Tuning your ciphers

Assuming OpenSSL 1.1.1

It’s now time to tune your ciphers isn’t it?

/usr/local/bin/openssl version
/usr/local/bin/openssl ciphers -V TLSv1.2 > ciphers.tls12

What’s not weak for an RSA key as of Nov 2019 @ssllabs

cat > ciphers.notweak <<-EOF
0xc02f
0xc060
0xc030
0xc061
0xcca8
EOF

Concat with what’s not weak for a prime256v1 curve (another cert based on ECC)

cat >> ciphers.notweak <<-EOF
0xc02b
0xc05c
0xc0ac
0xc0ae
0xc02c
0xc05d
0xc0ad
0xc0af
0xcca9
EOF

Check that you’ve got one match for every one of those

for hex in `cat ciphers.notweak`; do
    fix=`echo $hex | sed -r 's/0x(..)(..)/0x\1,0x\2/'`
    echo -n $hex --\>
    grep -i $fix ciphers.tls12
done; unset cipher

And prepare the string for e.g. Stunnel

for hex in `cat ciphers.notweak`; do
    fix=`echo $hex | sed -r 's/0x(..)(..)/0x\1,0x\2/'`
    echo -n `grep -i $fix ciphers.tls12 | awk '{print $3}'`:
done; unset cipher; echo ''

Alternative Methods

Selecting ciphers by mode of operation (avoiding NULL & CBC)

openssl ciphers -v TLSv1.2 | grep -v TLSv1.3 | egrep 'POLY|GCM|CCM'
openssl ciphers -v TLSv1.2 | grep -v TLSv1.3 | egrep 'POLY|GCM|CCM' | awk '{print $1}' > stunnel.conf.ciphers
for cipher in `cat stunnel.conf.ciphers`; do echo -n $cipher:; done; unset cipher; echo ''

Mapping Cipher Names (OpenSSL vs IANA)

Pasting cipher names from IANA

cat > ciphers.iana <<EOF
...
EOF

Curves

See Let’s get a curve!

Resources

openssl-ciphers, ciphers - SSL cipher display and cipher list tool https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

Cipher suite https://en.wikipedia.org/wiki/Cipher_suite

SSL and TLS Deployment Best Practices https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites

Transport Layer Security (TLS) Parameters https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

TLS Cipher String ยท OWASP Cheat Sheet Series https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html

Mapping OpenSSL Cipher Suite Names to Official Names and RFCs https://www.woolie.co.uk/article/mapping-openssl-ciphers-to-iana-cipher-suite-registy/

A list of recommended cipher suites for TLS 1.2 https://www.peerlyst.com/posts/a-list-of-recommended-cipher-suites-for-tls-1-2-guurhart

hardening

SSL Labs Grading Update: Forward Secrecy, Authenticated Encryption and ROBOT https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update

14.4. stunnel https://bettercrypto.org/#_stunnel

Cipherli.st Strong Ciphers for Apache, nginx and Lighttpd https://cipherli.st/

[stunnel-users] STUNNEL — How to chose the AES cipher with TLS v1.2 https://www.stunnel.org/pipermail/stunnel-users/2013-February/004112.html

Cipher Security: How to harden TLS and SSH https://www.linuxjournal.com/content/cipher-security-how-harden-tls-and-ssh

ciphers https://www.openssl.org/docs/manmaster/man1/ciphers.html

Security/Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS

Recommendations for TLS/SSL Cipher Hardening https://securityboulevard.com/2018/04/recommendations-for-tls-ssl-cipher-hardening/

Recommendations: SSL/TLS Protocols and Cipher Suites https://grok.lsu.edu/Article.aspx?articleid=17596

Recommendations for TLS/SSL Cipher Hardening https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml