Back in 2016 I documented how to get an A+ TLS score.
With minor changes this still works.
But times have changed. In particular older versions of TLS aren’t good; at a very least you must support nothing less than TLS1.2.
Consequences of limiting to TLS 1.2 or better
If you set your server to deny anything less than TLS 1.2 then sites like SSLlab tell us that older clients can no longer connect.
Android 2.3.7 Android 4.0.4, 4.1.1, 4.2.2, 4.3 Baidu Jan 2015 IE 6 / XP IE 7 / Vista IE 8 / XP IE 8-10 / Win 7 IE 10 / Win Phone 8.0 Java 6u45, 7u25 OpenSSL 0.9.8y Safari 5.1.9 / OS X 10.6.8 Safari 6.0.4 / OS X 10.8.4
Now these are very old. We know that Win7 is still popular, so should we worry? Not so much; IE 11 on Win7 can support TLS1.2.
So I think it’s reasonable to disable anything lower.
We also see that SSLlabs flag CBC ciphers as weak. Now this is debatable. CBC isn’t necessarily weak. But it’s historically had a lot of bad implementations, leading to variations of POODLE attacks (amongst others). It’s kinda expected that there will be yet another variation of POODLE on CBC. So SSLlabs flag these ciphers as weak, as an encouragement to move people off and onto stronger ciphers.
Unfortunately, it turns out there aren’t that many! At least not if you’re using RSA certs (which most people do).
In Apache/OpenSSL terms these ciphers are pretty much the only good ones:
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
Yes, that’s it. 4 of them.
If you run this through SSLlabs then it’ll be strong, but a number of clients won’t be able to connect.
IE 11 / Win Phone 8.1 Safari 6 / iOS 6.0.1 Safari 7 / iOS 7.1 Safari 7 / OS X 10.9 Safari 8 / iOS 8.4 Safari 8 / OS X 10.10
(Notice IE11/Win7 isn’t on that list; it’ll happily do secure ciphers).
You need to decide if you want to support these older clients. If you do then these two CBC ciphers will make everything work:
Yes, these get flagged as weak, but now every client that supports TLS1.2 should work.
In an enterprise environment the client rarely talks directly to the server, especially not over the internet. There may be load balancers or WAFs in the path and these may be the ones that terminate the TLS connection. So their configuration is important.
In particular, F5’s BigIP servers can only do DH key exchange on 1024 bit keys. Which is considered weak. 2048bit is the minimum. Their rationale is that 2048bit keys require 5 times the computation than 1024bit keys. Which makes me wonder if the “big” in “BigIP” is now valid!
This is a problem. We have to choose between weak key sizes or potentially weak ciphers. In this scenario I recommend enabling CBC mode and ensuring you’re always on top of all patches; if a new POODLE variant is discovered, patch ASAP!
For my CentOS 7 Apache servers I now have the following configuration:
SSLProtocol TLSv1.2 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
SSLlabs tells me this results in:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits FS 128 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
All the ciphers have forward secrecy, all are at least 128bit in strength, and all the clients that support TLS1.2 will connect.
Note the DH key is 4096bits in size. Why can’t BigIP support that?!