Changes

Security/Server Side TLS

690 bytes added, 22:47, 16 May 2023
Update to commit 7a81eec5519983e1408cafe4936b4f85ae6a0997
* Cipher preference: '''client chooses'''
<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<source>
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
* Cipher suites (TLS 1.3): '''TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'''
* Cipher suites (TLS 1.2): '''ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'''
* Protocols: '''TLS 1.2, TLS 1.3'''
* TLS curves: '''X25519, prime256v1, secp384r1'''
* Cipher preference: '''client chooses'''
<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<source>
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
</source>
* Cipher preference: '''server chooses'''
<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<source>
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
= JSON version of the recommendations =
<p style="max-width: 60em;">Mozilla also maintains [https://ssl-config.mozilla.org/guidelines/5.67.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.</p>
<p style="max-width: 60em;">We also maintain a [https://ssl-config.mozilla.org/guidelines/latest.json rolling version] of these recommendations, with the caveat that they may change '''without warning''' and '''without providing backwards compatibility'''. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://ssl-config.mozilla.org/guidelines/5.67.json version-specific file] instead.</p>
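Review bot: The versioned link in both paragraphs of the JSON section points at guidelines/5.67.json, while the Version History rows visible in this same change list 5.5, 5.6 and 5.7 and no 5.67. Please confirm the filename matches the version this commit publishes. The text promises that this location is permanent and recommends it over latest.json for scripts, so a wrong number here would point automation at a file that may not exist.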
= Version History =
! Editor
! Changes
|-
| style="text-align: center;" | 5.7
| style="text-align: center;" | Gene Wood
| Add DHE-RSA-CHACHA20-POLY1305 cipher to the Intermediate configuration
|-
| style="text-align: center;" | 5.6
| style="text-align: center;" | April King
| Fixed incorrect cipher ordering for the Intermediate configuration
|-
| style="text-align: center;" | 5.5