OpenSSL Ciphers

Facebook
Google+
https://www.neblink.net/openssl-ciphers/
Twitter

Yet another article about why my cipher string is better than yours.

(updated: Nov 12, 2018)

There are several very good articles about hardening OpenSSL ciphers. Over the years I’ve combined lessons learned from others, my own research of standards and best practices, and my own real-life experiences to come up with the OpenSSL cipher string that I’ve found works best. My goal with this string is to provide the best security while minimizing the length of the string and not include cipher suites that are unnecessary or would be ignored due to certificate type or browser compatibility. 

The String

AESGCM+EECDH+AES128:AESGCM+EECDH:AESGCM+EDH+AES128:AESGCM+EDH:EECDH+AES128:EECDH+AES:EDH+AES128:EDH+AES:!SHA1:!DSS:!ECDSA:!AESCCM

You can test is on your OpenSSL installation

openssl ciphers -v 'AESGCM+EECDH+AES128:AESGCM+EECDH:AESGCM+EDH+AES128:AESGCM+EDH:EECDH+AES128:EECDH+AES:EDH+AES128:EDH+AES:!SHA1:!DSS:!ECDSA:!AESCCM'

It should result in the following cipher suites in this order:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256

Prioritization Logic

  • Only PFS cipher suites. ECDHE first, then DHE.
  • AESGCM ciphers are preferred over everything else.
  • AES-128 is preferred to AES-256. AES-256 provides little improvement to security, while AES-128 is faster making it less taxing in virtual server environments and more resistant to timing attacks.
  • SHA1 ciphers are no longer used since it is not support by TLSv1.2.
  • Only use RSA authenticated cipher suites. Most websites use RSA certificates. EC certificate websites are a more complicated setup and not the target of this article.
  • AESCCM was introduced in OpenSSL version 1.1.0. Ideally it would be preferred right after AESGCM, but none of the modern browsers currently use it so we will disable it in keeping with the goal of not presenting ignored ciphers.

Apache

SSLEngine on
SSLProtocol -All +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite AESGCM+EECDH+AES128:AESGCM+EECDH:AESGCM+EDH+AES128:AESGCM+EDH:EECDH+AES128:EECDH+AES:EDH+AES128:EDH+AES:!SHA1:!DSS:!ECDSA:!AESCCM

Nginx

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1.2;
ssl_ciphers AESGCM+EECDH+AES128:AESGCM+EECDH:AESGCM+EDH+AES128:AESGCM+EDH:EECDH+AES128:EECDH+AES:EDH+AES128:EDH+AES:!SHA1:!DSS:!ECDSA:!AESCCM;

more to come…

Facebook
Google+
https://www.neblink.net/openssl-ciphers/
Twitter