[guardian-dev] Improving enabled TLS Cipher Suites

coderman coderman at gmail.com
Wed Sep 11 18:13:09 EDT 2013


of all the suites, these look good (assuming 2k RSA keys)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

all the rest do not provide forward secrecy, or use ECC with suspect
constants, or use weak ciphers.

i'm open to hearing arguments otherwise.

> ...
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> TLS_DH_anon_WITH_AES_128_CBC_SHA256
> TLS_DH_anon_WITH_AES_256_CBC_SHA256
> TLS_DH_anon_WITH_AES_128_CBC_SHA
> TLS_DH_anon_WITH_AES_256_CBC_SHA
> TLS_ECDH_anon_WITH_AES_128_CBC_SHA
> TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_NULL_SHA
> TLS_ECDHE_RSA_WITH_NULL_SHA
> TLS_RSA_WITH_NULL_MD5
> SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
> TLS_RSA_WITH_NULL_SHA256
> TLS_RSA_WITH_NULL_SHA
> SSL_RSA_WITH_NULL_MD5
>> ...
>>     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
>>     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
>>     "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
>>
>>     "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
>>     "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
>>     "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
>>
>>     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
>>     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
>>     "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
>>
>>     "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
>>     "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
>>     "TLS_ECDH_RSA_WITH_RC4_128_SHA",
>>
>>     "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
>>     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
>>
>>     "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
>>     "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
>>
>>     "TLS_RSA_WITH_AES_256_CBC_SHA",
>>     "TLS_RSA_WITH_AES_128_CBC_SHA"
>> ...
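
The rejection reasons given above, applied mechanically to suite names from the quoted lists. This is an added example, not part of the original message. The name-parsing regex, the function names, the set of cipher tokens treated as weak, and the separate "unauthenticated key exchange" label for anon suites are assumptions of this example.

```python
import re

# Suite names copied from the message's quoted lists (subset of the second).
# The MAC hash is not judged: the message states no criterion for it.
QUOTED = """
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS_ECDHE_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
""".split()

# Cipher tokens treated as weak: an assumption of this example.
WEAK = ("NULL", "RC4", "DES40", "3DES_EDE")
NAME_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_[A-Z0-9]+$")


def rejection_reasons(suite):
    """Return why a suite fails the message's criteria (empty list = keep)."""
    m = NAME_RE.match(suite)
    if m is None:
        return ["unparseable name"]
    kx = m.group("kx").split("_")  # e.g. ["DHE", "RSA"] or ["DH", "anon"]
    reasons = []
    if "anon" in kx:  # label added by this example, not one of the message's three
        reasons.append("unauthenticated key exchange")
    elif kx[0] not in ("DHE", "ECDHE"):
        reasons.append("no forward secrecy")
    if kx[0].startswith("EC") or "ECDSA" in kx:
        reasons.append("uses ECC")
    if "EXPORT" in kx or any(w in m.group("cipher") for w in WEAK):
        reasons.append("weak cipher")
    return reasons


def accepted(suites):
    """Suites with no rejection reason, in input order."""
    return [s for s in suites if not rejection_reasons(s)]


if __name__ == "__main__":
    for s in QUOTED:
        print(s, "->", ", ".join(rejection_reasons(s)) or "keep")
```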

