This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "TLS Cipher String Cheat Sheet"

From OWASP
Jump to: navigation, search
(Translated up to At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers : Set reasonable HTML Tags <!--- TBD TBD ---->)
m (Point to the official site)
 
(17 intermediate revisions by 5 users not shown)
Line 2: Line 2:
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
{{taggedSection
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html TLS Cipher String Cheat Sheet] to see the latest version of the cheat sheet.
    | type=tbd
 
    | comment=This page is going to be a new Cheet Sheet, soon.
 
}}
 
 
 
= Introduction  =
 
__TOC__{{TOC hidden}}
 
 
 
This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.
 
 
 
=Recommendations for a cipher string=
 
==Secenarios==
 
The cipher strings are based on the recommendation to setup your policy to get a whitelist for yours ciphers as described in [[Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers|the Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers)]]. The recommened cipher strings are based on the different scenarios:
 
* <b>OWASP Cipher String 'A+'</b> (Advanced+, limited compatibility, e.g. to more recent browser versions)
 
:* Recommended if you control the server and the clients (e.g. by approvement) and if you check the compatibility before using it
 
:* Includes solely the strongest perfect forward secrecy (PFS) ciphers
 
:* Protocol: TLSv1.2 (and above)
 
* <b>OWASP Cipher String 'A'</b> (Advanced, wider compatibility, e.g. to most newer browser versions)
 
:* Recommended if you control the server and the clients (e.g. by approvement) if the 'A+' string does not work, make sure to check the compatibility before using it
 
:* includes solely the stronger PFS ciphers
 
:* Protocol: TLSv1.2 (and above)
 
* <b>OWASP Cipher String 'B'</b> (Broad compatibility)
 
:* Recommended if you solely control the server and the clients use their browsers
 
:* Includes solely PFS ciphers
 
:* Be aware of additional risks and of new vulnerabilities that may appear are more likely than above
 
:* Plan to phase out SHA-1 and TLSv1/TLSv1.1 for https in middle-term 
 
:* Protocol: TLSv1.0/better TLSv1.1 (and above)
 
* <b>OWASP Cipher String 'C'</b> (Widest Compatibility, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https , e.g. IMAPS)
 
:* You may use this if you solely control the server and your clients use elder browsers and other elder libraries or if you use other protocols than https
 
:* Be aware of the existing risks and of new vulnerabilities that may appear more likely
 
:* PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
 
:* Plan to move to 'A' for https or at least 'B' otherwise in middle-term 
 
:* Protocol: TLSv1.0 (and above)
 
* <b>OWASP Cipher String 'C-'</b> (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP)
 
:* Take care, use this cipher string only if you are forced to support DES (=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https
 
:* Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely
 
:* PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
 
:* plan to move at leastr to 'C' in a short-term 
 
:* Protocol: TLSv1.0 (and above)
 
 
 
==Table of the ciphers (and their priority high: 1.. up to 19 (low))==
 
{| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: center; font-size:84%;"
 
|- style="font-size: 119%; background-color:#DCDCDC;"
 
! style="text-align:left;" |Cipher-Name: <br> IANA, [openssl]
 
! style="width: 8%;" | Cipher-Hex-Wert
 
! style="width:11%;" | Advanced+ (A+)
 
! style="width:11%;" | Advanced (A)
 
! style="width:11%;" | Broad <br> Compatibility (B)
 
! style="width:11%;" | Widest <br> Compatibility (C)
 
! style="width:11%;" | Legacy (C-)
 
|- style="background-color:#B9FFC5;"
 
<!---                    | IANA,                                  <br> [openssl]                    || Hex      || A+ ||  A ||  B ||  C ||  C- ---->
 
| style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,  <br> [DHE-RSA-AES256-GCM-SHA384]  || 0x009f  ||  1 ||  1 ||  1 ||  1 ||  1
 
|- style="background-color:#B9FFC5;"
 
| style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,  <br> [DHE-RSA-AES128-GCM-SHA256]  || 0x009e  ||  2 ||  2 ||  2 ||  2 ||  2
 
|- style="background-color:#B9FFC5;"
 
| style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, <br> [ECDHE-RSA-AES256-GCM-SHA384] || 0xc030  ||  3 ||  3 ||  3 ||  3 ||  3
 
