(8 intermediate revisions by 5 users not shown) |
Line 2: |
Line 2: |
| <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | {{taggedSection
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html TLS Cipher String Cheat Sheet] to see the latest version of the cheat sheet. |
− | | type=tbd
| |
− | | comment=This page is going to be a new Cheet Sheet, soon.
| |
− | }}
| |
− | | |
− | = Introduction =
| |
− | __TOC__{{TOC hidden}}
| |
− | | |
− | This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.
| |
− | | |
− | =Recommendations for a cipher string=
| |
− | ==Secenarios==
| |
− | The cipher strings are based on the recommendation to setup your policy to get a whitelist for yours ciphers as described in the <u>[[Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers|Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers)]]</u>. The latest and strongest ciphers are solely available with TLSv1.2, older protocols don't support them.<br>We have not included any ChaCha20-Poly1305 ciphers, yet. One reason is that we haven't found various assessments yet, the other is that implementations of new ciphers may be more buggy.
| |
− |
| |
− | The recommened cipher strings are based on the different scenarios:
| |
− | * <b>OWASP Cipher String 'A+'</b> (Advanced+, limited compatibility, e.g. to more recent browser versions)
| |
− | :* Recommended if you control the server and the clients (e.g. by approvement) and if you check the compatibility before using it
| |
− | :* Includes solely the strongest perfect forward secrecy (PFS) ciphers
| |
− | :* Protocols: TLSv1.2 (and newer or better)
| |
− | * <b>OWASP Cipher String 'A'</b> (Advanced, wider compatibility, e.g. to most newer browser versions)
| |
− | :* Recommended if you control the server and the clients (e.g. by approvement) if the 'A+' string does not work, make sure to check the compatibility before using it
| |
− | :* includes solely the strongest and stronger PFS ciphers
| |
− | :* Protocols: TLSv1.2 (and newer or better)
| |
− | * <b>OWASP Cipher String 'B'</b> (Broad compatibility to browsers, check the compatibility to other protocols before using it, e.g. IMAPS)
| |
− | :* Recommended if you solely control the server, the clients use their browsers and if you check the compatibility before using it for other protocols than https
| |
− | :* Includes solely PFS ciphers
| |
− | :* Be aware of additional risks and of new vulnerabilities that may appear are more likely than above | |
− | :* Plan to phase out SHA-1 and TLSv1, TLSv1.1 for https in middle-term
| |
− | :* Protocols: TLSv1.2, TLSv1.1, TLSv1 (and newer or better)
| |
− | * <b>OWASP Cipher String 'C'</b> (Widest Compatibility, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS)
| |
− | :* You may use this if you solely control the server, your clients use elder browsers and other elder libraries or if you use other protocols than https
| |
− | :* Be aware of the existing risks and of new vulnerabilities that may appear more likely
| |
− | :* PFS ciphers are preferred, except all DHE ciphers that use SHA-1 (to prevent possible incompatibility issues caused by the length of the DHparameter)
| |
− | :* Plan to move to 'A' for https or at least 'B' otherwise in middle-term
| |
− | :* Protocols: TLSv1.2, TLSv1.1, TLSv1 (and newer or better)
| |
− | * <b>OWASP Cipher String 'C-'</b> (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP)
| |
− | :* Take care, use this cipher string only if you are forced to support 3DES(=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https
| |
− | :* Be aware of the existing risks (e.g. ciphers without PFS, ciphers with 3DES) and of new vulnerabilities that may appear the most likely
| |
− | :* <b>Never use</b> even more INSECURE or elder ciphers based on RC2, RC4, DES, MD4, MD5, EXP, EXP1024, AH, ADH, aNULL, eNULL, SEED nor IDEA
| |
− | :* PFS ciphers are preferred, except all DHE ciphers that use SHA-1 (to prevent possible incompatibility issues caused by the length of the DHparameter)
| |
− | :* Plan to move at least to 'C' in a short-term
| |
− | :* Protocols: TLSv1.2, TLSv1.1, TLSv1 (and newer or better)
| |
− | | |
− | ==Table of the ciphers (and their priority from high (1) to low (e.g. 19))==
| |
− | IANA, OpenSSL and other crypto libraries use slightly different names for the same ciphers. This table lists the names used by IANA and by openssl in brackets []. Additional you can find the unambiguously hex values defined by IANA. Mozilla offers a larger <u>[https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table cipher names correspondence table]</u>.
| |
− | {| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: center; font-size:84%;"
| |
− | |- style="font-size: 119%; background-color:#DCDCDC;"
| |
− | ! style="text-align:left;" |Cipher name: <br> IANA, [openssl]
| |
− | ! style="width: 8%;" | Cipher hex value
| |
− | ! style="width:11%;" | Advanced+ (A+)
| |
− | ! style="width:11%;" | Advanced (A)
| |
− | ! style="width:11%;" | Broad <br> Compatibility (B)
| |
− | ! style="width:11%;" | Widest <br> Compatibility (C)
| |
− | ! style="width:11%;" | Legacy (C-)
| |
− | |- style="background-color:#B9FFC5;"
| |
− | <!--- | IANA, <br> [openssl] || Hex || A+ || A || B || C || C- ---->
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, <br> [DHE-RSA-AES256-GCM-SHA384] || 0x009f || 1 || 1 || 1 || 1 || 1
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, <br> [DHE-RSA-AES128-GCM-SHA256] || 0x009e || 2 || 2 || 2 || 2 || 2
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, <br> [ECDHE-RSA-AES256-GCM-SHA384] || 0xc030 || 3 || 3 || 3 || 3 || 3
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, <br> [ECDHE-RSA-AES128-GCM-SHA256] || 0xc02f || 4 || 4 || 4 || 4 || 4
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, <br> [DHE-RSA-AES256-SHA256] || 0x006b || || 5 || 5 || 5 || 5
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, <br> [DHE-RSA-AES128-SHA256] || 0x0067 || || 6 || 6 || 6 || 6
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, <br> [ECDHE-RSA-AES256-SHA384] || 0xc028 || || 7 || 7 || 7 || 7
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, <br> [ECDHE-RSA-AES128-SHA256] || 0xc027 || || 8 || 8 || 8 || 8
| |
− | |-
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, <br> [ECDHE-RSA-AES256-SHA] || 0xc014 || || || 9 || 9 || 9
| |
− | |-
| |
− | | style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, <br> [ECDHE-RSA-AES128-SHA] || 0xc013 || || || 10 || 10 || 10
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_256_GCM_SHA384, <br> [AES256-GCM-SHA384] || 0x009d || || || || 11 || 11
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_128_GCM_SHA256, <br> [AES128-GCM-SHA256] || 0x009c || || || || 12 || 12
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA256, <br> [AES256-SHA256] || 0x003d || || || || 13 || 13
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA256, <br> [AES128-SHA256] || 0x003c || || || || 14 || 14
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA, <br> [AES256-SHA] || 0x0035 || || || || 15 || 15
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA, <br> [AES128-SHA] || 0x002f || || || || 16 || 16
| |
− | |- style="background-color:#FFFF88;"
| |
− | | style="text-align:left" | TLS_RSA_WITH_3DES_EDE_CBC_SHA, <br> [DES-CBC3-SHA] || 0x000a || || || || || 17
| |
− | |-
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA, <br> [DHE-RSA-AES256-SHA] || 0x0039 || || || 11 || 17 || 18
| |
− | |-
| |
− | | style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA, <br> [DHE-RSA-AES128-SHA] || 0x0033 || || || 12 || 18 || 19
| |
− | |}
| |
− | <b>Remarks:</b><br>- Elder versions of Internet-Explorer and Java do <b>not</b> support Diffie-Hellman parameters >1024 bit. So the ciphers 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' and 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' were moved to the end to prevent possible incompatibility issues. Other option: Delete this two ciphers from your list.<br/>
| |
− | | |
− | ==Examples for cipher strings==
| |
− | * OpenSSL
| |
− | ::{| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: left; font-size:84%;"
| |
− | |- style="font-size: 119%; background-color:#EAECF0;"
| |
− | !Cipher-String || OpenSSL-Syntax
| |
− | |- style="background-color:#B9FFC5;"
| |
− | | style="font-size: 119%;"| <b>Advanced+ (A+)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
| |
− | |- style="background-color:#E3FFE3;"
| |
− | | style="font-size: 119%;"| <b>Advanced (A)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
| |
− | |-
| |
− | | style="font-size: 119%;"| <b>Broad Compatibility (B)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
| |
− | |- style="background-color:#F4F6F8;"
| |
− | | style="font-size: 119%;"| <b>Widest Compatibility (C)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
| |
− | |- style="background-color:#FFFF88;"
| |
− | | style="font-size: 119%;"| <b>Legacy (C-)</b> || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
| |
− | |}
| |
− | = At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers =
| |
− | * Use solely secure and server initiated renegotiation
| |
− | * Disable compression on TLS/SSL level
| |
− | * Check the configuration for all virtual hosts
| |
− | * If you use 'Server Name Indication' (SNI) configure one virtual server as your default server (often this is the first virtual server). Ancient browsers, OSs or runtime environments without SNI support connect solely to this server
| |
− | * Use only the TLS/SSL extensions that you really need, e.g. deactivate heart beat (see <u>[http://heartbleed.com Heartbleed]</u>), do not activate insecure or untested drafts for extensions e.g. additional random, opaque PRF input (see. <u>[http://dualec.org/DualECTLS.pdf DualECTLS]</u>)
| |
− | * Set reasonable HTML headers, e.g. <u>[[HTTP Strict Transport Security|HTTP Strict Transport Security (HSTS)]]</u>
| |
− | * Inform yourself how to securely configure the settings for the services or hardware that you do use, e.g. <u>[https://bettercrypto.org BetterCrypto.org: Applied Crypto Hardening (DRAFT)]</u>, <u>[https://wiki.mozilla.org/Security/Server_Side_TLS Mozilla: Security/Server Side TLS]</u>. We recommend to use one of the cipher strings described above.
| |
− | | |
− | =Example configs=
| |
− | ==Apache==
| |
− | * Cipher String 'A':
| |
− | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
− | SSLProtocol +TLSv1.2 # for Cipher-String 'A+', 'A'<br>
| |
− | <nowiki>#</nowiki>SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 # for Cipher-String 'B', 'C', 'C-'<br>
| |
− | SSLCompression off <br>
| |
− | SSLHonorCipherOrder on <br>
| |
− | SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'<br>
| |
− | <nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES'
| |
− | {{Top_10_2010:ExampleEndTemplate}}
| |
− | <b>Remarks:</b><br>- The cipher string is compiled as a whitelist of individual ciphers to get a better compatibility even with old versions of OpenSSL.<br/>- Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU about 2.4 times more than ECDHE, cf. <u>[http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks Vincent Bernat, 2011]</u>, <u>[http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html nmav's Blog, 2011]</u>.
| |
− | | |
− | * Verify your cipher string using your crypto library, e.g. openssl using cipher string 'A':
| |
− | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
− | openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"<br>
| |
− | <nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL<br>
| |
− | <nowiki>#</nowiki>use openssl ciphers -v "..." for openssl < 1.0.1:
| |
− | <small>
| |
− | 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
| |
− | 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
| |
− | 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
| |
− | 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
| |
− | 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
| |
− | 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
| |
− | 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
| |
− | 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
| |
− | </small>
| |
− | {{Top_10_2010:ExampleEndTemplate}}
| |
− | <b>CAUTION</b>: You need a newer version of OpenSSL to use this cipher string!<br/>
| |
− | | |
− | <br/><br/>
| |
− | | |
− | =Related Articles=
| |
− | | |
− | * <u>[[Transport Layer Protection Cheat Sheet|OWASP: Transport Layer Protection Cheat Sheet]]</u>
| |
− | * <u>[https://bettercrypto.org BetterCrypto.org: Applied Crypto Hardening (DRAFT)]</u>
| |
− | * <u>[https://wiki.mozilla.org/Security/Server_Side_TLS Mozilla: Security/Server Side TLS]</u>
| |
− | | |
− | <br/><br/>
| |
− | | |
− | = Authors and Primary Editors =
| |
− | {{Template:Contact | name = Torsten Gigler | email [email protected] | username = T.Gigler}}<br/> | |
− | {{Template:Contact | name = Achim Hoffmann | email [email protected] | username = Achim}}<br/> | |
− | | |
− | <br/>
| |
− | == Other Cheatsheets ==
| |
− | | |
− | {{Cheatsheet_Navigation_Body}}
| |
− | | |
− | <!-----[[Category:Cheatsheets]]
| |
− | [[Category:OWASP Best Practices]] ----->
| |
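Review bot: the two added notice lines ("The Cheat Sheet Series project has been moved to ..." and "Please visit ...") carry no date and no pointer to the last wiki revision, while the removed "Last revision (mm/dd/yy)" stamp is dropped along with the rest of the body. A reader landing on this stub cannot tell when the wiki content was frozen or which revision the GitHub version started from. Suggest adding the move date or a permalink to the final wiki revision next to the notice. The change also removes {{Cheatsheet_Navigation_Body}}; consider keeping it so the stub stays reachable from the other cheat sheet pages.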