Changes

Jump to: navigation, search

Security/Server Side TLS

442 bytes removed, 22:05, 23 December 2016
m
Reverted edits by Zzq1015 (talk) to last revision by Ulfr
For services that don't need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.
* Ciphersuites: '''ECDHE-ECDSA-CHACHA20AES256-GCM-POLY1305SHA384:ECDHE-RSA-CHACHA20AES256-GCM-POLY1305SHA384:ECDHE-ECDSA-AES256CHACHA20-GCM-SHA384POLY1305:ECDHE-RSA-AES256CHACHA20-GCM-SHA384POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'''* Versions: '''TLSv1.3 (working in progress), TLSv1.2'''* ECDH TLS curves: '''X25519 (with OpenSSL 1.1.0+)prime256v1, prime256v1secp384r1, secp521r1, secp384r1'''* Certificate type: '''ECDSA (recommended) or RSA'''* Certificate (ECDSA) curve: '''prime256v1, secp384r1, secp521r1'''
* Certificate signature: '''sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512'''
* RSA key size: '''2048''' (if not ECDSAecdsa)* DH Parameter size: '''N/ANone''' (disabled entirely)* ECDH Parameter size: '''256'''
* HSTS: '''max-age=15768000'''
* Certificate switching: '''None'''
<source>
0xCC0xC0,0xA9 0x2C - ECDHE-ECDSA-CHACHA20AES256-GCM-POLY1305 SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305AESGCM(256) Mac=AEAD 0xCC0xC0,0xA8 0x30 - ECDHE-RSA-CHACHA20AES256-GCM-POLY1305 SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305AESGCM(256) Mac=AEAD 0xC00xCC,0x2C 0x14 - ECDHE-ECDSA-AES256CHACHA20-GCM-SHA384 POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCMChaCha20(256) Mac=AEAD 0xC00xCC,0x30 0x13 - ECDHE-RSA-AES256CHACHA20-GCM-SHA384 POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCMChaCha20(256) Mac=AEAD 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
</source>
Rationale:
* AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 > AES_256_GCM > AES_128_GCM > AES_256_CBC > AES_128_CBC because AES_GCM is fragile ([https://eprint.iacr.org/2013/157.pdf 1]) we assume that most modern devices support AESNI instructions and thus benefit from fast and hard to implement safely. Also, ChaCha20 is not necessarily slower than AES_256_GCM while providing 256 bits of securityconstant time AES.* We recommend ECDSA certificates with NIST-P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.
* DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.
* HMAC-SHA1 signature algorithm is removed in favor of HMAC-SHA384 for AES256 and HMAC-SHA256 for AES128.
== <span style="color:orange;">'''Intermediate'''</span> compatibility (default) ==
For services that don't need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.
* Ciphersuites: '''ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHASHA256:ECDHE-RSA-AES128-SHASHA256:ECDHE-ECDSA-AES256AES128-SHA:ECDHE-RSA-AES256-SHASHA384:ECDHE-ECDSARSA-AES128-SHA256SHA:ECDHE-RSAECDSA-AES128AES256-SHA256SHA384:ECDHE-ECDSA-AES256-SHA384SHA:ECDHE-RSA-AES256-SHA384SHA:DHE-RSA-AES128-SHASHA256:DHE-RSA-AES256AES128-SHA:DHE-RSA-AES128AES256-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'''* Versions: '''TLSv1.3 (working in progress), TLSv1.2, TLSv1.1, TLSv1'''* ECDH TLS curves: '''X25519 (with OpenSSL 1.1.0+)prime256v1, prime256v1secp384r1, secp521r1, secp384r1'''* Certificate type: '''RSA and ECDSA in parallel if available, otherwise just RSA'''* Certificate (ECDSA) curve: '''prime256v1, secp384r1, secp521r1'None'''* Certificate signature: '''sha256WithRSAEncryption for RSA, and ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512 for ECDSA'''
* RSA key size: '''2048'''
* DH Parameter size: '''2048'''
* ECDH Parameter size: '''256'''
* HSTS: '''max-age=15768000'''
* Certificate switching: '''None'''
<source>
0xCC,0xA9 0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305ChaCha20(256) Mac=AEAD 0xCC,0xA8 0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305ChaCha20(256) Mac=AEAD 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x09 0x23 - ECDHE-ECDSA-AES128-SHA SHA256 TLSv1.2 SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1SHA256 0xC0,0x13 0x27 - ECDHE-RSA-AES128-SHA SSLv3 SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1SHA256 0xC0,0x0A 0x09 - ECDHE-ECDSA-AES256AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256128) Mac=SHA1 0xC0,0x14 0x28 - ECDHE-RSA-AES256-SHA SSLv3 SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1SHA384 0xC0,0x23 0x13 - ECDHE-ECDSARSA-AES128-SHA256 TLSv1.2 SHA SSLv3 Kx=ECDH Au=ECDSA RSA Enc=AES(128) Mac=SHA256SHA1 0xC0,0x27 0x24 - ECDHE-RSAECDSA-AES128AES256-SHA256 SHA384 TLSv1.2 Kx=ECDH Au=RSA ECDSA Enc=AES(128256) Mac=SHA256SHA384 0xC0,0x24 0x0A - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384SHA1 0xC0,0x28 0x14 - ECDHE-RSA-AES256-SHA384 TLSv1.2 SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384SHA1 0x00,0x33 0x67 - DHE-RSA-AES128-SHA SSLv3 SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1SHA256 0x00,0x39 0x33 - DHE-RSA-AES256AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256128) Mac=SHA1 0x00,0x67 0x6B - DHE-RSA-AES128AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128256) Mac=SHA256 0x00,0x6B 0x39 - DHE-RSA-AES256-SHA256 TLSv1.2 SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256SHA1 0x000xC0,0x9C 0x08 - ECDHE-ECDSA- AES128DES-GCMCBC3-SHA256 SHA TLSv1.2 SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA10xC0,0x12 - ECDHE-RSA -DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=AESGCM3DES(128168) Mac=AEADSHA1 0x00,0x9D 0x16 - EDH-RSA- AES256DES-GCMCBC3-SHA384 TLSv1.2 SHA SSLv3 Kx=RSA DH Au=RSA Enc=AESGCM3DES(256168) Mac=AEADSHA1 0x00,0x2F 0x9C - AES128-SHA GCM-SHA256 SSLv3 TLSv1.2 Kx=RSA Au=RSA Enc=AESAESGCM(128) Mac=SHA1AEAD 0x00,0x35 0x9D - AES256-SHA GCM-SHA384 SSLv3 TLSv1.2 Kx=RSA Au=RSA Enc=AESAESGCM(256) Mac=SHA1AEAD 0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 0xC00x00,0x08 0x2F - ECDHE-ECDSA-DES-CBC3 AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1 0xC0,0x12 - ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DESAES(168128) Mac=SHA1 0x00,0x16 0x35 - DHE-RSA-DES-CBC3 AES256-SHA SSLv3 SSLv3 Kx=DH RSA Au=RSA Enc=3DESAES(168256) Mac=SHA1 0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
</source>
Rationale:
* ChaCha20 is preferred prefered as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions ([http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html 1], [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12398.html 2]) on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.* 3DES ciphers are put at the very last due to the SWEET32 attack ([https://sweet32.info 1])* HMACDES-SHA1 is preferred over HMACCBC3-SHA256/SHA384 because the latter does not really provide more security than the former ([https://crypto.stackexchange.com/questions/26510/whySHA and EDH-isRSA-hmacDES-sha1CBC3-still-considered-secure 1]), and HMAC-SHA1 is almost twice as fast than HMAC-SHA256/SHA384. Also, AES_CBC is flawed, modern SHA are maintained for backward compatibility with clients will use AES_GCM anywaysthat do not support AES.
* While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.