|- style="background-color:#B9FFC5;"
 
| style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, <br> [ECDHE-RSA-AES128-GCM-SHA256] || 0xc02f  ||  4 ||  4 ||  4 ||  4 ||  4
 
|- style="background-color:#E3FFE3;"
 
| style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,  <br> [DHE-RSA-AES256-SHA256]      || 0x006b  ||    ||  5 ||  5 ||  5 ||  5
 
|- style="background-color:#E3FFE3;"
 
| style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,  <br> [DHE-RSA-AES128-SHA256]      || 0x0067  ||    ||  6 ||  6 ||  6 ||  6
 
|- style="background-color:#E3FFE3;"
 
| style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, <br> [ECDHE-RSA-AES256-SHA384]    || 0xc028  ||    ||  7 ||  7 ||  7 ||  7
 
|- style="background-color:#E3FFE3;"
 
| style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, <br> [ECDHE-RSA-AES128-SHA256]    || 0xc027  ||    ||  8 ||  8 ||  8 ||  8
 
|-
 
| style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    <br> [ECDHE-RSA-AES256-SHA]        || 0xc014  ||    ||    ||  9 ||  9 ||  9
 
|-
 
| style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    <br> [ECDHE-RSA-AES128-SHA]        || 0xc013  ||    ||    || 10 || 10 || 10
 
|- style="background-color:#F4F6F8;"
 
| style="text-align:left" | TLS_RSA_WITH_AES_256_GCM_SHA384,      <br> [AES256-GCM-SHA384]          || 0x009d  ||    ||    ||    || 11 || 11
 
|- style="background-color:#F4F6F8;"
 
| style="text-align:left" | TLS_RSA_WITH_AES_128_GCM_SHA256,      <br> [AES128-GCM-SHA256]          || 0x009c  ||    ||    ||    || 12 || 12
 
|- style="background-color:#F4F6F8;"
 
| style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA256,      <br> [AES256-SHA256]              || 0x003d  ||    ||    ||    || 13 || 13
 
|-  style="background-color:#F4F6F8;"
 
| style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA256,      <br> [AES128-SHA256]              || 0x003c  ||    ||    ||    || 14 || 14
 
|- style="background-color:#F4F6F8;"
 
| style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA,          <br> [AES256-SHA]                  || 0x0035  ||    ||    ||    || 15 || 15
 
|- style="background-color:#F4F6F8;"
 
| style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA,          <br> [AES128-SHA]                  || 0x002f  ||    ||    ||    || 16 || 16
 
|- style="background-color:#FFFF88;"
 
| style="text-align:left" | TLS_RSA_WITH_3DES_EDE_CBC_SHA,        <br> [DES-CBC3-SHA]                || 0x000a  ||    ||    ||    ||    || 17
 
|-
 
| style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      <br> [DHE-RSA-AES256-SHA]          || 0x0039  ||    ||    || 11 || 17 || 18
 
|-
 
| style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      <br> [DHE-RSA-AES128-SHA]          || 0x0033  ||    ||    || 12 || 18 || 19
 
|}
 
<b>Remarks:</b><br>- Elder versions of Internet-Explorer- and Java do <u>not</u> support Diffie-Hellman parameters >1024 bit. So the ciphers 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' and 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' were moved to the end to prevent possible incompatibility issues. Other Option: Do not offer these Ciphers at all.<br/>
 
==Examples for cipher strings==
 
* OpenSSL
 
::{| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: left; font-size:84%;"
 
|- style="font-size: 119%; background-color:#EAECF0;"
 
!Cipher-String            || OpennSSL-Syntax
 
|- style="background-color:#B9FFC5;"
 
| style="font-size: 119%;"| <b>Advanced+ (A+)</b>          || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
 
|- style="background-color:#E3FFE3;"
 
| style="font-size: 119%;"| <b>Advanced (A)</b>            || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
 
|-
 
| style="font-size: 119%;"| <b>Broad Compatibility (B)</b>  || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 
|- style="background-color:#F4F6F8;"
 
| style="font-size: 119%;"| <b>Widest Compatibility (C)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 
|- style="background-color:#FFFF88;"
 
| style="font-size: 119%;"| <b>Legacy (C-)</b>              || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 
|}
 
