TLS SSL protocols and cipher suites
Few things to note about Protocols:
- There are 5 common protocols: SSLv2, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2
- SSLv2, SSLv3, and TLSv1.0 have known security issues. In fact, SSLv2 and v3 should not be used anymore.
- The lesser protocols you enable, the lesser devices could connect. You need to find a balance between them. TLSv1.0 support could be dropped if you are only providing services to modern devices/browsers.
- Mozilla SSL Configurator has some suggestion on which protocols and cipher suites to be enabled.
Few things to note about Cipher Suites:
- Each protocol has a range of supported cipher suites on their own. The exception is TLSv1.1 does not have specific cipher suites and could use all those supported by TLSv1.0.
- The client and server need to support a common cipher suite in order to successfully establish the connection. Note that server could suggest a list of common cipher suites but it is usually the client that decides which one is used.
- If you enable a certain protocol but didn't support any supported cipher suites, no client could connect to your server using that protocol.
- A list of supported cipher suites for each protocol can be found on the OpenSSL website.
Other related topics on TLS SSL:
- https://calvin.my/posts/using-custom-dh-param-in-nginx
- https://calvin.my/posts/enabling-hsts-in-nginx
- For testing your configuration and check the list of clients supported, please use the SSL Lab Test tool.
AI Summary
Chrome On-device AI
2024-09-19 18:21:14
Share Article