3 Kx=DH RSA Au=~~DSS~~ RSA Enc=Camellia(128) Mac=SHA1 0x00,~~0x99 - DHE-DSS~~0x96 - SEED-SHA SSLv3 Kx=DH RSA Au=~~DSS~~ RSA Enc=SEED(128) ~~Mac=SHA1~~ ~~0x00,0x13 - DHE-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168)~~ Mac=SHA1

</source>

Rationale:

* You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.

* SSLv3 is enabled to support ~~IE6~~ WinXP SP2 clients on ~~Windows XP~~IE.* SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide a SHA1 certs to old clients ~~(such as Windows XP pre-SP3)~~, and SHA256 certs to all others. More information in the "Certificates Switching" section later in this document.

* Most ciphers that are not clearly broken and dangerous to use are supported

* eNULL contains null-encryption ciphers (cleartext)

* EXPORT are legacy weak ciphers that were marked as exportable by US law

* RC4 contains ciphers that use the deprecated ~~RC4~~ ARCFOUR algorithm

* DES contains ciphers that use the deprecated Data Encryption Standard

* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated

* MD5 contains all the ciphers that use the deprecated ~~Message Digest~~ message digest 5 as the hashing algorithm* kDH and kECDH contain static DH/ECDH for key exchange which is rarely used

= Forward Secrecy =

Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:

* Android < 3.0.0

* Java < 7

* OpenSSL < 1.0.0

Apking

Antispam, confirm

99

edits

Changes

Security/Server Side TLS

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools