This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
TLS Cipher String Cheat Sheet
Last revision (mm/dd/yy): 04/18/2017
Comment: This page is going to be a new Cheet Sheet, soon.
Introduction
This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.
Recommendations for a cipher string
The cipher strings are based on the recommendation to setup your policy to get a whitelist for yours ciphers as described in the Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers). The recommened cipher strings are based on the different scenarios:
- OWASP Cipher String 'A+' (Advanced+, limited compatibility, e.g. to more recent browser versions)
- Recommended if you control the server and the clients (e.g. by approvement) and if you check the compatibility before using it
- Includes solely the strongest perfect forward secrecy (PFS) ciphers
- Protocol: TLSv1.2 (and above)
- OWASP Cipher String 'A' (Advanced, wider compatibility, e.g. to most newer browser versions)
- Recommended if you control the server and the clients (e.g. by approvement) if the 'A+' string does not work, make sure to check the compatibility before using it
- includes solely the stronger PFS ciphers
- Protocol: TLSv1.2 (and above)
- OWASP Cipher String 'B' (Broad compatibility)
- Recommended if you solely control the server and the clients use their browsers
- Includes solely PFS ciphers
- Be aware of additional risks and of new vulnerabilities that may appear are more likely than above
- Plan to phase out SHA-1 and TLSv1/TLSv1.1 for https in middle-term
- Protocol: TLSv1.0/better TLSv1.1 (and above)
- OWASP Cipher String 'C' (Widest Compatibility, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https , e.g. IMAPS)
- You may use this if you solely control the server and your clients use elder browsers and other elder libraries or if you use other protocols than https
- Be aware of the existing risks and of new vulnerabilities that may appear more likely
- PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
- Plan to move to 'A' for https or at least 'B' otherwise in middle-term
- Protocol: TLSv1.0 (and above)
- OWASP Cipher String 'C-' (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP)
- Take care, use this cipher string only if you are forced to support DES (=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https
- Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely
- PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
- plan to move at leastr to 'C' in a short-term
- Protocol: TLSv1.0 (and above)
- Table of the ciphers (and their priority)
Cipher-Name:
IANA, [openssl]Cipher-Hex-Wert Advanced+ (A+) Advanced (A) Broad
Compatibility (B)Widest
Compatibility (C)Legacy (C-) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
[DHE-RSA-AES256-GCM-SHA384]0x009f 1 1 1 1 1 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
[DHE-RSA-AES128-GCM-SHA256]0x009e 2 2 2 2 2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
[ECDHE-RSA-AES256-GCM-SHA384]0xc030 3 3 3 3 3 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
[ECDHE-RSA-AES128-GCM-SHA256]0xc02f 4 4 4 4 4 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
[DHE-RSA-AES256-SHA256]0x006b 5 5 5 5 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
[DHE-RSA-AES128-SHA256]0x0067 6 6 6 6 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
[ECDHE-RSA-AES256-SHA384]0xc028 7 7 7 7 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
[ECDHE-RSA-AES128-SHA256]0xc027 8 8 8 8 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
[ECDHE-RSA-AES256-SHA]0xc014 9 9 9 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
[ECDHE-RSA-AES128-SHA]0xc013 10 10 10 TLS_RSA_WITH_AES_256_GCM_SHA384,
[AES256-GCM-SHA384]0x009d 11 11 TLS_RSA_WITH_AES_128_GCM_SHA256,
[AES128-GCM-SHA256]0x009c 12 12 TLS_RSA_WITH_AES_256_CBC_SHA256,
[AES256-SHA256]0x003d 13 13 TLS_RSA_WITH_AES_128_CBC_SHA256,
[AES128-SHA256]0x003c 14 14 TLS_RSA_WITH_AES_256_CBC_SHA,
[AES256-SHA]0x0035 15 15 TLS_RSA_WITH_AES_128_CBC_SHA,
[AES128-SHA]0x002f 16 16 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
[DES-CBC3-SHA]0x000a 17 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
[DHE-RSA-AES256-SHA]0x0039 11 17 18 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
[DHE-RSA-AES128-SHA]0x0033 12 18 19
- Anmerkungen:
- Die Nummer gibt die Position der jeweiligen Priorisierung an
- Da ältere Internet-Explorer- und Java-Versionen keine Diffie-Hellman-Parameter >1024 bit unterstützen wurden die Verfahren 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' und 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' am Ende angeordnet, um Inkompatibilitäten mit Altversionen zu vermeiden; Alternative: Diese Verfahren ganz weglassen.
- Beispiel-Cipher-Strings für OpenSSL:
- Anmerkungen:
Cipher-String OpennSSL-Syntax Advanced+ (A+) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 Advanced (A) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 Broad Compatibility (B) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA Widest Compatibility (C) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA Legacy (C-) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
- TLS/SSL-Konfiguration des Webservers härten:
- nur sichere Server-initiierte Renegotiation
- keine Komprimierung
- Einstellungen aller virtuellen Server (virtualHosts) prüfen
- Bei Einsatz von Server Name Indication (SNI), prüfen, welcher Server der Default-Server ist. Alte Browser bzw. Betriebssysteme, ohne SNI-Unterstützung erreichen nur diesen!
- Prüfen der, von der installierten OpenSSL-Version unterstützten Cipher
- Reduktion der SSL-Extensions auf das notwendige Maß, z.B. Deaktivieren von Heart-Beat (vgl Heartbleed), kein Aktivieren von unsicheren Extension-DRAFTS wie z.B. Additional random, Opaque PRF Input (vgl. DualECTLS)
- Konfigurations-Beispiel für Apache inkl. Cipher String 'A':
SSLProtocol +TLSv1.2 # for Cipher-String 'A+', 'A'
#SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 # for Cipher-String 'B', 'C', 'C-'
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
#optional kann ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' ergänzt werden.
Anmerkungen: - Der Cipher-String mit den SSL-Cipher-Suites wurde als Whitelist formuliert, um die serverseitige Kompatibilität mit alten Versionen von OpenSSL zu erhöhen.
- Überwachen Sie die Performance Ihres Servers, der Verbindungsaufbau mit DHE ist ca. 2,4 Mal CPU-intensiver als mit ECDHE (vgl [Vincent Bernat, 2011], [nmav's Blog, 2011])
- Prüfen der Cipher-Einstellungen mittels openssl, z.B. Cipher-String 'A':
openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
#add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL
#use openssl ciphers -v "..." for openssl < 1.0.1:
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
CAUTION: You need a newer version of OpenSSL to use this cipher string!
Related Articles
- "Transport Layer Protection Cheat Sheet" - Transport Layer Protection Cheat Sheet
Authors and Primary Editors
Torsten Gigler @
Achim Hoffmann @
Other Cheatsheets