35 votes

How to disable CBC-mode ciphers

You can use !SHA1:!SHA256:!SHA384 to disable all CBC mode ciphers. There are some non-CBC false positives that will also be disabled (RC4, NULL), but you probably also want to disable them anyway. ...
imgx64 • 1,390
19 votes
Accepted

How do I know which cipher suites can be disabled?

The required cipher suites depend entirely on the clients that are expected to use the service. As SSL Server Test from Qualys SSL Labs is designed for testing publicly accessible web servers, we can ...
Esa Jokinen • 19.7k
18 votes
Accepted

Why are CHACHA20 TLS ciphers not compliant with the NIST guidelines and FIPS/HIPAA standards?

The Reddit thread that you link to seems to answer the question: there is a specific list of cryptographic algorithms that have been validated and approved by NIST, and ChaCha20 is not on that list. ...
Gh0stFish • 18.8k
16 votes

How to disable CBC-mode ciphers

I've spent a fair amount of time over the last couple of days trying to get a perfect list for ssllabs. Thanks in part to this, here's what works: SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!...
Bill Cheswick
15 votes
Accepted

SSH Server Configuration Best Practices?

The defaults for a recent version of openssh are good. The server's asymmetric key type and client's asymmetric key type are specified in HostKeyAlgorithms and PubkeyAcceptedAlgorithms respectively. ...
Z.T. • 8,794
13 votes
Accepted

What are the 'P' values in some cipher string?

P521 is an elliptic curve. “P521” is a dead giveaway for an elliptic curve which SECG and TLS formally call secp521r1 and which NIST FIPS 186-4 calls P-521. An elliptic curve is a mathematical domain ...
Gilles 'SO- stop being evil'
11 votes

Why are CHACHA20 TLS ciphers not compliant with the NIST guidelines and FIPS/HIPAA standards?

ChaCha20 is a stream cipher, and there currently isn't any NIST-approved stream cipher at all. The only option is the block cipher AES (Triple DES and Skipjack are only approved for legacy decryption)....
Ja1024 • 38.2k
8 votes

What are the 'P' values in some cipher string?

I would suggest that these mean the curve used within the ECDHE key exchange, i.e. NIST P-256, NIST P-384 and NIST P-521. These are not actually part of the cipher itself (i.e. the 16-bit cipher id ...
Steffen Ullrich
8 votes
Accepted

OpenSSH: Meaning of cipher with email address @openssh.com

Those are algorithms defined by vendors like openssh, not defined by the SSH standard (IETF RFCs). They are extensions to the protocol. Of course, you are not guaranteed that software other than ...
Z.T. • 8,794
7 votes
Accepted

How are key exchange and signature algorithms negotiated in TLS 1.3

Summary Key Exchange Method (eg. DHE, PSK or DHE+PSK), negotiated using the pre_shared_key and psk_key_exchange_modes extensions. Diffie-Hellman group used for the DHE (eg. ffdhe8192, secp256r1, etc.),...
ysdx • 2,615
7 votes

Which cipher is more secure TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA or TLS_RSA_WITH_AES_256_GCM_SHA384?

Neither cipher suite is good. Which one is the least bad depends on your threat model. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA has two problems: It uses SHA-1 to authenticate the server's signature. SHA-1 ...
Gilles 'SO- stop being evil'
5 votes

What are the 'P' values in some cipher string?

They are the naming for NIST ECC curves. Also see NIST FIPS 186-4 and RFC 4492: NIST P-256 = secp256r1, P-384 = secp384r1, P-521 = secp521r1.
kelalaka • 5,599
5 votes

OpenSSH default/preferred ciphers, hash, etc for SSH2

Answer valid in 2023: By default, OpenSSH uses the chacha20-poly1305@openssh.com cipher. Although, between machines with AES-NI support, you might want to force e.g. [email protected]. $ man ...
Smile.Hunter
5 votes

How does a client (like SSLLabs) know all the cipher suites a server supports if the server doesn’t send its list of supported cipher suites?

In TLS the client announces what kind of ciphers it supports inside the ClientHello and the server picks a cipher from these which is supported on the server too. While one cannot query the server ...
Steffen Ullrich
5 votes

Clarifications regarding ciphers and Nmap scan

You are asking multiple unrelated questions which is not the recommended way to ask and chances are that the question might be closed as too broad or as duplicate since some part was already answered ...
Steffen Ullrich
5 votes

How do I verify the supported ciphersuites of a TLS server that only accepts POST requests?

