Security/Server Side TLS: Difference between revisions

m (Deploying https://github.com/mozilla/server-side-tls/pull/296)
m (Rollback to using statics, now that the file has been deployed.)
m (Deploying https://github.com/mozilla/server-side-tls/pull/296)
 
(7 intermediate revisions by 3 users not shown)
Line 71: Line 71:
|}
|}


<p style="max-width: 60em;">The ordering of cipher suites in the <span style="color: orange; font-weight: bold;">Intermediate</span> and <span style="color: gray; font-weight: bold;">Old</span> configurations is very important, as it determines the priority with which algorithms are selected.</p>
<p style="max-width: 60em;">The ordering of cipher suites in the <span style="color: gray; font-weight: bold;">Old</span> configuration is very important, as it determines the priority with which algorithms are selected.</p>


<p style="max-width: 60em;">OpenSSL will ignore cipher suites it doesn't understand, so always use the full set of cipher suites below, in their recommended order. The use of the <span style="color: gray; font-weight: bold;">Old</span> configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.</p>
<p style="max-width: 60em;">OpenSSL will ignore cipher suites it doesn't understand, so always use the full set of cipher suites below, in their recommended order. The use of the <span style="color: gray; font-weight: bold;">Old</span> configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.</p>
<p style="max-width: 60em;">Different libraries support different cipher suites and refer to them by different names. Mozilla maintains a list of [[Security/Cipher Suites|all known cipher suites]] and their corresponding names.</p>
<br style="clear: right;">
<br style="clear: right;">


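Review bot: the reworded first paragraph now says cipher suite ordering matters only for the Old configuration, but the unchanged sentence two lines further down still tells readers to "always use the full set of cipher suites below, in their recommended order" with no qualification, and the Intermediate bullets later in the page set "Cipher preference: client chooses". Qualify that sentence (for example "in the order given, which only takes effect where the server is configured to choose") so the two paragraphs do not contradict each other. The added cross-reference to Security/Cipher Suites is helpful; since the tabular lists on this page use OpenSSL names, saying so in that sentence would tell readers which column of that list to look at.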
Line 85: Line 87:
* TLS curves: '''X25519, prime256v1, secp384r1'''
* TLS curves: '''X25519, prime256v1, secp384r1'''
* HSTS: '''max-age=63072000''' (two years)
* HSTS: '''max-age=63072000''' (two years)
* Maximum certificate lifespan: '''90 days'''
* Certificate lifespan: '''90 days'''
* Cipher preference: '''client chooses'''
* Cipher preference: '''client chooses'''


<source>
<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<pre>
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)            Mac=AEAD
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)            Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)            Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)            Mac=AEAD
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
</source>
</pre>


* Rationale:
* Rationale:
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** We recommend ECDSA certificates using P-256, as P-384 provides negligable improvements to security and Ed25519 is not yet widely supported
** We recommend ECDSA certificates using P-256, as P-384 provides negligible improvements to security and Ed25519 is not yet widely supported


== <span style="color:orange;">'''Intermediate'''</span> compatibility (recommended) ==
== <span style="color:orange;">'''Intermediate'''</span> compatibility (recommended) ==
<p style="max-width: 60em;">For services that don't need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.</p>
<p style="max-width: 60em;">For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.</p>


* Cipher suites (TLS 1.3): '''TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'''
* Cipher suites (TLS 1.3): '''TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'''
* Cipher suites (TLS 1.2): '''ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'''
* Cipher suites (TLS 1.2): '''ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'''
* Protocols: '''TLS 1.2, TLS 1.3'''
* Protocols: '''TLS 1.2, TLS 1.3'''
* TLS curves: '''X25519, prime256v1, secp384r1'''
* TLS curves: '''X25519, prime256v1, secp384r1'''
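Review bot: the Modern bullet drops "Maximum" and now reads "Certificate lifespan: 90 days", which a reader can take as a fixed value rather than an upper bound; "at most 90 days" or keeping "Maximum" would avoid that and would match the Intermediate rationale bullet further down, which still calls 90 days "the recommended maximum certificate lifespan". The Intermediate TLS 1.2 string gains DHE-RSA-CHACHA20-POLY1305 at the end; with "client chooses" its position is immaterial, but the tabular OpenSSL listing and the JSON guideline file referenced later in the page need the same addition so that the three sources stay in sync (the table row is added in the next hunk, the JSON link is bumped to 5.7 in the last one).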
Line 109: Line 112:
* DH parameter size: '''2048''' (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])
* DH parameter size: '''2048''' (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])
* HSTS: '''max-age=63072000''' (two years)
* HSTS: '''max-age=63072000''' (two years)
* Maximum certificate lifespan: '''90 days''' (recommended) to '''2 years'''
* Certificate lifespan: '''90 days''' (recommended) to '''366 days'''
* Cipher preference: '''client chooses'''
* Cipher preference: '''client chooses'''


<source>
<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<pre>
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(128)            Mac=AEAD
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(128)            Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(256)            Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(256)            Mac=AEAD
Line 124: Line 128:
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)            Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)            Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)            Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)            Mac=AEAD
</source>
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
</pre>


* Rationale:
* Rationale:
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
** Administrators needing to provide access to [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=36 IE 11 on Windows Server 2008 R2] and who are unable to switch to or add ECDSA certificates can add <tt>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</tt>
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation
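Review bot: the new bullet recommending TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for IE 11 on Windows Server 2008 R2 conflicts with the first rationale bullet, which states that all cipher suites are forward secret and authenticated: that suite is ECDHE (forward secret) but CBC with HMAC-SHA1 rather than an AEAD suite, so the bullet should say explicitly that it is an exception to the AEAD-only policy, added only when that client must be supported. It is also written in IANA form while every other list on the page uses OpenSSL names; giving the OpenSSL form (ECDHE-RSA-AES128-SHA) alongside would let administrators paste it into the configuration strings above. Separately, the lifespan bullet now caps certificates at 366 days, but the visible rationale bullets only explain the 90-day recommendation; a one-line bullet pointing at the browser policy change already cited in the 5.5 version history row would explain where 366 comes from.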
Line 147: Line 153:
* DH parameter size: '''1024''' (generated with <tt>openssl dhparam 1024</tt>)
* DH parameter size: '''1024''' (generated with <tt>openssl dhparam 1024</tt>)
* HSTS: '''max-age=63072000''' (two years)
* HSTS: '''max-age=63072000''' (two years)
* Maximum certificate lifespan: '''90 days''' (recommended) to '''2 years'''
* Certificate lifespan: '''90 days''' (recommended) to '''366 days'''
* Cipher preference: '''server chooses'''
* Cipher preference: '''server chooses'''


<source>
<!-- This tabular openssl list can be produced by running "openssl ciphers -V" -->
<pre>
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(128)            Mac=AEAD
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(128)            Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(256)            Mac=AEAD
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any    Enc=AESGCM(256)            Mac=AEAD
Line 180: Line 187:
0x00,0x35  -  AES256-SHA                    SSLv3    Kx=RSA  Au=RSA    Enc=AES(256)                Mac=SHA1
0x00,0x35  -  AES256-SHA                    SSLv3    Kx=RSA  Au=RSA    Enc=AES(256)                Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                  SSLv3    Kx=RSA  Au=RSA    Enc=3DES(168)              Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                  SSLv3    Kx=RSA  Au=RSA    Enc=3DES(168)              Mac=SHA1
</source>
</pre>


* Rationale:
* Rationale:
Line 191: Line 198:
= JSON version of the recommendations =
= JSON version of the recommendations =


<p style="max-width: 60em;">Mozilla also maintains [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.</p>
<p style="max-width: 60em;">Mozilla also maintains [https://ssl-config.mozilla.org/guidelines/5.7.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.</p>


<p style="max-width: 60em;">We also maintain a [https://statics.tls.security.mozilla.org/server-side-tls-conf.json rolling version] of these recommendations, with the caveat that they may change '''without warning''' and '''without providing backwards compatibility'''. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json version-specific file] instead.</p>
<p style="max-width: 60em;">We also maintain a [https://ssl-config.mozilla.org/guidelines/latest.json rolling version] of these recommendations, with the caveat that they may change '''without warning''' and '''without providing backwards compatibility'''. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://ssl-config.mozilla.org/guidelines/5.7.json version-specific file] instead.</p>


= Version History =
= Version History =
Line 201: Line 208:
! Editor
! Editor
! Changes
! Changes
|-
| style="text-align: center;" | 5.7
| style="text-align: center;" | Gene Wood
| Add DHE-RSA-CHACHA20-POLY1305 cipher to the Intermediate configuration
|-
| style="text-align: center;" | 5.6
| style="text-align: center;" | April King
| Fixed incorrect cipher ordering for the Intermediate configuration
|-
| style="text-align: center;" | 5.5
| style="text-align: center;" | April King
| Update certificate lifespan to reflect browser policy changes
|-
| style="text-align: center;" | 5.3
| style="text-align: center;" | April King
| Bump links to point to 5.3 guidelines, since it fixes a small JSON error
|-
| style="text-align: center;" | 5.0.1
| style="text-align: center;" | April King
| Add note about IE 11 on Windows Server 2008 R2
|-
|-
| style="text-align: center;" | 5.0
| style="text-align: center;" | 5.0
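Review bot: the JSON paragraphs still claim the location "is versioned and permanent, and can be referenced in scripts and tools", yet this very change moves the links from statics.tls.security.mozilla.org to ssl-config.mozilla.org/guidelines/ (and the edit summaries show the links being rolled back and forth), so scripts that trusted the earlier wording are exactly the ones the move breaks. Either soften the permanence claim or state what happens to the old statics URLs (whether they keep resolving or redirect). The version history adds rows for 5.7, 5.6, 5.5, 5.3 and 5.0.1 but none for 5.1, 5.2 or 5.4, so the table cannot be used to trace which guideline file introduced which change; add rows for the missing versions, even if only to say the recommendations did not change.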