
Security/Server Side TLS

481 bytes added, 18:07, 30 September 2019
Minor note about IE11 on Windows 2008R2
** All cipher suites are forward secret and authenticated
** TLS 1.2 is the minimum supported protocol, as recommended by RFC 7525, PCI DSS, and others
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** Windows XP (including all embedded versions) is no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
** Administrators needing to provide access to IE 11 on Windows Server 2008 R2 and who are unable to switch to or add ECDSA certificates can add <tt>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</tt>
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation
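
The rationale above can be turned into a configuration check. The following is an added example, not part of the original wiki page: it lints a minimum protocol version and a list of IANA cipher suite names against these bullets. The function names and the sample list are constructed for illustration, and reading "authenticated" as AEAD (GCM, CCM or ChaCha20-Poly1305) is an assumption.

```python
DISABLED_FAMILIES = ("ARIA", "CAMELLIA", "3DES", "SEED")  # named in the rationale
IE11_FALLBACK = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"      # the one documented add-on
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")  # assumption: "authenticated" = AEAD


def audit_suite(name):
    """Return the rationale points that one IANA suite name violates."""
    if name == IE11_FALLBACK:
        return ["documented IE 11 / Server 2008 R2 fallback (CBC, not AEAD)"]
    findings = []
    # TLS 1.3 names carry no key exchange; that protocol always uses (EC)DHE.
    if "_WITH_" in name:
        key_exchange = name.split("_WITH_")[0]
        if not key_exchange.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append("not forward secret")
    for family in DISABLED_FAMILIES:
        if family in name:
            findings.append(f"disabled family: {family}")
    if not any(marker in name for marker in AEAD_MARKERS):
        findings.append("not AEAD")
    return findings


def audit_config(min_protocol, suites):
    """Map each offending item to its findings; an empty dict means compliant."""
    report = {}
    if PROTOCOLS.index(min_protocol) < PROTOCOLS.index("TLSv1.2"):
        report["min_protocol"] = [f"{min_protocol} is below TLSv1.2"]
    for suite in suites:
        findings = audit_suite(suite)
        if findings:
            report[suite] = findings
    return report


# Constructed sample configuration, not taken from the page.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
]

if __name__ == "__main__":
    for item, findings in audit_config("TLSv1.1", SAMPLE).items():
        print(item, "->", "; ".join(findings))
```
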
! Editor
! Changes
| style="text-align: center;" | 5.0.1
| style="text-align: center;" | April King
| Add note about IE 11 on Windows Server 2008 R2
| style="text-align: center;" | 5.0