|
|
(15 intermediate revisions by 5 users not shown) |
Line 2: |
Line 2: |
| <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | {{taggedSection
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html TLS Cipher String Cheat Sheet] to see the latest version of the cheat sheet. |
− | | type=tbd
| |
− | | comment=This page is going to be a new Cheet Sheet, soon.
| |
− | }}
| |
− | | |
− | = Introduction =
| |
− | __TOC__{{TOC hidden}}
| |
− | | |
− | This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.
| |
− | | |
− | =Recommendations for a cipher string=
| |
− | ==Secenarios==
| |
− | The cipher strings are based on the recommendation to setup your policy to get a whitelist for yours ciphers as described in [[Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers|the Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers)]]. The recommened cipher strings are based on the different scenarios:
| |
− | * <b>OWASP Cipher String 'A+'</b> (Advanced+, limited compatibility, e.g. to more recent browser versions)
| |
− | :* Recommended if you control the server and the clients (e.g. by approvement) and if you check the compatibility before using it
| |
− | :* Includes solely the strongest perfect forward secrecy (PFS) ciphers
| |
− | :* Protocol: TLSv1.2 (and above)
| |
− | * <b>OWASP Cipher String 'A'</b> (Advanced, wider compatibility, e.g. to most newer browser versions)
| |
− | :* Recommended if you control the server and the clients (e.g. by approvement) if the 'A+' string does not work, make sure to check the compatibility before using it
| |
− | :* includes solely the stronger PFS ciphers
| |
− | :* Protocol: TLSv1.2 (and above)
| |
− | * <b>OWASP Cipher String 'B'</b> (Broad compatibility to browsers, check the compatibility to other protocols before using it, e.g. IMAPS)
| |
− | :* Recommended if you solely control the server and the clients use their browsers and if you check the compatibility before using it for other protocols than https
| |
− | :* Includes solely PFS ciphers
| |
− | :* Be aware of additional risks and of new vulnerabilities that may appear are more likely than above
| |
− | :* Plan to phase out SHA-1 and TLSv1/TLSv1.1 for https in middle-term
| |
− | :* Protocol: TLSv1.0/better TLSv1.1 (and above)
| |
− | * <b>OWASP Cipher String 'C'</b> (Widest Compatibility, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS)
| |
− | :* You may use this if you solely control the server and your clients use elder browsers and other elder libraries or if you use other protocols than https
| |
− | :* Be aware of the existing risks and of new vulnerabilities that may appear more likely
| |
− | :* PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
| |
− | :* Plan to move to 'A' for https or at least 'B' otherwise in middle-term
| |
− | :* Protocol: TLSv1.0 (and above)
| |
− | * <b>OWASP Cipher String 'C-'</b> (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP)
| |
− | :* Take care, use this cipher string only if you are forced to support DES (=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https
| |
− | :* Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely
| |
− | :* PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
| |
− | :* Plan to move at least to 'C' in a short-term
| |
− | :* Protocol: TLSv1.0 (and above)
| |
− | | |
− | ==Table of the ciphers (and their priority high: 1.. up to 19 (low))==
| |
− | {| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: center; font-size:84%;"
| |
− | |- style="font-size: 119%; background-color:#DCDCDC;"
| |
− | ! style="text-align:left;" |Cipher-Name: <br> IANA, [openssl]
| |
− | ! style="width: 8%;" | Cipher-Hex-Wert
| |
− | ! style="width:11%;" | Advanced+ (A+)
| |
− | ! style="width:11%;" | Advanced (A)
| |
− | ! style="width:11%;" | Broad <br> Compatibility (B)
| |
− | ! style="width:11%;" | Widest <br> Compatibility (C)
| |
− | ! style="width:11%;" | Legacy (C-)
| |
− | |- style="background-color:#B9FFC5;"
| |
− | <!--- | IANA, <br> [openssl] || Hex || A+ || A || B || C || C- ---->
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, <br> [DHE-RSA-AES256-GCM-SHA384] || 0x009f || 1 || 1 || 1 || 1 || 1
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, <br> [DHE-RSA-AES128-GCM-SHA256] || 0x009e || 2 || 2 || 2 || 2 || 2
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, <br> [ECDHE-RSA-AES256-GCM-SHA384] || 0xc030 || 3 || 3 || 3 || 3 || 3
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, <br> [ECDHE-RSA-AES128-GCM-SHA256] || 0xc02f || 4 || 4 || 4 || 4 || 4
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, <br> [DHE-RSA-AES256-SHA256] || 0x006b || || 5 || 5 || 5 || 5
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, <br> [DHE-RSA-AES128-SHA256] || 0x0067 || || 6 || 6 || 6 || 6
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, <br> [ECDHE-RSA-AES256-SHA384] || 0xc028 || || 7 || 7 || 7 || 7
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, <br> [ECDHE-RSA-AES128-SHA256] || 0xc027 || || 8 || 8 || 8 || 8
| |
− | |-
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, <br> [ECDHE-RSA-AES256-SHA] || 0xc014 || || || 9 || 9 || 9
| |
− | |-
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, <br> [ECDHE-RSA-AES128-SHA] || 0xc013 || || || 10 || 10 || 10
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_256_GCM_SHA384, <br> [AES256-GCM-SHA384] || 0x009d || || || || 11 || 11
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_128_GCM_SHA256, <br> [AES128-GCM-SHA256] || 0x009c || || || || 12 || 12
