BGP.guru

Nerd blog.

12 Jan 2014

SSL Ciphers

This page is outdated. Please use the Mozilla SSL Configuration Generator to generate a secure configuration.

SSL/TLS protocol versions and cipher suites have never been something people configured very tightly. Lately, though, there are valid reasons to ensure that SSL, wherever it is used, offers the strongest available protection of confidentiality and integrity. Sites such as ssllabs.com can help test your web server's configuration. Weak ciphers give a false sense of security: there are practical attacks against SSL/TLS.

The following is the set I use for this site (at the time of publishing):

ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

The same cipher list is also useful (under different configuration directive names) in Dovecot's dovecot.conf and in Apache's SSL vhost configs.
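To see what a cipher string like the one above actually enables before deploying it, you can expand it with the same OpenSSL parser the server uses and sort the result by key exchange. The following audit script is an added example, not part of the original post or of nginx; it assumes Python's ssl module is linked against OpenSSL, and which suites survive (for instance 3DES) depends on the local OpenSSL build and security level.

```python
import re
import ssl

# The nginx ssl_ciphers value from the post above, used as the audit input.
POST_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

# Key-exchange methods that give forward secrecy (ephemeral DH/ECDH).
# "any" is what OpenSSL reports for TLS 1.3 suites, which are always ephemeral.
PFS_KX = {"ECDH", "DH", "any"}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher list into the suites the local OpenSSL
    actually enables, in preference order. This uses the same parser the
    server would, so rules like '!aNULL' are applied exactly as nginx sees them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string):
    """Classify the enabled suites: weak (anonymous, NULL, RC4, MD5, DSS),
    lacking forward secrecy (static RSA key exchange), or legacy 3DES."""
    report = {"weak": [], "no_pfs": [], "legacy_3des": []}
    for suite in expand_cipher_string(cipher_string):
        name, desc = suite["name"], suite["description"]
        # The description is OpenSSL's `ciphers -v` line, e.g.
        # "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
        kx = re.search(r"Kx=(\S+)", desc).group(1)
        au = re.search(r"Au=(\S+)", desc).group(1)
        enc = re.search(r"Enc=(\S+)", desc).group(1)
        mac = re.search(r"Mac=(\S+)", desc).group(1)
        if au in ("None", "DSS") or enc == "None" or "RC4" in enc or mac == "MD5":
            report["weak"].append(name)
        if kx not in PFS_KX:
            # Static RSA key exchange: a leaked server key decrypts recorded traffic.
            report["no_pfs"].append(name)
        if "3DES" in enc:
            report["legacy_3des"].append(name)
    return report


if __name__ == "__main__":
    for category, names in audit_cipher_string(POST_CIPHERS).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

The "no_pfs" list is the price of the RSA+AES and RSA+3DES fallbacks at the end of the string: they keep very old clients working, but sessions negotiated with them are not forward secret.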


Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.