Choosing the right set of cipher algorithms for your users
Cipher Suites
Preliminaries
This note describes the cipher algorithms that are available for use with the server, and how to configure custom cipher suites.
This note reflects best practices for 2019.
The server uses Transport Layer Security (TLS) to encrypt communications to and from the user-agent. TLS is a protocol that uses a variety of algorithms at different stages of its life-cycle.
A cipher suite comprises a set of four algorithms that work together to handle these tasks:
- How secret keys are exchanged between the user-agent and the server;
- How certificates are authenticated;
- Which symmetric encryption algorithm is used and what its secret key length is;
- How the integrity of the encrypted stream is assured.
There are choices to be made regarding each of these algorithms, and the choice isn't entirely up to you: browsers have a say in it. When an older browser requests a resource from the server, it may not know about the strongest, safest, or fastest methods available on the server, or about your requirements for them.
Conversely, the server may have been commissioned a while ago, when the more advanced ciphers used in today's browsers were not yet available. The match between what the browser can handle and what the server prefers to use is negotiated in the handshake portion of the TLS protocol.
In order to allow browsers and servers to communicate in this fluctuating system, both must employ multiple cipher suites.
Nomenclature
A cipher suite is named using abbreviations for the constituent algorithms it employs. The abbreviations of the currently allowable algorithms (for TLS 1.2) are:
- Key exchange algorithm
  ECDHE - Elliptic Curve Diffie-Hellman Ephemeral key exchange
  DHE - Diffie-Hellman Ephemeral key exchange
  RSA - Rivest–Shamir–Adleman key exchange †
- Certificate authentication algorithm
  ECDSA - Elliptic Curve Digital Signature Algorithm
  RSA - Rivest–Shamir–Adleman certificate authentication †
- Symmetric encryption algorithm
  AES256 - Advanced Encryption Standard with 256-bit keys
  AES192 - Advanced Encryption Standard with 192-bit keys
  AES128 - Advanced Encryption Standard with 128-bit keys
  AES-GCM - AES Galois/Counter Mode
  AES-CCM - AES Counter with CBC-MAC
  ChaCha20 - a.k.a. Salsa20
- HMAC integrity
  SHA384 - Secure Hashing Algorithm with 384-bit hash
  SHA256 - Secure Hashing Algorithm with 256-bit hash
  SHA - Secure Hashing Algorithm with 160-bit hash
Cipher suites that use the Diffie-Hellman Ephemeral key exchange protocol rely on a set of parameters that you must generate. You can do that using the openssl utility. For example, to create a 2048-bit parameter file use this command:
openssl dhparam -dsaparam -out /etc/rwserve/tls/diffie-hellman-2048.pem 2048
The -dsaparam option makes generation fast, but it produces DSA-style parameters rather than a safe prime. That is acceptable here only because the DHE key exchange derives a fresh key for every handshake; such parameters must never be used with a reused (static) Diffie-Hellman key.
Certificate Authentication Algorithm
There are two types of certificates that you can use: the older RSA type and the newer ECDSA type. The choice is made when you obtain the cert from the certificate authority.
The cipher suites labeled with ECDHE-ECDSA- can only be used with the newer type.
Assembling abbreviations into a cipher suite
The abbreviations enumerated above are the only ones suitable for use over HTTP/2 using TLS version 1.2.
Combining all of the different algorithms into every possible combination yields 108 possible cipher names (3 × 2 × 6 × 3). Fortunately, only some of these combinations make sense. They are:
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-CCM
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-CCM
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA †
- ECDHE-ECDSA-AES128-SHA †
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA †
- ECDHE-RSA-AES128-SHA †
- AES256-GCM-SHA384
- AES256-CCM
- AES128-GCM-SHA256
- AES128-CCM
- AES256-SHA256
- AES128-SHA256
- AES256-SHA †
- AES128-SHA †
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES256-CCM
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-CCM
- DHE-RSA-AES256-SHA256
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA †
- DHE-RSA-AES128-SHA †
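To make the naming scheme concrete, here is a small parser, added for this note and not part of rwserve or its documentation, that splits an OpenSSL cipher suite name into the four roles listed under Nomenclature and derives the facts an operator checks before adding a name to the ciphers section: whether the suite is an AEAD suite, whether its integrity check still relies on SHA-1, whether it needs an ECDSA certificate, and whether it needs a diffie-hellman parameter file. The token vocabulary is the one given above; the treatment of a missing key-exchange or authentication token as RSA follows the abbreviation list, and the DOCUMENTED_SUITES constant is the list immediately above this paragraph.

```python
# Added example, not part of rwserve or its documentation: decompose an OpenSSL
# cipher-suite name into the roles described under Nomenclature.
import re
from dataclasses import dataclass

KEY_EXCHANGE = {"ECDHE", "DHE"}       # no leading token means RSA key exchange
AUTHENTICATION = {"ECDSA", "RSA"}     # no token means RSA certificate authentication
CIPHER = re.compile(r"^(?:AES(?:128|192|256)|CHACHA20)$")
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
HASHES = {"SHA384", "SHA256", "SHA"}  # bare SHA is the 160-bit SHA-1


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    mode: str          # GCM, CCM, POLY1305 or CBC
    mac: str           # hash used for HMAC integrity, or "AEAD" when the mode provides it

    @property
    def is_aead(self) -> bool:
        return self.mac == "AEAD"

    @property
    def uses_sha1(self) -> bool:
        return self.mac == "SHA"

    @property
    def needs_dh_params(self) -> bool:
        return self.key_exchange == "DHE"


def parse_suite(name: str) -> Suite:
    """Split e.g. ECDHE-RSA-AES128-GCM-SHA256 into its algorithm roles.

    Raises ValueError for any token outside the TLS 1.2 vocabulary above."""
    parts = name.strip().upper().split("-")
    kx = parts.pop(0) if parts and parts[0] in KEY_EXCHANGE else "RSA"
    auth = parts.pop(0) if parts and parts[0] in AUTHENTICATION else "RSA"
    if not parts or not CIPHER.match(parts[0]):
        raise ValueError(f"{name}: unknown symmetric cipher")
    cipher = parts.pop(0)
    if parts and parts[0] in AEAD_MODES:
        mode, mac = parts.pop(0), "AEAD"
        if (mode == "POLY1305") != (cipher == "CHACHA20"):
            raise ValueError(f"{name}: POLY1305 pairs only with CHACHA20")
        # GCM names carry the handshake PRF hash as a trailing token; CCM names do not.
        if mode == "GCM" and parts and parts[0] in HASHES:
            parts.pop(0)
    elif parts and parts[0] in HASHES and cipher != "CHACHA20":
        mode, mac = "CBC", parts.pop(0)   # CBC mode with a separate HMAC
    else:
        raise ValueError(f"{name}: unknown mode or integrity algorithm")
    if parts:
        raise ValueError(f"{name}: unexpected trailing tokens {parts}")
    return Suite(name, kx, auth, cipher, mode, mac)


def summarize(names) -> dict:
    """Facts worth checking before committing a ciphers section."""
    suites = [parse_suite(n) for n in names]
    return {
        "count": len(suites),
        "aead": sum(s.is_aead for s in suites),
        "sha1": [s.name for s in suites if s.uses_sha1],
        "needs_dh_params": any(s.needs_dh_params for s in suites),
        "needs_ecdsa_cert": any(s.authentication == "ECDSA" for s in suites),
    }


# The 31 suites listed in this note (dagger marks dropped).
DOCUMENTED_SUITES = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384 AES256-CCM AES128-GCM-SHA256 AES128-CCM
AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA
""".split()

if __name__ == "__main__":
    print(summarize(DOCUMENTED_SUITES))
```

Running the summary over the documented list shows 17 AEAD suites, eight suites that still use SHA-1 for integrity, and that the list as a whole would require both an ECDSA certificate and a diffie-hellman parameter file; a server that carries only the ECDHE-RSA- suites needs neither.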
Configuration
The server can support many different ciphers, allowing it to be deployed in permissive and stringent security contexts. Configuring the server to use a custom set of cipher suites is optional.
The ciphers section is used to configure the server. It comprises a list of openssl cipher suite names, with one name per line, in top-to-bottom order of the server's preference. (Note that the browser has its own order of preference, which may override this.)
This section must be placed in the server section, not a host section.
If any of the cipher suites use the Diffie-Hellman Ephemeral key exchange algorithm (the cipher suites beginning with DHE-RSA-), you must also specify the location of a self-generated parameter file using a diffie-hellman entry. Be sure to surround the parameter file name with GRAVE-ACCENTS.
EBNF
SP                  ::= U+20
CR                  ::= U+0D
SOLIDUS             ::= U+2F
ASTERISK            ::= U+2A
FULL-STOP           ::= U+2E
GRAVE-ACCENT        ::= U+60
LEFT-CURLY-BRACKET  ::= U+7B
RIGHT-CURLY-BRACKET ::= U+7D
absolute-path       ::= GRAVE-ACCENT file-system-chars* GRAVE-ACCENT
diffie-hellman      ::= 'diffie-hellman' SP absolute-path CR
ciphers-section     ::= 'ciphers' SP LEFT-CURLY-BRACKET CR (openssl-cipher-name CR)* RIGHT-CURLY-BRACKET CR
server-section      ::= 'server' SP LEFT-CURLY-BRACKET CR diffie-hellman ciphers-section RIGHT-CURLY-BRACKET CR
† Legal file system characters (file-system-chars) vary by platform
Cookbook
Example 1: Elliptic Curve DHE using ECDSA
server {
    ip-address 8.16.32.64
    port 443
    cluster-size 2
    ciphers {
        ECDHE-ECDSA-AES256-GCM-SHA384
        ECDHE-ECDSA-CHACHA20-POLY1305
        ECDHE-ECDSA-AES256-CCM
        ECDHE-ECDSA-AES128-GCM-SHA256
        ECDHE-ECDSA-AES128-CCM
        ECDHE-ECDSA-AES128-SHA256
        ECDHE-ECDSA-AES256-SHA
        ECDHE-ECDSA-AES128-SHA
    }
}
Example 2: Elliptic Curve DHE using RSA
server {
    ip-address 8.16.32.64
    port 443
    cluster-size 2
    ciphers {
        ECDHE-RSA-AES256-GCM-SHA384
        ECDHE-RSA-CHACHA20-POLY1305
        ECDHE-RSA-AES128-GCM-SHA256
        ECDHE-RSA-AES128-SHA256
        ECDHE-RSA-AES256-SHA
        ECDHE-RSA-AES128-SHA
    }
}
Example 3: Advanced Encryption Standard
server {
    ip-address 8.16.32.64
    port 443
    cluster-size 2
    ciphers {
        AES256-GCM-SHA384
        AES256-CCM
        AES128-GCM-SHA256
        AES128-CCM
        AES256-SHA256
        AES128-SHA256
        AES256-SHA
        AES128-SHA
    }
}
Example 4: Diffie-Hellman Ephemeral
server {
    ip-address 8.16.32.64
    port 443
    cluster-size 2
    diffie-hellman `/etc/rwserve/tls/diffie-hellman-2048.pem`
    ciphers {
        DHE-RSA-AES256-GCM-SHA384
        DHE-RSA-CHACHA20-POLY1305
        DHE-RSA-AES256-CCM
        DHE-RSA-AES128-GCM-SHA256
        DHE-RSA-AES128-CCM
        DHE-RSA-AES256-SHA256
        DHE-RSA-AES128-SHA256
        DHE-RSA-AES256-SHA
        DHE-RSA-AES128-SHA
    }
}
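The rules spelled out under Configuration and in the EBNF (the ciphers section belongs directly inside server, never inside host; any DHE-RSA- suite requires a diffie-hellman entry; the parameter file name must be wrapped in grave accents) are easy to check before a restart. The lint pass below is an added example written for this note, not part of rwserve or its configuration loader. It assumes the brace-per-line layout used in the cookbook examples, treats any other entry in the server section as opaque, and uses a constructed regular expression for what an openssl cipher suite name looks like, which the EBNF leaves undefined. The sample configurations are constructed from Example 4 and its deliberately broken variants.

```python
# Added example, not part of rwserve: lint the ciphers configuration against the
# rules stated in this note. Assumes one section opener ("name {") or closer ("}")
# per line, as in the cookbook examples.
import re

DH_ENTRY = re.compile(r"^diffie-hellman\s+(.*)$")
# Assumption: openssl suite names are upper-case alphanumeric tokens joined by hyphens.
CIPHER_NAME = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)*$")


def lint_ciphers(config: str) -> list:
    """Return a list of problems; an empty list means the ciphers setup is consistent."""
    problems = []
    stack = []          # names of the enclosing sections, innermost last
    ciphers = []
    dh_seen = False
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            if name == "ciphers" and stack != ["server"]:
                where = "/".join(stack) or "top level"
                problems.append(f"line {lineno}: ciphers section must be inside server, not {where}")
            stack.append(name)
        elif line == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {lineno}: unexpected closing bracket")
        elif stack and stack[-1] == "ciphers":
            if CIPHER_NAME.match(line):
                ciphers.append(line)
            else:
                problems.append(f"line {lineno}: {line!r} is not an openssl cipher suite name")
        else:
            m = DH_ENTRY.match(line)
            if m and stack and stack[-1] == "server":
                dh_seen = True
                value = m.group(1).strip()
                if not (len(value) > 2 and value.startswith("`") and value.endswith("`")):
                    problems.append(f"line {lineno}: diffie-hellman path must be surrounded by grave accents")
    if stack:
        problems.append("unclosed section(s): " + ", ".join(stack))
    # ECDHE- names do not start with "DHE-", so only true DHE suites trigger this rule.
    dhe = [c for c in ciphers if c.startswith("DHE-")]
    if dhe and not dh_seen:
        problems.append(f"{len(dhe)} DHE-RSA suite(s) configured but no diffie-hellman entry in server")
    return problems


# Constructed sample configurations, modelled on cookbook Example 4.
GOOD = """\
server {
    ip-address 8.16.32.64
    port 443
    cluster-size 2
    diffie-hellman `/etc/rwserve/tls/diffie-hellman-2048.pem`
    ciphers {
        DHE-RSA-AES256-GCM-SHA384
        DHE-RSA-CHACHA20-POLY1305
        DHE-RSA-AES128-GCM-SHA256
    }
}
"""
MISSING_DH = "\n".join(l for l in GOOD.splitlines() if "diffie-hellman" not in l)
BARE_PATH = GOOD.replace("`", "")           # parameter file name without grave accents
IN_HOST = "host {\n    ciphers {\n        ECDHE-RSA-AES128-GCM-SHA256\n    }\n}\n"

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("missing dh", MISSING_DH),
                       ("bare path", BARE_PATH), ("in host", IN_HOST)):
        print(label, "->", lint_ciphers(cfg) or "ok")
```

The check deliberately ignores entries it does not understand (ip-address, port, cluster-size), so it can run over a full server section; it reports rather than rewrites, leaving the operator to decide between adding the diffie-hellman entry and dropping the DHE-RSA- suites.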
Review
Key points to remember:
- Cipher suites differ in strength, speed, and safety.
- The server's default set of cipher suites can be overridden in the configuration file.
- Use this feature when today's "best" cipher suites are discovered to have vulnerabilities.