Theodore Baschak

BOFH. Open Source Guru. Founder/Operator of Hextet Systems, AS395089 and Network Architect for Daemon Defense Systems, AS55101.

SSL Ciphers

Sun, 12 Jan 2014 23:44:23 -0600 » SSL, Networking, System Administration

This page is outdated. Please use the Mozilla SSL Configuration Generator to generate a secure configuration.

SSL/TLS protocol versions and ciphers have never really been something people configured very tightly. Lately, though, there are very valid reasons to ensure that SSL, where applied, uses the best available methods to protect confidentiality and integrity. Sites such as ssllabs.com can help test your web server's configuration. Weak ciphers give a false sense of security, and there are attacks against SSL/TLS.

The following is the set I use for this site (at the time of publishing):

ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

The same settings are also useful, under different directive names, in files such as dovecot.conf and Apache's SSL vhost configs.
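A cipher string like the one above is a selection expression, so the suites it actually enables depend on the OpenSSL build that evaluates it. The following added example (not part of the original post) expands the page's string with Python's ssl module and labels each resulting suite; the function names and labels are illustrative assumptions.

```python
import ssl

# Cipher string copied from the page's ssl_ciphers directive.
PAGE_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
                "DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string, so they are
    # filtered out to show only what the string itself selects.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify(suite):
    """Label one suite based on OpenSSL's suite naming scheme."""
    name = suite["name"]
    labels = []
    # ECDHE-/DHE- prefixes mark ephemeral key exchange (forward secrecy);
    # anything else left by this string uses static RSA key exchange.
    if name.startswith(("ECDHE-", "DHE-")):
        labels.append("forward-secret")
    else:
        labels.append("no-forward-secrecy")
    if suite.get("aead"):
        labels.append("aead")
    if "DES-CBC3" in name:
        labels.append("3des")
    return labels


def audit(cipher_string):
    """Return (suite name, labels) pairs in server preference order."""
    return [(s["name"], classify(s)) for s in expand(cipher_string)]


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    for rank, (name, labels) in enumerate(audit(PAGE_CIPHERS), 1):
        print(f"{rank:3d}  {name:32s} {', '.join(labels)}")
```

Run it on the host that serves TLS: suites the local OpenSSL build does not compile in (3DES on many current builds) simply do not appear in the output.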
