[guardian-dev] Improving enabled TLS Cipher Suites
coderman
coderman at gmail.com
Wed Sep 11 18:13:09 EDT 2013
of all the suites, these look good (assuming 2k RSA keys)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
all the rest do not provide forward secrecy, or use ECC with suspect
constants, or use weak ciphers.
i'm open to hearing arguments otherwise.
> ...
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> TLS_DH_anon_WITH_AES_128_CBC_SHA256
> TLS_DH_anon_WITH_AES_256_CBC_SHA256
> TLS_DH_anon_WITH_AES_128_CBC_SHA
> TLS_DH_anon_WITH_AES_256_CBC_SHA
> TLS_ECDH_anon_WITH_AES_128_CBC_SHA
> TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_NULL_SHA
> TLS_ECDHE_RSA_WITH_NULL_SHA
> TLS_RSA_WITH_NULL_MD5
> SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
> TLS_RSA_WITH_NULL_SHA256
> TLS_RSA_WITH_NULL_SHA
> SSL_RSA_WITH_NULL_MD5
>> ...
>> "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
>>
>> "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
>>
>> "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
>>
>> "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDH_RSA_WITH_RC4_128_SHA",
>>
>> "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
>>
>> "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
>> "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
>>
>> "TLS_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_RSA_WITH_AES_128_CBC_SHA"
>> ...
More information about the Guardian-dev
mailing list