TLS Cipher String Cheat Sheet

From OWASP
Revision as of 22:47, 18 April 2017 by T.Gigler (talk | contribs) (TLS_Cipher_String_Cheat_Sheet: Launching this Cheat Sheet as a translation of the German OWASP Top 10 fuer Entwickler-2013/A6-Verlust der Vertraulichkeit sensibler Daten#JAVA2)


Last revision (mm/dd/yy): 04/18/2017


This section is under construction. Please help OWASP to add missing content!
Comment: This page is going to be a new Cheat Sheet soon.


Introduction

This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.

Recommendations for a cipher string

The cipher strings are based on the recommendation to set up your policy as a whitelist of your ciphers, as described in the Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers). The recommended cipher strings are based on different scenarios:

  • OWASP Cipher String 'A+' (Advanced+, limited compatibility, e.g. to more recent browser versions)
      • Recommended if you control the server and the clients (e.g. by approval) and if you check the compatibility before using it
      • Includes solely the strongest perfect forward secrecy (PFS) ciphers
      • Protocol: TLSv1.2 (and above)
  • OWASP Cipher String 'A' (Advanced, wider compatibility, e.g. to most newer browser versions)
      • Recommended if you control the server and the clients (e.g. by approval) and the 'A+' string does not work; make sure to check the compatibility before using it
      • Includes solely the stronger PFS ciphers
      • Protocol: TLSv1.2 (and above)
  • OWASP Cipher String 'B' (Broad compatibility)
      • Recommended if you solely control the server and the clients use their browsers
      • Includes solely PFS ciphers
      • Be aware of additional risks, and that new vulnerabilities are more likely to appear than with the strings above
      • Plan to phase out SHA-1 and TLSv1/TLSv1.1 for https in the medium term
      • Protocol: TLSv1.0/better TLSv1.1 (and above)
  • OWASP Cipher String 'C' (Widest compatibility: compatible with most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS)
      • You may use this if you solely control the server and your clients use older browsers and other older libraries, or if you use protocols other than https
      • Be aware of the existing risks, and that new vulnerabilities are more likely to appear
      • PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
      • Plan to move to 'A' for https, or at least to 'B' otherwise, in the medium term
      • Protocol: TLSv1.0 (and above)
  • OWASP Cipher String 'C-' (Legacy: widest compatibility with really old browsers, legacy libraries and other application protocols like SMTP)
      • Take care: use this cipher string only if you are forced to support 3DES (=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for really old clients with very old libraries, or old libraries for other protocols besides https
      • Be aware of the existing risks (e.g. ciphers without PFS or with 3DES), and that new vulnerabilities are most likely to appear here
      • PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
      • Plan to move at least to 'C' in the short term
      • Protocol: TLSv1.0 (and above)
  • Table of the ciphers (and their priority)

Columns: Advanced+ (A+), Advanced (A), Broad Compatibility (B), Widest Compatibility (C), Legacy (C-); '-' = cipher not included.

Cipher name (IANA)                     [OpenSSL name]                 Hex value  A+   A    B    C    C-
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384    [DHE-RSA-AES256-GCM-SHA384]    0x009f     1    1    1    1    1
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256    [DHE-RSA-AES128-GCM-SHA256]    0x009e     2    2    2    2    2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  [ECDHE-RSA-AES256-GCM-SHA384]  0xc030     3    3    3    3    3
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  [ECDHE-RSA-AES128-GCM-SHA256]  0xc02f     4    4    4    4    4
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256    [DHE-RSA-AES256-SHA256]        0x006b     -    5    5    5    5
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256    [DHE-RSA-AES128-SHA256]        0x0067     -    6    6    6    6
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  [ECDHE-RSA-AES256-SHA384]      0xc028     -    7    7    7    7
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  [ECDHE-RSA-AES128-SHA256]      0xc027     -    8    8    8    8
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     [ECDHE-RSA-AES256-SHA]         0xc014     -    -    9    9    9
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     [ECDHE-RSA-AES128-SHA]         0xc013     -    -    10   10   10
TLS_RSA_WITH_AES_256_GCM_SHA384        [AES256-GCM-SHA384]            0x009d     -    -    -    11   11
TLS_RSA_WITH_AES_128_GCM_SHA256        [AES128-GCM-SHA256]            0x009c     -    -    -    12   12
TLS_RSA_WITH_AES_256_CBC_SHA256        [AES256-SHA256]                0x003d     -    -    -    13   13
TLS_RSA_WITH_AES_128_CBC_SHA256        [AES128-SHA256]                0x003c     -    -    -    14   14
TLS_RSA_WITH_AES_256_CBC_SHA           [AES256-SHA]                   0x0035     -    -    -    15   15
TLS_RSA_WITH_AES_128_CBC_SHA           [AES128-SHA]                   0x002f     -    -    -    16   16
TLS_RSA_WITH_3DES_EDE_CBC_SHA          [DES-CBC3-SHA]                 0x000a     -    -    -    -    17
TLS_DHE_RSA_WITH_AES_256_CBC_SHA       [DHE-RSA-AES256-SHA]           0x0039     -    -    11   17   18
TLS_DHE_RSA_WITH_AES_128_CBC_SHA       [DHE-RSA-AES128-SHA]           0x0033     -    -    12   18   19

Remarks:
- The number gives the cipher's position in the respective priority order.
- Because older versions of Internet Explorer and Java do not support Diffie-Hellman parameters > 1024 bit, the ciphers 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' and 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' were placed at the end to avoid incompatibilities with legacy versions. Alternative: omit these ciphers entirely.
  • Example cipher strings for OpenSSL:
Cipher string, followed by its OpenSSL syntax:
Advanced+ (A+) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
Advanced (A) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
Broad Compatibility (B) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
Widest Compatibility (C) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
Legacy (C-) DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
  • Harden the TLS/SSL configuration of the web server:
      • Allow only secure, server-initiated renegotiation
      • No compression
      • Check the settings of all virtual servers (virtualHosts)
      • If Server Name Indication (SNI) is used, check which server is the default server. Old browsers and operating systems without SNI support reach only this one!
      • Check which ciphers the installed OpenSSL version supports
      • Reduce the SSL extensions to the necessary minimum, e.g. disable Heartbeat (cf. Heartbleed) and do not enable insecure extension DRAFTS such as Additional Random or Opaque PRF Input (cf. DualECTLS)
  • Configuration example for Apache, including cipher string 'A':

# for cipher strings 'A+', 'A':
SSLProtocol +TLSv1.2
# for cipher strings 'B', 'C', 'C-':
#SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
# Optionally, ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' can be appended.

Remarks:
- The cipher string with the SSL cipher suites was formulated as a whitelist to increase server-side compatibility with old versions of OpenSSL.
- Monitor the performance of your server: connection setup with DHE is about 2.4 times more CPU-intensive than with ECDHE (cf. [Vincent Bernat, 2011], [nmav's Blog, 2011]).

  • Check the cipher settings with openssl, e.g. for cipher string 'A':

openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
#add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL
#use openssl ciphers -v "..." for openssl < 1.0.1:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH   Au=RSA  Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH     Au=RSA  Enc=AES(256)    Mac=SHA256
0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH     Au=RSA  Enc=AES(128)    Mac=SHA256
0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH   Au=RSA  Enc=AES(256)    Mac=SHA384
0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH   Au=RSA  Enc=AES(128)    Mac=SHA256

CAUTION: You need a newer version of OpenSSL to use this cipher string!
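Added example (not part of the original cheat sheet): a Python function that audits an explicit OpenSSL cipher list, such as an SSLCipherSuite value, against the five whitelists above. It reports the strictest OWASP profile that contains every listed suite, whether the suites follow the table's priority order, and which suites lack PFS or fall outside all profiles. The function name `audit`, the report keys and the two sample strings are assumptions made for this example; the samples are constructed.

```python
import re

# Suite groups in the priority order of the cheat sheet's cipher table.
GCM = ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
       "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
CBC_SHA2 = ["DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-SHA256",
            "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"]
ECDHE_SHA1 = ["ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA"]
RSA_KX = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256",
          "AES128-SHA256", "AES256-SHA", "AES128-SHA"]   # RSA key exchange, no PFS
TDES = ["DES-CBC3-SHA"]                                   # 3DES, no PFS
DHE_SHA1 = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"]  # placed last in B, C, C-

PROFILES = {  # strictest profile first
    "A+": GCM,
    "A": GCM + CBC_SHA2,
    "B": GCM + CBC_SHA2 + ECDHE_SHA1 + DHE_SHA1,
    "C": GCM + CBC_SHA2 + ECDHE_SHA1 + RSA_KX + DHE_SHA1,
    "C-": GCM + CBC_SHA2 + ECDHE_SHA1 + RSA_KX + TDES + DHE_SHA1,
}

def audit(cipher_string):
    """Classify an explicit cipher list against the OWASP profiles."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip("'\" ")) if t]
    # '!x' and '-x' only remove suites, so they are not whitelist entries.
    listed = [t for t in tokens if t[0] not in "!-"]
    report = {
        "profile": None, "order_ok": None,
        "unknown": [c for c in listed if c not in PROFILES["C-"]],
        "no_pfs": [c for c in listed if c in RSA_KX + TDES],
    }
    for name, allowed in PROFILES.items():
        if listed and all(c in allowed for c in listed):
            # Priority check: suites must appear in the profile's own order.
            ranks = [allowed.index(c) for c in listed]
            report.update(profile=name, order_ok=ranks == sorted(ranks))
            break
    return report

# Constructed sample inputs (not taken from a real server).
SAMPLE_A = ":".join(GCM + CBC_SHA2) + ":!aNULL:!eNULL"
SAMPLE_WEAK = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA"

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_WEAK):
        print(audit(sample))
```

Keywords such as HIGH or @STRENGTH are reported under `unknown`, because the check recognises only the explicit suite names from the table.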




Authors and Primary Editors

Torsten Gigler
Achim Hoffmann