It is totally irrelevant if GET or POST is used. The TLS handshake is done before any HTTP request is even sent. So if the handshake fails it means that neither GET nor POST is possible. If the ...
Steffen Ullrich
5 votes

If I control both sides of a connection, is there any reason to support alternate cipher suites?

If you control both ends of the tunnel, and there are no issues with intermediary server support, then it definitely makes sense to limit the ciphers. Additional ciphers just increases the attack ...
shellster • 638
4 votes

What makes an SSL session pick one cipher over another?

In the first step the server aligns the ciphers offered by the client with the ciphers configured on the server to get a set of common ciphers. From this set the server then selects a single cipher. ...
Steffen Ullrich
4 votes

Why does tls_version "TLS 1.2" from howsmyssl rate "Probably Okay" in Chrome on Windows 10 but "Bad" in IE11 on Windows 7?

Well, from the error message you posted, your IE11 is willing to use some really out of date and broken crypto, but Chrome does not. That tool even gives you a helpful description of why each one ...
Mike Ounsworth
4 votes
Accepted

Understanding SSL Cipher suite in Apache

Yes, the order of Apache's SSLCipherSuite indicates the preferred order. To quote the link you've provided (emphasis mine), Now where this becomes interesting is that these can be put together ...
gowenfawr • 73.7k
4 votes

When connecting via SSH, does the Diffie-Hellman key exchange take place over an unencrypted TCP session or does encryption occur before the exchange?

See RFC 5656, section 4, which describes the protocol for Diffie-Hellman key exchange for SSH. I've copied the diagram from this section below: Client ...
mti2935 • 25k
4 votes

OpenSSH: Meaning of cipher with email address @openssh.com

By the way, that's a domain name, not an email address. As explicitly pointed out in RFC4251 section 6: There are two formats for algorithm and method names: o Names that do not contain an at-...
dave_thompson_085
4 votes
Accepted

How does TLS use hashing from the negotiated cipher suite

There are a couple places we use a hash in TLS. The first is as part of the signature. This is decided by means outside the cipher suite (usually the negotiation of the curve we're using for ECDSA) ...
bk2204 • 9,837
4 votes

Java support for TLS_DHE_RSA_WITH_AES_128_CCM

This is very dependent on the version of the JRE that you are using, and thus on the version of JSSE it ships. It also depends on your local configuration, notably the jdk.tls.client.cipherSuites and ...
Bruno Rohée • 5,552
4 votes

server negotiating TLS1.3 but sent TLS1.2 ciphersuite

You basically describe a behavior where the server violates the standard, i.e. using a TLS 1.2 cipher with TLS 1.3. Common reaction to non-standard behavior of the server is to simply close the ...
Steffen Ullrich
3 votes
Accepted

How to filter ciphers based on ssl certificate?

Signature Algorithm: ecdsa-with-SHA256 This is irrelevant for the choice of cipher. Public Key Algorithm: id-ecPublicKey Since this is an ECC key you can use all ciphers which use ECDSA for ...
Steffen Ullrich
3 votes
Accepted

Question on DH key exchange

Is the client's private key not required? The TLS key exchange has nothing to do with authentication using client certificates, i.e. it is fully independent from it. This means both RSA key ...
Steffen Ullrich
3 votes

How to disable CBC-mode ciphers

The best SSL Ciphers and Protocols settings I found at https://cipherli.st/ With this you will get a Qualys A+ rating: SSLCipherSuite EECDH+AESGCM:EDH+AESGCM # Requires Apache 2.4.36 & OpenSSL 1....
ApolloDS
3 votes

Why does tls_version "TLS 1.2" from howsmyssl rate "Probably Okay" in Chrome on Windows 10 but "Bad" in IE11 on Windows 7?

Is it just the fact that IE11 supports "insecure_cipher_suites"? To cite from the site's documentation: Insecure Cipher Suites ... Any client supporting an insecure cipher suite will be marked ...
Steffen Ullrich
3 votes
Accepted

Ensuring all network services on a device use strong TLS cipher suites

What options do I have for preventing network services from allowing weak TLS ciphers? Changing the application or the application's configuration is one option, provided that the version of OpenSSL on ...
Steffen Ullrich

Only top-scored, non-community-wiki answers of a minimum length are eligible.