Ping a Specific Port

Question

Jeroen Wiert Pluimers

Asked: 2015-07-13 07:51:49 +0800 CST2015-07-13 07:51:49 +0800 CST 2015-07-13 07:51:49 +0800 CST

Hardening web server cyphers: which cypher list to choose, or how to map between Mozilla and Hynek

772

Until now I was only aware of Hynek Schlawack's blog post on hardening web server cyphers having a relatively short list of cyphers.

But recently I found How to fix 'logjam' vulnerability in Apache (httpd) which pointing to the much longer intermediate list from Mozilla Security: Server Side TLS.

The lists are quite different, so I wonder how to map between the two.

I split both so there one cypher per line making spotting differences easier:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

ECDH+AESGCM
DH+AESGCM
ECDH+AES256
DH+AES256
ECDH+AES128
DH+AES
ECDH+3DES
DH+3DES
RSA+AESGCM

https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA
DES-CBC3-SHA
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!aECDH
!EDH-DSS-DES-CBC3-SHA
!EDH-RSA-DES-CBC3-SHA
!KRB5-DES-CBC3-SHA

1 Answers

Voted

Steffen Ullrich · Answer 1 · 2015-07-13T08:52:44+08:00

Best Answer

Steffen Ullrich

2015-07-13T08:52:44+08:002015-07-13T08:52:44+08:00

If you put both of these specifications into openssl ciphers -V and compare you will find that:

25 ciphers are contained in both sets.
The set from Mozilla contains 6 SRP (secure remote password) ciphers which are not supported by the browsers. It also contains 7 ciphers using CAMELIA. I don't know which browser supports these ciphers but according to SSLLabs none of the major desktop browsers offers it. The rest are DSS ciphers which you only need if you have a certificate using a DSA key. Usually certificates use RSA and sometimes ECDSA.
The set from Hynek includes instead some more RSA and ECDSA ciphers.

In my opinion the set from Hynek makes more sense, especially since the ciphers only in the set from Mozilla are usually not supported by either the browser or the servers certificate anyway.

2

Hardening web server cyphers: which cypher list to choose, or how to map between Mozilla and Hynek

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?