Secure Cipher-Suites for Qualys SSL Labs server test A/A+ rating

There are many possible ways to configure your server to support only secure cipher-suites and get an A/A+ rating from the SSL Labs SSL Test; some are more restrictive than others, and some are more complex than others.

There is no single holy grail, but for openssl-based applications such as Apache, postfix, or nginx, I prefer the following general notation, which I personally find more readable and more sensible:
HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH

Checking the openssl documentation, this boils down to the following logic:

  • Only enable strong (High) encryption cipher suites (at least 128 bit length)
  • Exclude cipher-suites without authentication (aNULL) or without encryption (eNULL)
  • Exclude fixed/static ECDH key exchange (kECDH), as opposed to ephemeral ECDHE keys (no PFS, rarely used)
  • Exclude cipher-suites using DH authentication (aDH), which is rarely used and needs the certificate to have static DH keys
  • Exclude RC4 and 3DES cipher-suites which are known to be weak or outdated
  • Exclude Camellia cipher-suites, which are rarely used/preferred by clients/servers when AES is already supported. AES is the de-facto standard
  • Exclude outdated cipher-suites using weak MD5 HMAC
  • Exclude cipher-suites used extremely rarely or only in very specific applications like Secure Remote Password authentication (SRP), PSK (Pre-Shared Key) and KRB5 (Kerberos5, also supports only old ciphers/HMAC)
  • Sort the cipher list by strength

With at least the recent openssl 1.0.1j version, this will enable a broad range of 30 secure AES-based cipher-suites, including some basic non-PFS AES suites for compatibility reasons (decide for yourself if you’re OK with this). This guarantees an SSL test rating of at least A.
If you really need to support older clients, then you could also consider leaving 3DES enabled.
Note: To get an A+ rating currently your certificate must have a SHA-256 chain and the server also needs to support TLS Fallback SCSV and apparently HTTP Strict Transport Security as well.

To see what effective cipher-suites this syntax will enable with your openssl version, check this:
openssl ciphers -V 'HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH'
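
To audit the list that command prints, the following added example (not from the original post) parses `openssl ciphers -V` lines, reports whether each suite offers PFS, and flags any suite that the exclusions above should have removed. The function names and the sample lines are constructed for illustration, and the parsing assumes the 1.0.1-style Kx=/Au=/Enc=/Mac= layout.

```sh
#!/bin/sh
# Added example: audit `openssl ciphers -V` lines against the exclusions above.
# Output per suite: <alias> PFS=<yes|no> <OK|VIOLATION:reasons>
audit_suites() {
  awk '
    $2 == "-" {                     # suite line: 0xC0,0x30 - ALIAS PROTO Kx=.. Au=..
      name = $3; kx = au = enc = mac = ""
      for (i = 4; i <= NF; i++) {   # collect the Kx=/Au=/Enc=/Mac= fields
        split($i, kv, "=")
        if (kv[1] == "Kx")  kx  = kv[2]
        if (kv[1] == "Au")  au  = kv[2]
        if (kv[1] == "Enc") enc = kv[2]
        if (kv[1] == "Mac") mac = kv[2]
      }
      # Ephemeral exchange prints as plain DH or ECDH; static as ECDH/RSA etc.
      pfs = (kx == "DH" || kx == "ECDH") ? "yes" : "no"
      why = ""
      if (au == "None")                  why = why ",aNULL"
      if (enc == "None")                 why = why ",eNULL"
      if (index(kx, "/") || au == "DH")  why = why ",static-Kx"
      if (enc ~ /^(RC4|3DES|Camellia)/)  why = why "," enc
      if (mac == "MD5")                  why = why ",MD5"
      if ((kx " " au) ~ /PSK|SRP|KRB5/)  why = why ",PSK-SRP-KRB5"
      print name, "PFS=" pfs, (why == "" ? "OK" : "VIOLATION:" substr(why, 2))
    }'
}

# Constructed sample in the `openssl ciphers -V` layout (not captured output).
sample_output() {
  cat <<'EOF'
  0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
  0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
  0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  0xC0,0x0E - ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
  0xC0,0x18 - AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
EOF
}

sample_output | audit_suites
# Real use:
# openssl ciphers -V 'HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH' | audit_suites
```

Newer OpenSSL releases print TLS 1.3 suites with Kx=any, which this check reports as PFS=no, so review those lines separately.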

With openssl 1.0.1j+ (or a recent CentOS/RHEL 1.0.1e+ port) you should get the following 30 secure cipher-suites (I’ve formatted the list a bit to make it more readable; the names you see are in the openssl cipher-suite alias column):

| Cipher-Suite ID | IANA Cipher-Suite Name | openssl Cipher-Suite Alias | PFS? | Key-Exchange | Authentication | Symmetric Encryption | HMAC |
|---|---|---|---|---|---|---|---|
| 0xC0,0x30 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | yes | ECDH | RSA | AESGCM(256) | AEAD |
| 0xC0,0x2C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 | yes | ECDH | ECDSA | AESGCM(256) | AEAD |
| 0xC0,0x28 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 | yes | ECDH | RSA | AESCBC(256) | SHA384 |
| 0xC0,0x24 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 | yes | ECDH | ECDSA | AESCBC(256) | SHA384 |
| 0xC0,0x14 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA | yes | ECDH | RSA | AESCBC(256) | SHA1 |
| 0xC0,0x0A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA | yes | ECDH | ECDSA | AESCBC(256) | SHA1 |
| 0x00,0xA3 | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | DHE-DSS-AES256-GCM-SHA384 | yes | DH | DSS | AESGCM(256) | AEAD |
| 0x00,0x9F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 | yes | DH | RSA | AESGCM(256) | AEAD |
| 0x00,0x6B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 | yes | DH | RSA | AESCBC(256) | SHA256 |
| 0x00,0x6A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | DHE-DSS-AES256-SHA256 | yes | DH | DSS | AESCBC(256) | SHA256 |
| 0x00,0x39 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA | yes | DH | RSA | AESCBC(256) | SHA1 |
| 0x00,0x38 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DHE-DSS-AES256-SHA | yes | DH | DSS | AESCBC(256) | SHA1 |
| 0x00,0x9D | TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 | no | RSA | RSA | AESGCM(256) | AEAD |
| 0x00,0x3D | TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 | no | RSA | RSA | AESCBC(256) | SHA256 |
| 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA | no | RSA | RSA | AESCBC(256) | SHA1 |
| 0xC0,0x2F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | yes | ECDH | RSA | AESGCM(128) | AEAD |
| 0xC0,0x2B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 | yes | ECDH | ECDSA | AESGCM(128) | AEAD |
| 0xC0,0x27 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 | yes | ECDH | RSA | AESCBC(128) | SHA256 |
| 0xC0,0x23 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 | yes | ECDH | ECDSA | AESCBC(128) | SHA256 |
| 0xC0,0x13 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA | yes | ECDH | RSA | AESCBC(128) | SHA1 |
| 0xC0,0x09 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA | yes | ECDH | ECDSA | AESCBC(128) | SHA1 |
| 0x00,0xA2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | DHE-DSS-AES128-GCM-SHA256 | yes | DH | DSS | AESGCM(128) | AEAD |
| 0x00,0x9E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 | yes | DH | RSA | AESGCM(128) | AEAD |
| 0x00,0x67 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 | yes | DH | RSA | AESCBC(128) | SHA256 |
| 0x00,0x40 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | DHE-DSS-AES128-SHA256 | yes | DH | DSS | AESCBC(128) | SHA256 |
| 0x00,0x33 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA | yes | DH | RSA | AESCBC(128) | SHA1 |
| 0x00,0x32 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE-DSS-AES128-SHA | yes | DH | DSS | AESCBC(128) | SHA1 |
| 0x00,0x9C | TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 | no | RSA | RSA | AESGCM(128) | AEAD |
| 0x00,0x3C | TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 | no | RSA | RSA | AESCBC(128) | SHA256 |
| 0x00,0x2F | TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA | no | RSA | RSA | AESCBC(128) | SHA1 |

Note that the cipher-suites your application actually uses from this pool of 30 suites depend on a number of other factors. For example, the extremely common certificates using RSA keys only apply to cipher-suites using RSA for authentication. Likewise, DSS (DSA) and ECC (ECDSA) certificates will only allow using cipher-suites with DSS or ECDSA authentication respectively. There is no need to exclude one or the other specifically for your certificate because openssl/the application will filter out the unnecessary suites that aren’t compatible with the certificate in the first place.

It’s also recommended that your server chooses the best available secure cipher-suite from the client’s list when negotiating an SSL/TLS connection with a client. Most implementations by default just select the first matching cipher-suite from the list included in the Client Hello message, which could be a weaker cipher-suite, such as one without PFS.
On Apache you can use the directive SSLHonorCipherOrder on to always use the first (best) cipher-suite from the server’s list that the client also supports.

This Qualys SSL Server Test will then yield results similar to the following: (This was tested with CentOS 6, Apache 2.2.15-39, mod_ssl 2.2.15-39 and openssl 1.0.1e-30 (1.0.1j equivalent)):

[Screenshots: Supported Cipher-Suites; Handshake Simulation]

A similar list of secure cipher-suites for Windows/IIS webservers can be configured with the IIScrypto tool.
