Secure Cipher to use in SSL profiles

From Tech-Wiki
Revision as of 15:00, 21 February 2019 by Fabricio.Lima (Talk | contribs)

Jump to: navigation, search

Back to Misc

To list ciphers use the following command

# tmm --clientciphers DEFAULT:\!SSLv3

A good cipher removing SSLv3 and weak protocols is:

DEFAULT:!TLSv1_1:!TLSv1:!DTLSv1:!SHA

Another strict/stronger option can be the one below:

ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA

then only the ones below are allowed:

      ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES      SHA384  ECDHE_ECDSA
2: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
3: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES      SHA256  ECDHE_ECDSA
4: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
5: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
6: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
7: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES      SHA256  ECDHE_RSA