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA256, <br> [AES256-SHA256] || 0x003d || || || || 13 || 13
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA256, <br> [AES128-SHA256] || 0x003c || || || || 14 || 14
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA, <br> [AES256-SHA] || 0x0035 || || || || 15 || 15
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA, <br> [AES128-SHA] || 0x002f || || || || 16 || 16
| |
− | |- style="background-color:#FFFF88;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_3DES_EDE_CBC_SHA, <br> [DES-CBC3-SHA] || 0x000a || || || || || 17
| |
− | |-
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA, <br> [DHE-RSA-AES256-SHA] || 0x0039 || || || 11 || 17 || 18
| |
− | |-
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA, <br> [DHE-RSA-AES128-SHA] || 0x0033 || || || 12 || 18 || 19
| |
− | |}
| |
− | <b>Remarks:</b><br>- Elder versions of Internet-Explorer- and Java do <u>not</u> support Diffie-Hellman parameters >1024 bit. So the ciphers 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' and 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' were moved to the end to prevent possible incompatibility issues. Other Option: Do not offer these Ciphers at all.<br/>
| |
− | ==Examples for cipher strings==
| |
− | * OpenSSL
| |
− | ::{| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: left; font-size:84%;"
| |
− | |- style="font-size: 119%; background-color:#EAECF0;"
| |
− | !Cipher-String || OpennSSL-Syntax
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="font-size: 119%;"| <b>Advanced+ (A+)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="font-size: 119%;"| <b>Advanced (A)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
| |
− | |-
| |
− | | style="font-size: 119%;"| <b>Broad Compatibility (B)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="font-size: 119%;"| <b>Widest Compatibility (C)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
| |
− | |- style="background-color:#FFFF88;"
| |
− | | style="font-size: 119%;"| <b>Legacy (C-)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
| |
− | |}
| |
− | = At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers =
| |
− | * Use solely secure and server initiated renegotiation
| |
− | * Disable Compression
| |
− | * Check the configuration for all virtual Hosts
| |
− | * If you use Server Name Indication (SNI), verify which virtual server is your default server. Ancient browsers, OSs or runtime environments without SNI support can only reach this server
| |
− | * Use only the TLS/SSL extensions that you really need, e.g. deactivate haert beat (see [http://heartbleed.com Heartbleed]), do not activate insecure or untested drafts for extensions e.g. additional random, opaque PRF input (see. [http://dualec.org/DualECTLS.pdf DualECTLS])
| |
− | * Set reasonable HTML Tags <!----------------- TBD TBD ---------------->
| |
− | | |
− | =Example configs=
| |
− | ==Apache==
| |
− | * Cipher String 'A':
| |
− | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
− | SSLProtocol +TLSv1.2 # for Cipher-String 'A+', 'A'<br>
| |
− | <nowiki>#</nowiki>SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 # for Cipher-String 'B', 'C', 'C-'<br>
| |
− | SSLCompression off <br>
| |
− | SSLHonorCipherOrder on <br>
| |
− | SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'<br>
| |
− | <nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES'
| |
− | {{Top_10_2010:ExampleEndTemplate}}
| |
− | <b>Remarks:</b><br>- The cipher string is compiled as a whitelist of individual ciphers to get a better compatibility even with old versions of OpenSSL.<br/>- Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU abt 2.4 times more than ECDHE, cf. [http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks Vincent Bernat, 2011], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html nmav's Blog, 2011].
| |
− | | |
− | * Verify your cipher string using your crypto library, e.g. openssl using cipher string 'A':
| |
− | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
− | openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"<br>
| |
− | <nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL<br>
| |
− | <nowiki>#</nowiki>use openssl ciphers -v "..." for openssl < 1.0.1:
| |
− | <small>
| |
− | 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
| |
− | 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
| |
− | 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
| |
− | 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
| |
− | 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
| |
− | 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
| |
− | 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
| |
− | 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
| |
− | </small>
| |
− | {{Top_10_2010:ExampleEndTemplate}}
| |
− | <b>CAUTION</b>: You need a newer version of OpenSSL to use this cipher string!<br/>
| |
− | | |
− | <br/><br/>
| |
− | | |
− | =Related Articles=
| |
− | | |
− | * [[Transport Layer Protection Cheat Sheet|OWASP: Transport Layer Protection Cheat Sheet]]
| |
− | | |
− | <br/><br/>
| |
− | | |
− | = Authors and Primary Editors =
| |
− | {{Template:Contact | name = Torsten Gigler | email [email protected] | username = T.Gigler}}<br/> | |
− | {{Template:Contact | name = Achim Hoffmann | email [email protected] | username = Achim}}<br/> | |
− | | |
− | <br/>
| |
− | == Other Cheatsheets ==
| |
− | | |
− | {{Cheatsheet_Navigation_Body}}
| |
− | | |
− | <!-----[[Category:Cheatsheets]]
| |
− | [[Category:OWASP Best Practices]] ----->
| |