[Ach] [ssllabs-discuss] Minimal recommended cipher suite list, pref. as an interactive SSL Labs page

[Aaron Zauner]

Hi Hubert,

Hubert Kario wrote:
> 
> This puts DHE before ECDHE, and most problematically, DHE-RSA-AES256-SHA256
> before ECDHE-RSA-AES128-GCM-SHA256.
> 
> Older versions of httpd will use 1024 bit DH parameters. Those provide
> about 80 bit level of security (comparable to 1024 bit RSA and SHA-1).
> While with ECDH you will get the 256 bit curve which gives you 128 bit
> level of security (comparable to 3072 bit RSA and SHA256). Thankfully
> the newest releases of httpd select DH parameters based on RSA key size,
> so the DH params are not the weakest link any more.
> 
> Also using 256bit ciphers without at least disabling TLS session tickets,
> disabling SSL3, TLS1.0 and TLS1.1, *and* using very large RSA or ECDSA
> keys signed with SHA512 is just wasting cycles. If you're
> using AES or CAMELLIA (any key size), the cipher suite is not the weakest
> link in the security of connection.

I completely agree, I've tried to discuss this for a couple of times now
(for BetterCrypto). And we're so far as to drop 256bit symmetric ciphers
and align ciphers with signature and key exchange algorithm security,
but no body seems to be particularly interested in committing to
anything. Which might just be the lack of new input on the mailing list.

As for Mozillas recommendations: They still have DSS, RC4 and a couple
of other things in there which we explicitly exclude in our
recommendations - which I still think is a good idea. Another issue is
that these cipherstrings work differently on OpenSSL =< 0.9.8 and
OpenSSL >= 1.0.0 - all do not include GnuTLS (we do not either). As well
as other TLS libraries.


Aaron

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140612/f5dbec1d/attachment.sig>