* Ciphersuites: '''ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSARSA-AES128-GCM-SHA256:ECDHE-RSAECDSA-AES128-GCM-SHA256:ECDHE-ECDSARSA-AES256-GCM-SHA384:ECDHE-RSAECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSADSS-AES256AES128-GCM-SHA384SHA256:ECDHE-ECDSA-AES128-SHAkEDH+AESGCM:ECDHE-RSA-AES128-SHASHA256:ECDHE-ECDSA-AES256AES128-SHASHA256:ECDHE-RSA-AES256AES128-SHA:ECDHE-ECDSA-AES128-SHA256SHA:ECDHE-RSA-AES128AES256-SHA256SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHASHA256:DHE-RSA-AES256AES128-SHA:DHE-RSADSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128DHE-GCMDSS-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256DHE-SHA:AES128RSA-SHA256:AES256-SHA256:AES+DSS:CAMELLIA:SEEDSHA:ECDHE-ECDSARSA-DES-CBC3-SHA:ECDHE-RSAECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:3DESHIGH:IDEA:+DSSSEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!SRPaDH:!aECDH:!KRB5EDH-DSS-DES-CBC3-SHA:!kDHKRB5-DES-CBC3-SHA:!kECDHSRP'''* Versions: '''TLSv1.3 (working in progress), TLSv1.2, TLSv1.1, TLSv1, SSLv3'''* TLS curves: '''X25519 (with OpenSSL 1.1.0+)prime256v1, prime256v1secp384r1, secp521r1, secp384r1'''
* Certificate type: '''RSA'''
* Certificate curve: '''N/A'None'''
* Certificate signature: '''sha256WithRSAEncryption'''
* RSA key size: '''2048'''
* DH Parameter size: '''1024'''
* ECDH Parameter size: '''256'''
* HSTS: '''max-age=15768000'''
* Certificate switching: '''sha1WithRSAEncryption'''
<source>
0xCC,0xA9 0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305ChaCha20(256) Mac=AEAD 0xCC,0xA8 0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305ChaCha20(256) Mac=AEAD 0xC0,0x2B 0x2F - ECDHE-ECDSARSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2F 0x2B - ECDHE-RSAECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA ECDSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x2C 0x30 - ECDHE-ECDSARSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA RSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x30 0x2C - ECDHE-RSAECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ECDSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x9F 0xA2 - DHE-RSADSS-AES256AES128-GCM-SHA384 SHA256 TLSv1.2 Kx=DH Au=RSA DSS Enc=AESGCM(256128) Mac=AEAD 0xC00x00,0x09 0xA3 - DHE- ECDHEDSS-ECDSAAES256-AES128GCM-SHA SHA384 TLSv1.2 SSLv3 Kx=ECDH DH Au=ECDSA DSS Enc=AESAESGCM(128256) Mac=SHA1AEAD 0xC00x00,0x13 0x9F - ECDHE DHE-RSA-AES128AES256-GCM-SHA SSLv3 SHA384 TLSv1.2 Kx=ECDH DH Au=RSA Enc=AESAESGCM(128256) Mac=SHA1AEAD 0xC0,0x0A 0x27 - ECDHE-ECDSARSA-AES256AES128-SHA SHA256 TLSv1.2 SSLv3 Kx=ECDH Au=ECDSA RSA Enc=AES(256128) Mac=SHA1SHA256 0xC0,0x14 0x23 - ECDHE-RSAECDSA-AES256AES128-SHA SSLv3 KxSHA256 TLSv1.2 Kx=ECDH Au=RSA ECDSA Enc=AES(256128) Mac=SHA1SHA256 0xC0,0x23 0x13 - ECDHE-ECDSARSA-AES128-SHA256 TLSv1.2 SHA SSLv3 Kx=ECDH Au=ECDSA RSA Enc=AES(128) Mac=SHA256SHA1 0xC0,0x27 0x09 - ECDHE-RSAECDSA-AES128-SHA256 TLSv1.2 SHA SSLv3 Kx=ECDH Au=RSA ECDSA Enc=AES(128) Mac=SHA256SHA1 0xC0,0x24 0x28 - ECDHE-ECDSARSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA RSA Enc=AES(256) Mac=SHA384 0xC0,0x28 0x24 - ECDHE-RSAECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA ECDSA Enc=AES(256) Mac=SHA384 0x000xC0,0x33 0x14 - DHE ECDHE-RSA-AES128AES256-SHA SSLv3 Kx=DH ECDH Au=RSA Enc=AES(128256) Mac=SHA1 0x000xC0,0x39 0x0A - DHE ECDHE-RSAECDSA-AES256-SHA SSLv3 Kx=DH ECDH Au=RSA ECDSA Enc=AES(256) Mac=SHA1 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 0x00,0x6B 0x33 - DHE-RSA-AES256AES128-SHA256 TLSv1.2 SHA SSLv3 Kx=DH Au=RSA Enc=AES(256128) Mac=SHA256SHA1 0x00,0x9C 0x40 - DHE-DSS- AES128-GCM-SHA256 TLSv1.2 Kx=RSA DH Au=RSA DSS Enc=AESGCMAES(128) Mac=AEADSHA256 0x00,0x9D 0x6B - DHE-RSA- AES256-GCM-SHA384 SHA256 TLSv1.2 Kx=RSA DH Au=RSA Enc=AESGCMAES(256) Mac=AEADSHA256 0x00,0x2F 0x38 - AES128 DHE-DSS-AES256-SHA SSLv3 Kx=RSA DH Au=RSA DSS Enc=AES(128256) Mac=SHA1 0x00,0x35 0x39 - DHE-RSA- AES256-SHA SSLv3 Kx=RSA DH Au=RSA Enc=AES(256) Mac=SHA1 0x000xC0,0x3C 0x12 - AES128 ECDHE-SHA256 TLSv1.2 Kx=RSA Au-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES3DES(128168) Mac=SHA256SHA1 0x000xC0,0x3D 0x08 - AES256 ECDHE-SHA256 TLSv1.2 ECDSA-DES-CBC3-SHA SSLv3 Kx=RSA ECDH Au=RSA ECDSA Enc=AES3DES(256168) Mac=SHA256SHA1 0xC00x00,0x73 0x16 - EDH- ECDHERSA-ECDSADES-CAMELLIA256CBC3-SHA384 TLSv1.2 SHA SSLv3 Kx=ECDH DH Au=ECDSA RSA Enc=Camellia3DES(256168) Mac=SHA384SHA1 0xC00x00,0x77 0x9C - ECDHE AES128-RSAGCM-CAMELLIA256-SHA384 SHA256 TLSv1.2 Kx=ECDH RSA Au=RSA Enc=CamelliaAESGCM(256128) Mac=SHA384AEAD 0x00,0xC4 0x9D - DHE AES256-RSAGCM-CAMELLIA256-SHA256 SHA384 TLSv1.2 Kx=DH RSA Au=RSA Enc=CamelliaAESGCM(256) Mac=SHA256AEAD 0xC00x00,0x72 0x3C - ECDHE-ECDSA-CAMELLIA128 AES128-SHA256 TLSv1.2 Kx=ECDH RSA Au=ECDSA RSA Enc=CamelliaAES(128) Mac=SHA256 0xC00x00,0x76 0x3D - ECDHE-RSA-CAMELLIA128 AES256-SHA256 TLSv1.2 Kx=ECDH RSA Au=RSA Enc=CamelliaAES(128256) Mac=SHA256 0x00,0xBE 0x2F - DHE AES128-RSA-CAMELLIA128-SHA256 TLSv1.2 SHA SSLv3 Kx=DH RSA Au=RSA Enc=CamelliaAES(128) Mac=SHA256SHA1 0x00,0x88 0x35 - DHE-RSA-CAMELLIA256 AES256-SHA SSLv3 Kx=DH RSA Au=RSA Enc=CamelliaAES(256) Mac=SHA1 0x00,0x45 0x6A - DHE-RSADSS-CAMELLIA128AES256-SHA SSLv3 SHA256 TLSv1.2 Kx=DH Au=RSA DSS Enc=CamelliaAES(128256) Mac=SHA1SHA256 0x00,0xC0 0x32 - DHE- CAMELLIA256DSS-SHA256 TLSv1.2 AES128-SHA SSLv3 Kx=RSA DH Au=RSA DSS Enc=CamelliaAES(256128) Mac=SHA256SHA1 0x00,0xBA 0x0A - CAMELLIA128 DES-SHA256 TLSv1.2 CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia3DES(128168) Mac=SHA256SHA1 0x00,0x84 0x9A - CAMELLIA256 DHE-RSA-SEED-SHA SSLv3 Kx=RSA DH Au=RSA Enc=CamelliaSEED(256128) Mac=SHA1 0x00,0x41 0x99 - DHE-DSS- CAMELLIA128SEED-SHA SSLv3 Kx=RSA DH Au=RSA DSS Enc=CamelliaSEED(128) Mac=SHA1 0x000xCC,0x9A 0x15 - DHE-RSA-SEEDCHACHA20-SHA SSLv3 Kx=DH POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=SEEDChaCha20(128256) Mac=SHA1AEAD 0x000xC0,0x96 0x77 - SEED ECDHE-SHA SSLv3 Kx=RSA -CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=SEEDCamellia(128256) Mac=SHA1SHA384 0xC0,0x08 0x73 - ECDHE-ECDSA-DESCAMELLIA256-CBC3-SHA SSLv3 SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=3DESCamellia(168256) Mac=SHA1SHA384 0xC00x00,0x12 0xC4 - ECDHE DHE-RSA-DESCAMELLIA256-CBC3-SHA SHA256 TLSv1.2 SSLv3 Kx=ECDH DH Au=RSA Enc=3DESCamellia(168256) Mac=SHA1SHA256 0x00,0x16 0xC3 - DHE-RSADSS-DESCAMELLIA256-CBC3-SHA SSLv3 SHA256 TLSv1.2 Kx=DH Au=RSA DSS Enc=3DESCamellia(168256) Mac=SHA1SHA256 0x00,0x0A 0x88 - DHE- DESRSA-CBC3CAMELLIA256-SHA SSLv3 Kx=RSA DH Au=RSA Enc=3DESCamellia(168256) Mac=SHA1 0x00,0x07 0x87 - IDEA DHE-DSS-CBCCAMELLIA256-SHA SSLv3 Kx=RSA DH Au=RSA DSS Enc=IDEACamellia(128256) Mac=SHA1 0x00,0xA3 0xC0 - DHE CAMELLIA256-DSS-AES256-GCM-SHA384 SHA256 TLSv1.2 Kx=DH RSA Au=DSS RSA Enc=AESGCMCamellia(256) Mac=AEADSHA256 0x00,0xA2 0x84 - DHE CAMELLIA256-DSS-AES128-GCM-SHA256 TLSv1.2 SHA SSLv3 Kx=DH RSA Au=DSS RSA Enc=AESGCMCamellia(128256) Mac=AEADSHA1 0x000xC0,0x6A 0x76 - DHE ECDHE-DSSRSA-AES256CAMELLIA128-SHA256 TLSv1.2 Kx=DH ECDH Au=DSS RSA Enc=AESCamellia(256128) Mac=SHA256 0x000xC0,0x40 0x72 - DHE ECDHE-DSSECDSA-AES128CAMELLIA128-SHA256 TLSv1.2 Kx=DH ECDH Au=DSS ECDSA Enc=AESCamellia(128) Mac=SHA256 0x00,0x38 0xBE - DHE-DSSRSA-AES256CAMELLIA128-SHA SHA256 SSLv3 TLSv1.2 Kx=DH Au=DSS RSA Enc=AESCamellia(256128) Mac=SHA1SHA256 0x00,0x32 0xBD - DHE-DSS-AES128CAMELLIA128-SHA SHA256 SSLv3 TLSv1.2 Kx=DH Au=DSS Enc=AESCamellia(128) Mac=SHA1SHA256 0x00,0xC3 0x45 - DHE-DSSRSA-CAMELLIA256CAMELLIA128-SHA256 TLSv1.2 SHA SSLv3 Kx=DH Au=DSS RSA Enc=Camellia(256128) Mac=SHA256SHA1 0x00,0xBD 0x44 - DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA256SHA1 0x00,0x87 0xBA - DHE CAMELLIA128-DSS-CAMELLIA256-SHA SSLv3 SHA256 TLSv1.2 Kx=DH RSA Au=DSS RSA Enc=Camellia(256128) Mac=SHA1SHA256 0x00,0x44 - DHE-DSS0x41 - CAMELLIA128-SHA SSLv3 Kx=DH RSA Au=DSS RSA Enc=Camellia(128) Mac=SHA1 0x00,0x99 - DHE-DSS0x96 - SEED-SHA SSLv3 Kx=DH RSA Au=DSS RSA Enc=SEED(128) Mac=SHA1 0x00,0x13 - DHE-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
</source>
Rationale:
* You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.
* SSLv3 is enabled to support IE6 WinXP SP2 clients on Windows XPIE.* SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide a SHA1 certs to old clients (such as Windows XP pre-SP3), and SHA256 certs to all others. More information in the "Certificates Switching" section later in this document.
* Most ciphers that are not clearly broken and dangerous to use are supported
* eNULL contains null-encryption ciphers (cleartext)
* EXPORT are legacy weak ciphers that were marked as exportable by US law
* RC4 contains ciphers that use the deprecated RC4 ARCFOUR algorithm
* DES contains ciphers that use the deprecated Data Encryption Standard
* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated
* MD5 contains all the ciphers that use the deprecated Message Digest message digest 5 as the hashing algorithm* kDH and kECDH contain static DH/ECDH for key exchange which is rarely used
= Forward Secrecy =
Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:
* Android < 3.0.0
* Java < 7
* OpenSSL < 1.0.0
Antispam, confirm
97
edits

Navigation menu