[Ach] Cipher List Notes

Alice Wonder alice at librelamp.com
Sat Nov 12 03:32:03 CET 2016

Hello List,

Really enjoyed reading the "Applied Crypto Hardening" guide.

The only major difference between my practices and that guide are with 
Section 3.2.3 with "Recommended Cipher Suites"

Like your guide, I too have a "Strong, fewer clients" configuration and 
a "Weaker but better compatibility" configuration. I'm sure I am not the 
only one with a point of view on this.

I would like to share what I do and the real world results, and get 

For my SSLCipherSuite it should be noted that I am using LibreSSL so 
excluding SSLv2 and SSLv3 are not necessary.

The only cipher suites I bother with are chacha20 and AES families. 
ChaCha20 is kinder to Android users and AES has hardware acceleration on 
many platforms. I found I do not need any others.

-=- Strong, fewer clients

In your Configuration A you limit it to AES256, I do not know your 
rationale for excluding AES128 from the Configuration A list but if I 
can only jump 10 feet, a 50 foot moat is just as effective as a 100 foot 
moat. For me to cross the moat requires a different approach than jumping.

For my equivalent of your Configuration A list, on servers where 
sensitive information is transferred to and from the server, I do limit 
it to TLS 1.2 and I also only use ECDSA certificates, I haven't yet come 
across a user with a client that can do TLS 1.2 that doesn't handle 
ECDSA. With a ECDSA certificate I use the following:


That provides the following ciphers with LibreSSL 2.4.4:

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)     FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)           FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)           FS 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)           FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)           FS 128

With SSL Labs, only the following browsers are reported as not working:

Android < 4.4.2
Baidu Jan 2015
XP Browsers
IE < 11
Java < 8u31
OpenSSL 0.9.8y
Safari < 7

Many of those are deprecated by the vendor and all of them (except maybe 
Baidu) have newer versions that do work. Outdated browsers are not 
secure enough for sensitive data anyway, so for sensitive data servers, 
I don't have to support them.

-=- Weaker but better compatibility

Your Configuration B list does allow AES128 but also allows the Camellia 
ciphers. I do not allow the Camellia ciphers because honestly I do not 
see the benefit, offering them just ads another attack surface if there 
is a zero day found in that family, it seems equivalent to AES to me but 
AES has the advantage of AES-NI support in a lot of hardware. And 
allegedly Camellia has some patent issues.

With my equivalent of your Configuration B I use RSA 2048 and just add a 
couple AES options so it will work with more clients:


That provides the following ciphers with LibreSSL 2.4.4:

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)       FS 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)             FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)             FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)             FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)             FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)                FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)                FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)                 FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)                 FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)                    FS 256

With that configuration, TLS 1.0 support is added and the only ssllabs 
listed excluded clients are:

Android 2.3.7
Java 6u45

None of those clients should be used, and they do not work with SNI 
anyway which is required for many of my sites (I tend to configure an 
empty virtual host as first virtual host)


Thoughts / Comments ??

More information about the Ach mailing list