
Which cipher suites are you using?

dutchbb

Well-known member
#1
Default cPanel one is of no use with older browsers. Also enabled server preferred order and HSTS.


This one was already on, also for mail (no idea how it got there):
Code:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:
kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-DSS-AES128-SHA256:
DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128-SHA:
AES256-SHA:
AES:
CAMELLIA:
DES-CBC3-SHA:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!aECDH:
!EDH-DSS-DES-CBC3-SHA:
!EDH-RSA-DES-CBC3-SHA:
!KRB5-DES-CBC3-SHA

Then I installed this one recommended by SSL Labs, but some people couldn't connect (Windows 7 with Chrome 61 for example, strangely enough). For older browsers without Forward Secrecy it's of no use I think (DHE):
Code:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES128-SHA:
ECDHE-ECDSA-AES256-SHA:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES128-SHA:
ECDHE-RSA-AES256-SHA:
ECDHE-RSA-AES128-SHA256:
ECDHE-RSA-AES256-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-RSA-AES256-GCM-SHA384:
DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES256-SHA256

So I switched to the cPanel server cipher; that worked, but it has some unnecessary ciphers in it:
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA384:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA:
ECDHE-RSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA256:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128-SHA:
AES256-SHA:!DSS

Changed that to this one without DHE (RSA instead) and enabled for all browsers. Also IE8 on XP (yes, some people still use that), not recommended (weak cipher -> last one in list). It is the same as Google has. ECDSA is not activated on the server so not used, same for ChaCha20/Poly1305.
Code:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES128-SHA:
ECDHE-ECDSA-AES256-SHA:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-CHACHA20-POLY1305:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES128-SHA:
ECDHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA:
AES256-SHA:
DES-CBC3-SHA

Some things I use to check:
https://wiki.openssl.org/index.php/Manual:Ciphers(1) (for converting)
http://help.fortinet.com/fweb/554/Content/FortiWeb/fortiweb-admin/supported_cipher_suites.htm (tips, like how to enable ChaCha-Poly1305)
https://tls.imirhil.fr/ciphers (extra check)

And SSL Labs of course:
https://www.ssllabs.com/ssltest/index.html
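Added example (my own code, not from the post above or from cPanel): a small Python model of how the final cipher string in the post is applied, with server-preferred order and with ECDSA suites skipped because no ECDSA certificate is installed, plus a check that lists the suites a scanner would flag (no forward secrecy, or 3DES). The client offers are constructed samples, not captures from real browsers.

```python
# Added example, not part of the original post. Models OpenSSL cipher-string
# negotiation with server-preferred order; the client lists are constructed.

# Server string: the last cipher list from the post (OpenSSL cipher-list syntax).
SERVER_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
)

def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into an ordered list; '!' entries are
    exclusions (they remove suites rather than add them), so drop them."""
    return [c.strip() for c in spec.split(":") if c.strip() and not c.startswith("!")]

def has_forward_secrecy(suite):
    # Ephemeral (EC)DH key exchange is signalled by the ECDHE-/DHE- prefix.
    return suite.startswith(("ECDHE-", "DHE-"))

def negotiate(server_spec, client_offer, server_preference=True, cert_types=("RSA",)):
    """Return the selected suite, or None when there is no overlap.
    cert_types are the certificate key types installed; the post notes ECDSA is
    not activated, so ECDHE-ECDSA-* suites can never be chosen."""
    usable = [s for s in parse_cipher_string(server_spec)
              if not (s.startswith("ECDHE-ECDSA") and "ECDSA" not in cert_types)]
    # Server-preferred order walks the server list; otherwise the client's order wins.
    chooser, other = (usable, set(client_offer)) if server_preference else (client_offer, set(usable))
    for s in chooser:
        if s in other:
            return s
    return None

def weak_suites(server_spec):
    """Suites a scanner like SSL Labs would flag: no forward secrecy, or 3DES."""
    return [s for s in parse_cipher_string(server_spec)
            if not has_forward_secrecy(s) or "DES-CBC3" in s]

# Constructed client offers (assumptions, not real browser captures).
MODERN_CLIENT = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
LEGACY_CLIENT = ["AES128-SHA", "DES-CBC3-SHA"]   # RSA key exchange, CBC only
THREEDES_ONLY = ["DES-CBC3-SHA"]                  # the IE8/XP-style case from the post

if __name__ == "__main__":
    print(negotiate(SERVER_CIPHERS, MODERN_CLIENT))                          # server order wins
    print(negotiate(SERVER_CIPHERS, MODERN_CLIENT, server_preference=False))  # client order wins
    print(negotiate(SERVER_CIPHERS, THREEDES_ONLY))                          # only the last entry matches
    print(weak_suites(SERVER_CIPHERS))
```

Running it shows why the 3DES entry belongs at the very end: with server-preferred order it is only selected when the client offers nothing better.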