Which cipher suites are you using?

dutchbb

Well-known member
Default cPanel one is of no use with older browsers. Also enabled server preferred order and HSTS.


This one was already on, also for mail (no idea how it got there):
Code:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:
kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-DSS-AES128-SHA256:
DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128-SHA:
AES256-SHA:
AES:
CAMELLIA:
DES-CBC3-SHA:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!aECDH:
!EDH-DSS-DES-CBC3-SHA:
!EDH-RSA-DES-CBC3-SHA:
!KRB5-DES-CBC3-SHA


Then I installed this one recommended by SSL Labs, but some people couldn't connect (Windows 7 with Chrome 61 for example, strangely enough). For older browsers without Forward Secrecy it is of no use I think (DHE):
Code:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES128-SHA:
ECDHE-ECDSA-AES256-SHA:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES128-SHA:
ECDHE-RSA-AES256-SHA:
ECDHE-RSA-AES128-SHA256:
ECDHE-RSA-AES256-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-RSA-AES256-GCM-SHA384:
DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES256-SHA256


So I switched to the cPanel server cipher; that worked, but there are some unnecessary ciphers in it:
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
DHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA384:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA:
ECDHE-RSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA256:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128-SHA:
AES256-SHA:!DSS


Changed that to this one without DHE (RSA instead) and enabled for all browsers. Also IE8 on XP (yes, some people still use that), not recommended (weak cipher -> last one in list). It is the same as Google has. ECDSA is not activated on the server so it is not used, same for ChaCha20/Poly1305.
Code:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES128-SHA:
ECDHE-ECDSA-AES256-SHA:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-CHACHA20-POLY1305:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES128-SHA:
ECDHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA:
AES256-SHA:
DES-CBC3-SHA

Some things I use to check:
https://wiki.openssl.org/index.php/Manual:Ciphers(1) (for converting)
http://help.fortinet.com/fweb/554/Content/FortiWeb/fortiweb-admin/supported_cipher_suites.htm (tips, like how to enable ChaCha-Poly1305)
https://tls.imirhil.fr/ciphers (extra check)

And SSL Labs of course:
https://www.ssllabs.com/ssltest/index.html
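The post compares several cipher strings by eye (which entries lack forward secrecy, which one is the weak 3DES suite kept for IE8 on XP). The script below is an added example, not code from the post or from cPanel, that does the same check over a cipher string: it splits the string, skips the `!` exclusions, and classifies each named suite by forward secrecy (ECDHE/DHE/kEDH prefix), AEAD vs CBC, signature algorithm, and known-weak markers. The two cipher strings embedded as constants are copied from the post's SSL Labs list and final list; the classification rules are this example's own simplification of OpenSSL's naming scheme. Group aliases such as `AES`, `CAMELLIA` or `kEDH+AESGCM` cannot be classified by name alone, so an optional helper expands a string through the local OpenSSL via Python's `ssl` module (its output depends on the OpenSSL build you run it on).

```python
"""Classify the suites in an OpenSSL-style cipher string.

Added example for the cipher-suite discussion above; not code from the post.
The rules are a simplified reading of OpenSSL suite names, good enough to spot
non-forward-secret and legacy entries in a list like the ones in the post.
"""
import ssl

# Prefixes that denote an ephemeral key exchange, i.e. forward secrecy.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "kEDH")

# Substrings that mark a suite as legacy/weak by current standards.
WEAK_MARKERS = ("DES-CBC3", "DES-CBC-", "RC4", "MD5", "NULL", "EXPORT")

# Cipher strings copied from the post (SSL Labs recommendation and final list).
SSL_LABS_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
)
FINAL_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
)


def split_cipher_string(cipher_string):
    """Return the positive entries of a cipher string.

    '!' entries remove suites rather than add them, so they are skipped; empty
    parts (trailing ':' etc.) are dropped.
    """
    return [c for c in cipher_string.split(":") if c and not c.startswith("!")]


def classify(suite):
    """Describe one suite name such as 'ECDHE-RSA-AES128-GCM-SHA256'."""
    if suite.startswith("ECDHE-ECDSA"):
        auth = "ECDSA"
    elif suite.startswith(("DHE-DSS", "EDH-DSS")):
        auth = "DSS"
    else:
        auth = "RSA"  # plain 'AES128-SHA' style names are RSA key transport
    return {
        "name": suite,
        "forward_secret": suite.startswith(FORWARD_SECRET_PREFIXES),
        "aead": "GCM" in suite or "CHACHA20" in suite,
        "weak": any(marker in suite for marker in WEAK_MARKERS),
        "auth": auth,
    }


def report(cipher_string):
    """Summarise a cipher string: counts plus the entries a reviewer would flag."""
    rows = [classify(s) for s in split_cipher_string(cipher_string)]
    return {
        "total": len(rows),
        "no_forward_secrecy": [r["name"] for r in rows if not r["forward_secret"]],
        "weak": [r["name"] for r in rows if r["weak"]],
        "aead": sum(1 for r in rows if r["aead"]),
        "cbc": sum(1 for r in rows if not r["aead"]),
    }


def expand_with_openssl(cipher_string):
    """Expand aliases (AES, CAMELLIA, kEDH+AESGCM, ...) using the local OpenSSL.

    Returns the ordered suite names OpenSSL would actually offer, or None if the
    linked OpenSSL accepts none of the entries. TLS 1.3 suites may be included
    on newer builds because they are not governed by this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, value in (("SSL Labs list", SSL_LABS_LIST), ("final list", FINAL_LIST)):
        print(label, report(value))
    print("expanded by local OpenSSL:", expand_with_openssl(FINAL_LIST))
```

Running it on the final list shows exactly what the post describes: the only weak entry is `DES-CBC3-SHA` at the end, and the plain `AES*` suites are the ones that give up forward secrecy for old clients; the SSL Labs list has no such entries, which is why it was stricter with older browsers.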