This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "TLS Cipher String Cheat Sheet"
m (editorial cahange: table of the ciphers (and their priority from high (1) to low (e.g. 19)) |
m (redactional change: typos; added HSTS) |
||
Line 38: | Line 38: | ||
:* Protocol: TLSv1.0 (and above) | :* Protocol: TLSv1.0 (and above) | ||
* <b>OWASP Cipher String 'C-'</b> (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP) | * <b>OWASP Cipher String 'C-'</b> (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP) | ||
− | :* Take care, use this cipher string only if you are forced to support | + | :* Take care, use this cipher string only if you are forced to support 3DES(=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https |
:* Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely | :* Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely | ||
:* PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues) | :* PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues) | ||
Line 114: | Line 114: | ||
= At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers = | = At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers = | ||
* Use solely secure and server initiated renegotiation | * Use solely secure and server initiated renegotiation | ||
− | * Disable | + | * Disable compression |
− | * Check the configuration for all virtual | + | * Check the configuration for all virtual hosts |
− | * If you use Server Name Indication (SNI), verify which virtual server is your default server. Ancient browsers, OSs or runtime environments without SNI support can only reach this server | + | * If you use 'Server Name Indication' (SNI), verify which virtual server is your default server. Ancient browsers, OSs or runtime environments without SNI support can only reach this server |
− | * Use only the TLS/SSL extensions that you really need, e.g. deactivate | + | * Use only the TLS/SSL extensions that you really need, e.g. deactivate heart beat (see [http://heartbleed.com Heartbleed]), do not activate insecure or untested drafts for extensions e.g. additional random, opaque PRF input (see. [http://dualec.org/DualECTLS.pdf DualECTLS]) |
− | * Set reasonable HTML | + | * Set reasonable HTML Headers, e.g. [[HTTP Strict Transport Security|HTTP Strict Transport Security (HSTS)]] |
+ | <!----------------- TBD TBD ----------------> | ||
=Example configs= | =Example configs= |
Revision as of 13:17, 25 September 2017
Last revision (mm/dd/yy): 09/25/2017
Comment: This page is going to be a new Cheet Sheet, soon.
Introduction
This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.
Recommendations for a cipher string
Secenarios
The cipher strings are based on the recommendation to setup your policy to get a whitelist for yours ciphers as described in the Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers). The recommened cipher strings are based on the different scenarios:
- OWASP Cipher String 'A+' (Advanced+, limited compatibility, e.g. to more recent browser versions)
- Recommended if you control the server and the clients (e.g. by approvement) and if you check the compatibility before using it
- Includes solely the strongest perfect forward secrecy (PFS) ciphers
- Protocol: TLSv1.2 (and above)
- OWASP Cipher String 'A' (Advanced, wider compatibility, e.g. to most newer browser versions)
- Recommended if you control the server and the clients (e.g. by approvement) if the 'A+' string does not work, make sure to check the compatibility before using it
- includes solely the stronger PFS ciphers
- Protocol: TLSv1.2 (and above)
- OWASP Cipher String 'B' (Broad compatibility to browsers, check the compatibility to other protocols before using it, e.g. IMAPS)
- Recommended if you solely control the server and the clients use their browsers and if you check the compatibility before using it for other protocols than https
- Includes solely PFS ciphers
- Be aware of additional risks and of new vulnerabilities that may appear are more likely than above
- Plan to phase out SHA-1 and TLSv1/TLSv1.1 for https in middle-term
- Protocol: TLSv1.0/better TLSv1.1 (and above)
- OWASP Cipher String 'C' (Widest Compatibility, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS)
- You may use this if you solely control the server and your clients use elder browsers and other elder libraries or if you use other protocols than https
- Be aware of the existing risks and of new vulnerabilities that may appear more likely
- PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
- Plan to move to 'A' for https or at least 'B' otherwise in middle-term
- Protocol: TLSv1.0 (and above)
- OWASP Cipher String 'C-' (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP)
- Take care, use this cipher string only if you are forced to support 3DES(=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https
- Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely
- PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
- Plan to move at least to 'C' in a short-term
- Protocol: TLSv1.0 (and above)
Table of the ciphers (and their priority from high (1) to low (e.g. 19))
Cipher-Name: IANA, [openssl] |
Cipher-Hex-Wert | Advanced+ (A+) | Advanced (A) | Broad Compatibility (B) |
Widest Compatibility (C) |
Legacy (C-) |
---|---|---|---|---|---|---|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, [DHE-RSA-AES256-GCM-SHA384] |
0x009f | 1 | 1 | 1 | 1 | 1 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, [DHE-RSA-AES128-GCM-SHA256] |
0x009e | 2 | 2 | 2 | 2 | 2 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, [ECDHE-RSA-AES256-GCM-SHA384] |
0xc030 | 3 | 3 | 3 | 3 | 3 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, [ECDHE-RSA-AES128-GCM-SHA256] |
0xc02f | 4 | 4 | 4 | 4 | 4 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, [DHE-RSA-AES256-SHA256] |
0x006b | 5 | 5 | 5 | 5 | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, [DHE-RSA-AES128-SHA256] |
0x0067 | 6 | 6 | 6 | 6 | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, [ECDHE-RSA-AES256-SHA384] |
0xc028 | 7 | 7 | 7 | 7 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, [ECDHE-RSA-AES128-SHA256] |
0xc027 | 8 | 8 | 8 | 8 | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, [ECDHE-RSA-AES256-SHA] |
0xc014 | 9 | 9 | 9 | ||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, [ECDHE-RSA-AES128-SHA] |
0xc013 | 10 | 10 | 10 | ||
TLS_RSA_WITH_AES_256_GCM_SHA384, [AES256-GCM-SHA384] |
0x009d | 11 | 11 | |||
TLS_RSA_WITH_AES_128_GCM_SHA256, [AES128-GCM-SHA256] |
0x009c | 12 | 12 | |||
TLS_RSA_WITH_AES_256_CBC_SHA256, [AES256-SHA256] |
0x003d | 13 | 13 | |||
TLS_RSA_WITH_AES_128_CBC_SHA256, [AES128-SHA256] |
0x003c | 14 | 14 | |||
TLS_RSA_WITH_AES_256_CBC_SHA, [AES256-SHA] |
0x0035 | 15 | 15 | |||
TLS_RSA_WITH_AES_128_CBC_SHA, [AES128-SHA] |
0x002f | 16 | 16 | |||
TLS_RSA_WITH_3DES_EDE_CBC_SHA, [DES-CBC3-SHA] |
0x000a | 17 | ||||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, [DHE-RSA-AES256-SHA] |
0x0039 | 11 | 17 | 18 | ||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, [DHE-RSA-AES128-SHA] |
0x0033 | 12 | 18 | 19 |
Remarks:
- Elder versions of Internet-Explorer- and Java do not support Diffie-Hellman parameters >1024 bit. So the ciphers 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' and 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' were moved to the end to prevent possible incompatibility issues. Other Option: Do not offer these Ciphers at all.
Examples for cipher strings
- OpenSSL
Cipher-String OpennSSL-Syntax Advanced+ (A+) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 Advanced (A) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 Broad Compatibility (B) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA Widest Compatibility (C) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA Legacy (C-) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers
- Use solely secure and server initiated renegotiation
- Disable compression
- Check the configuration for all virtual hosts
- If you use 'Server Name Indication' (SNI), verify which virtual server is your default server. Ancient browsers, OSs or runtime environments without SNI support can only reach this server
- Use only the TLS/SSL extensions that you really need, e.g. deactivate heart beat (see Heartbleed), do not activate insecure or untested drafts for extensions e.g. additional random, opaque PRF input (see. DualECTLS)
- Set reasonable HTML Headers, e.g. HTTP Strict Transport Security (HSTS)
Example configs
Apache
- Cipher String 'A':
SSLProtocol +TLSv1.2 # for Cipher-String 'A+', 'A'
#SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 # for Cipher-String 'B', 'C', 'C-'
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
#add optionally ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES'
Remarks:
- The cipher string is compiled as a whitelist of individual ciphers to get a better compatibility even with old versions of OpenSSL.
- Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU abt 2.4 times more than ECDHE, cf. Vincent Bernat, 2011, nmav's Blog, 2011.
- Verify your cipher string using your crypto library, e.g. openssl using cipher string 'A':
openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
#add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL
#use openssl ciphers -v "..." for openssl < 1.0.1:
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
CAUTION: You need a newer version of OpenSSL to use this cipher string!
Related Articles
Authors and Primary Editors
Torsten Gigler @
Achim Hoffmann @
Other Cheatsheets