TLS Cipher String Cheat Sheet



Last revision (mm/dd/yy): //

= Introduction =

This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.

=Recommendations for a cipher string=

Secenarios
The cipher strings are based on the recommendation to setup your policy to get a whitelist for yours ciphers as described in the Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers). The recommened cipher strings are based on the different scenarios:
 * OWASP Cipher String 'A+' (Advanced+, limited compatibility, e.g. to more recent browser versions)
 * Recommended if you control the server and the clients (e.g. by approvement) and if you check the compatibility before using it
 * Includes solely the strongest perfect forward secrecy (PFS) ciphers
 * Protocol: TLSv1.2 (and above)


 * OWASP Cipher String 'A' (Advanced, wider compatibility, e.g. to most newer browser versions)
 * Recommended if you control the server and the clients (e.g. by approvement) if the 'A+' string does not work, make sure to check the compatibility before using it
 * includes solely the stronger PFS ciphers
 * Protocol: TLSv1.2 (and above)


 * OWASP Cipher String 'B' (Broad compatibility to browsers, check the compatibility to other protocols before using it, e.g. IMAPS)
 * Recommended if you solely control the server and the clients use their browsers and if you check the compatibility before using it for other protocols than https
 * Includes solely PFS ciphers
 * Be aware of additional risks and of new vulnerabilities that may appear are more likely than above
 * Plan to phase out SHA-1 and TLSv1/TLSv1.1 for https in middle-term
 * Protocol: TLSv1.0/better TLSv1.1 (and above)


 * OWASP Cipher String 'C' (Widest Compatibility, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS)
 * You may use this if you solely control the server and your clients use elder browsers and other elder libraries or if you use other protocols than https
 * Be aware of the existing risks and of new vulnerabilities that may appear more likely
 * PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
 * Plan to move to 'A' for https or at least 'B' otherwise in middle-term
 * Protocol: TLSv1.0 (and above)


 * OWASP Cipher String 'C-' (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP)
 * Take care, use this cipher string only if you are forced to support DES (=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https
 * Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely
 * PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
 * Plan to move at least to 'C' in a short-term
 * Protocol: TLSv1.0 (and above)

Table of the ciphers (and their priority high: 1.. up to 19 (low))
Remarks: - Elder versions of Internet-Explorer- and Java do not support Diffie-Hellman parameters >1024 bit. So the ciphers 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' and 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' were moved to the end to prevent possible incompatibility issues. Other Option: Do not offer these Ciphers at all.

Examples for cipher strings

 * OpenSSL
 * {| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: left; font-size:84%;"

!Cipher-String            || OpennSSL-Syntax = At a glance: Hardening of other parts of the configuration of TLS/SSL for web servers =
 * - style="font-size: 119%; background-color:#EAECF0;"
 * - style="background-color:#B9FFC5;"
 * style="font-size: 119%;"| Advanced+ (A+)          || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
 * - style="background-color:#E3FFE3;"
 * style="font-size: 119%;"| Advanced (A)            || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
 * style="font-size: 119%;"| Broad Compatibility (B) || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 * - style="background-color:#F4F6F8;"
 * style="font-size: 119%;"| Widest Compatibility (C) || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 * - style="background-color:#FFFF88;"
 * style="font-size: 119%;"| Legacy (C-)             || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 * }
 * }
 * Use solely secure and server initiated renegotiation
 * Disable Compression
 * Check the configuration for all virtual Hosts
 * If you use Server Name Indication (SNI), verify which virtual server is your default server. Ancient browsers, OSs or runtime environments without SNI support can only reach this server
 * Use only the TLS/SSL extensions that you really need, e.g. deactivate haert beat (see Heartbleed), do not activate insecure or untested drafts for extensions e.g. additional random, opaque PRF input (see. DualECTLS)
 * Set reasonable HTML Tags

=Example configs=

Apache

 * Cipher String 'A':

SSLProtocol +TLSv1.2                 # for Cipher-String 'A+', 'A' SSLCompression off SSLHonorCipherOrder on SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
 * 1) SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 # for Cipher-String 'B', 'C', 'C-'
 * 1) add optionally ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES'

Remarks: - The cipher string is compiled as a whitelist of individual ciphers to get a better compatibility even with old versions of OpenSSL. - Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU abt 2.4 times more than ECDHE, cf. Vincent Bernat, 2011, nmav's Blog, 2011.


 * Verify your cipher string using your crypto library, e.g. openssl using cipher string 'A':

openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384  TLSv1.2 Kx=DH     Au=RSA  Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=DH     Au=RSA  Enc=AESGCM(128) Mac=AEAD 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(256) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(128) Mac=AEAD 0x00,0x6B - DHE-RSA-AES256-SHA256      TLSv1.2 Kx=DH     Au=RSA  Enc=AES(256)    Mac=SHA256 0x00,0x67 - DHE-RSA-AES128-SHA256      TLSv1.2 Kx=DH     Au=RSA  Enc=AES(128)    Mac=SHA256 0xC0,0x28 - ECDHE-RSA-AES256-SHA384    TLSv1.2 Kx=ECDH   Au=RSA  Enc=AES(256)    Mac=SHA384 0xC0,0x27 - ECDHE-RSA-AES128-SHA256    TLSv1.2 Kx=ECDH   Au=RSA  Enc=AES(128)    Mac=SHA256
 * 1) add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL
 * 2) use openssl ciphers -v "..." for openssl < 1.0.1:

CAUTION: You need a newer version of OpenSSL to use this cipher string!

=Related Articles=


 * OWASP: Transport Layer Protection Cheat Sheet

= Authors and Primary Editors =