= At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers =
 
* use solely secure and server initiated renegotiation
 
* Disable Compression
 
* Check the configuration for all virtual Hosts
 
* If you use Server Name Indication (SNI), verify which virtual server is your default server. Ancient browsers, OSs or runtime environments without SNI support can only reach this server
 
* Use only the TLS/SSL extensions that you really need, e.g. deactivate haert beat (see [http://heartbleed.com Heartbleed]), do not activate insecure or untested drafts for extensions e.g. additional random, opaque PRF input (see. [http://dualec.org/DualECTLS.pdf DualECTLS])
 
* Set reasonable HTML Tags <!----------------- TBD TBD ---------------->
 
 
 
=Example configs=
 
==Apache==
 
* Cipher String 'A':
 
{{Top_10_2010:ExampleBeginTemplate|year=2013}}
 
SSLProtocol +TLSv1.2 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# for Cipher-String 'A+', 'A'<br>
 
<nowiki>#</nowiki>SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 # for Cipher-String 'B', 'C', 'C-'<br>
 
SSLCompression off <br>
 
SSLHonorCipherOrder on <br>
 
SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'<br>
 
<nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES'
 
{{Top_10_2010:ExampleEndTemplate}}
 
<b>Anmerkungen:</b> - Der Cipher-String mit den SSL-Cipher-Suites wurde als Whitelist formuliert, um die serverseitige Kompatibilität mit alten Versionen von OpenSSL zu erhöhen.<br/>
 
- Überwachen Sie die Performance Ihres Servers, der Verbindungsaufbau mit DHE ist ca. 2,4 Mal CPU-intensiver als mit ECDHE (vgl [http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks <nowiki>[Vincent Bernat, 2011]</nowiki>], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html <nowiki>[nmav's Blog, 2011]</nowiki>])<br/>
 
 
 
* Prüfen der Cipher-Einstellungen mittels openssl, z.B. Cipher-String 'A':
 
{{Top_10_2010:ExampleBeginTemplate|year=2013}}
 
openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"<br>
 
<nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL<br>
 
<nowiki>#</nowiki>use openssl ciphers -v "..." for openssl < 1.0.1:
 
<small>
 
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384  TLSv1.2 Kx=DH    Au=RSA  Enc=AESGCM(256) Mac=AEAD
 
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=DH    Au=RSA  Enc=AESGCM(128) Mac=AEAD
 
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(256) Mac=AEAD
 
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(128) Mac=AEAD
 
0x00,0x6B - DHE-RSA-AES256-SHA256      TLSv1.2 Kx=DH    Au=RSA  Enc=AES(256)    Mac=SHA256
 
0x00,0x67 - DHE-RSA-AES128-SHA256      TLSv1.2 Kx=DH    Au=RSA  Enc=AES(128)    Mac=SHA256
 
0xC0,0x28 - ECDHE-RSA-AES256-SHA384    TLSv1.2 Kx=ECDH  Au=RSA  Enc=AES(256)    Mac=SHA384
 
0xC0,0x27 - ECDHE-RSA-AES128-SHA256    TLSv1.2 Kx=ECDH  Au=RSA  Enc=AES(128)    Mac=SHA256
 
</small>
 
{{Top_10_2010:ExampleEndTemplate}}
 
<b>CAUTION</b>: You need a newer version of OpenSSL to use this cipher string!<br/>
 
 
 
<br/><br/>
 
 
 
=Related Articles=
 
 
 
* "Transport Layer Protection Cheat Sheet" - [[Transport Layer Protection Cheat Sheet]]
 
 
 
<br/><br/>
 
 
 
= Authors and Primary Editors  =
 
{{Template:Contact | name = Torsten Gigler | email [email protected] | username = T.Gigler}}<br/>
 
{{Template:Contact | name = Achim Hoffmann | email [email protected] | username = Achim}}<br/>
 
 
 
<br/>
 
== Other Cheatsheets ==
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
<!-----[[Category:Cheatsheets]]
 
[[Category:OWASP Best Practices]] ----->
 

Latest revision as of 14:47, 15 July 2019

Cheatsheets-header.jpg

The Cheat Sheet Series project has been moved to GitHub!

Please visit TLS Cipher String Cheat Sheet to see the latest version of the cheat sheet.