Recommendations for TLS/SSL Cipher Hardening

Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are widely used protocols. They were designed to secure the transfer of data between the client and the server through authentication, encryption, and integrity protection.

Note: At the time of writing of this article, TLS 1.3 was not yet available. It is available now, and it is recommended for use instead of TLS 1.2. TLS 1.3 does not require you to manually specify cipher suites in configuration.

TLS/SSL technology is commonly used in websites and web applications together with the HTTP protocol. It is also used by several other services and protocols, for example, email (SMTP, POP, and IMAP protocols), FTP, chat (XMPP protocol), virtual private networks (TLS/SSL VPNs), and network appliances.

To secure the transfer of data, TLS/SSL uses one or more cipher suites. A cipher suite is a combination of authentication, encryption, and message authentication code (MAC) algorithms. They are used during the negotiation of security settings for a TLS/SSL connection as well as for the transfer of data.

The following are examples of what algorithms a cipher suite may use.

Function                Algorithm
Key Exchange            RSA, Diffie-Hellman, ECDH, SRP, PSK
Authentication          RSA, DSA, ECDSA
Bulk Ciphers            RC4, 3DES, AES
Message Authentication  HMAC-SHA256, HMAC-SHA1, HMAC-MD5

TLS is now a requirement in several regulatory standards. Major browsers mark sites as not secure in absence of TLS. It may therefore also be considered a requirement for serving websites and web applications. However, getting a correct TLS implementation may be difficult. Bad TLS configurations may provide a false sense of security and make websites and web applications vulnerable to attacks.

Many common TLS misconfigurations are caused by choosing the wrong cipher suites. Old or outdated cipher suites are often vulnerable to attacks. If you use them, an attacker may intercept or modify data in transit. Below is a list of recommendations for a secure SSL/TLS implementation.

Disabling SSL 2.0 and SSL 3.0

SSL 2.0 was the first public version of SSL. It was released in 1995. This version of SSL contained several security issues. In 1996, the protocol was completely redesigned and SSL 3.0 was released.

Because of the security issues, the SSL 2.0 protocol is unsafe and you should completely disable it. Due to the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSL 3.0 is also unsafe and you should disable it as well. If it is enabled, an attacker may retrieve the plaintext content of secure connections. Furthermore, you cannot use elliptic-curve cryptography (see below) with SSL 3.0.

Internet Explorer 6 is the only browser that still uses SSL 3.0. Therefore, unless you still need to support the legacy Internet Explorer 6 browser, you should disable SSL 3.0 as outlined below.

Disabling TLS 1.0 and 1.1

Unless you need to support legacy browsers, you should also disable TLS 1.0 and TLS 1.1. The PCI DSS (Payment Card Industry Data Security Standard) specifies that TLS 1.0 may no longer be used as of June 30, 2018. It also strongly suggests that you disable TLS 1.1. These protocols may be affected by vulnerabilities such as FREAK, POODLE, BEAST, and CRIME. If you must still support TLS 1.0, disable TLS 1.0 compression to avoid CRIME attacks.

You should also disable weak ciphers such as DES and RC4. DES can be broken in a few hours and RC4 has been found to be weaker than previously thought. In the past, RC4 was advised as a way to mitigate BEAST attacks. However, due to the latest attacks on RC4, Microsoft has issued an advisory against it. The PCI DSS also prohibits the use of the RC4 bulk cipher.

If you disable TLS 1.0 and TLS 1.1, the following user agents and their older versions will likely be affected (specific user agent versions on different operating systems may vary).

  • Android 4.3
  • Chrome 29
  • Firefox 26
  • Internet Explorer 10
  • Java 6u45, 7u25
  • OpenSSL 0.9.8y
  • Safari 6.0

How to Configure TLS

Depending on your business use case (e.g. the need to support legacy browsers and regulatory requirements) you may need to use slightly different cipher suite configurations. You may use the Mozilla SSL Configuration Generator to obtain an optimal TLS configuration using different browser profiles (modern, intermediate, or old).

The following is a breakdown of the modern profile (oldest compatible clients: Firefox 27, Chrome 30, Internet Explorer 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8). The syntax for enabling/disabling TLS protocols and cipher suites will vary slightly depending on the web server.

Nginx

# Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1
ssl_protocols TLSv1.2;
# Enable modern TLS cipher suites
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# The order of cipher suites matters
ssl_prefer_server_ciphers on;

Apache HTTP Server

# Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# Enable modern TLS cipher suites
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# The order of cipher suites matters
SSLHonorCipherOrder     on
# Disable TLS compression
SSLCompression          off
# Necessary for Perfect Forward Secrecy (PFS)
SSLSessionTickets       off

Preferred Cipher Suite Order

The table below breaks down the cipher suite string above into its preferred order (best key exchange algorithm and strongest encryption first).

Note: More information on the ciphers supported by OpenSSL is available here.

Order  Key Exchange Algorithm                Authentication Algorithm                            Bulk Encryption Algorithm                    MAC Algorithm
#1     Elliptic Curve Diffie–Hellman (ECDH)  Elliptic Curve Digital Signature Algorithm (ECDSA)  AES 256 in Galois Counter Mode (AES256-GCM)  SHA384
#2     Elliptic Curve Diffie–Hellman (ECDH)  RSA                                                 AES 256 in Galois Counter Mode (AES256-GCM)  SHA384
#3     Elliptic Curve Diffie–Hellman (ECDH)  Elliptic Curve Digital Signature Algorithm (ECDSA)  ChaCha20 (CHACHA20)                          POLY1305
#4     Elliptic Curve Diffie–Hellman (ECDH)  RSA                                                 ChaCha20 (CHACHA20)                          POLY1305
#5     Elliptic Curve Diffie–Hellman (ECDH)  Elliptic Curve Digital Signature Algorithm (ECDSA)  AES 128 in Galois Counter Mode (AES128-GCM)  SHA256
#6     Elliptic Curve Diffie–Hellman (ECDH)  RSA                                                 AES 128 in Galois Counter Mode (AES128-GCM)  SHA256

This string provides the strongest encryption available in modern browsers and TLS/SSL clients (AES in Galois/Counter Mode is only supported in TLS 1.2). It also provides perfect forward secrecy (PFS) if both the server and the TLS/SSL client support it (on Apache HTTP Server you must set SSLSessionTickets to off).
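To check a cipher string against the recommendations above before deploying it, the following added Python script (not part of the original article, and not a Mozilla or OpenSSL tool) lets the local OpenSSL library expand the string exactly as a server would, in preference order, and flags any suite without forward secrecy, without AEAD, or using RC4, DES/3DES or MD5. The WEAK_CIPHERS string is a constructed counterexample; MODERN_CIPHERS is the profile string from the Nginx and Apache configurations above.

```python
import ssl

# The Mozilla "modern" cipher string from the Nginx/Apache configuration above.
MODERN_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# Constructed, deliberately weak string: static RSA key exchange (no PFS), CBC with HMAC,
# and legacy ciphers the article says to disable (suites the local OpenSSL no longer builds,
# such as RC4, are simply absent from the expansion).
WEAK_CIPHERS = "AES128-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5"

def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2 suites it enables,
    in the preference order the server would use (first = most preferred)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are always listed but are not governed by set_ciphers().
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(cipher_string):
    """Map each enabled suite name to a list of findings against the article's
    recommendations; an empty list means the suite is acceptable."""
    findings = {}
    for c in expand(cipher_string):
        issues = []
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            issues.append("no forward secrecy (key exchange %s)" % c["kea"])
        sym = c["symmetric"] or ""
        if "rc4" in sym or "des" in sym:
            issues.append("weak bulk cipher %s" % sym)
        if not c["aead"]:
            issues.append("not AEAD (CBC + HMAC, MAC %s)" % c["digest"])
        if c["digest"] == "md5":
            issues.append("MD5 MAC")
        findings[c["name"]] = issues
    return findings

def is_hardened(cipher_string):
    """True when every suite enabled by the string passes the audit."""
    return all(not issues for issues in audit(cipher_string).values())

if __name__ == "__main__":
    for name, issues in audit(WEAK_CIPHERS).items():
        print(name, "->", "; ".join(issues) or "OK")
    print("modern profile hardened:", is_hardened(MODERN_CIPHERS))
```

Run it on the cipher string from your own web server configuration; the order of the expanded list is the order the server will honour when ssl_prefer_server_ciphers / SSLHonorCipherOrder is on.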


Lawton Information Services, LLC, Tim A Lawton 4 April, 2023