Selecting A Good TLS Cipher Group

elenasarim · June 7, 2017, 3:41pm

This is general type question. I was wondering if Let’s encrypt uses the latest TLS version (1.2). If yes, is there a way I can choose the protocol version (even SSL 3.0) ? I need to demonstrate the use of older TLS protocol for my website.

Thank you

danb35 · June 7, 2017, 5:28pm

Let’s Encrypt issues a certificate. Whether you use SSL 2.0, TLS 1.2, or anything in between is completely up to you and how you configure your web server.

rg305 · June 8, 2017, 4:37am

The latest version of TLS is actually 1.3; but "yes", LE can provide signing for certs that will work with all versions.
Your server configuration file(s) will determine which protocols and ciphers - you get to choose.
You could use SNI to host multiple sites; each with different protocols/ciphers - all from the same IP.

schoen · June 8, 2017, 8:20pm

That’s a bit of a subtle issue; TLS 1.3 hasn’t yet been finalized or adopted by the IETF. The draft is far enough along that there are working implementations, but it’s also not meant to be used in the wild yet.

elenasarim · June 11, 2017, 10:25pm

Thank you. So, the tls protocol used can only been choosed in the server side. RIght?

rg305 · June 12, 2017, 12:02am

That is correct.
The server decides what it will or won’t do.

ahaw021 · June 12, 2017, 7:32am

hi @elenasarim

SSL Handshake:

This is actually a good question. The first thing to review is the TLS/SSL handshake. F5 does a good job of explaining it:

https://support.f5.com/csp/article/K15292

Essentially there are two key components:

The client sends a list of ciphers it supports
The server chooses the cipher from a list of ciphers that the client supports
If the client does not present a cipher that the server supports the connection is closed

Good TLS Configurations and Testing

To configure good practices TLS with strong cipher suites its useful to use a tool like Mozilla’s TLS Server configurator.

https://wiki.mozilla.org/Security/Server_Side_TLS

It will give you a strong, moderate or backwards compatible configurations

You can test your configuraiton using a tool like SSLLABS

https://www.ssllabs.com/

In terms of what ciphers you should use:

This is not a one size fits all

A) Do you need to comply with standards such as PCI-DSS, HIPPA, NIST, etc (in that case you are not allowed to use certain ciphers)

B) What kind of clients does your web server support. You may find that having the highest level of Cipher Suites means your website becomes unusable to some users.

Hope this helps you a bit but generally using a tool like moziall with Moderate settings is a good balancing point between secure and supporting wide range of clients

Andrei

system · July 12, 2017, 7:32am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.