I spent a couple of weeks trying to get different flavours of TLS to work with an LDAP server, as part of client certificate authentication. Although I knew something of the TLS handshake before I started, I now know much more. In this blog post I’ll try to explain some of the best practices which will make your life easier, and how to avoid some of the problems.
The short answer is use the following cipher specs.
GSK_V3_CIPHER_SPECS_EXPANDED=C02C,C02B,C030,C02,1301,1302,1303
Backgroup
There are different levels of TLS.
- TLS 1.3 is the latest, and supports a small subset of cipher specs. The TLS 1.3 handshake is more efficient than earlier versions (fewer network flows).
- TLS 1.2 is very popular, it supports a wide selection of cipher specs, some of which are considered weak.
- TLS 1.1 and TLS 1.0 are older versions of TLS, and should no longer be used.
- SSL – this is so old, you should move to TLS 1.2 or 1.3
Using ciphers names and numbers.
Programs like LDAP and GSKIT refer to 4 character numbers for certificates. In the description below, I give the numbers and the names of the cipher specs.
When using GSKIT you might specify the cipher specs with an environment variable GSK..=”C02BC02F”, to specify cipher specs C02B and C02F.
There is a good openssl command
openssl ciphers -v -V
openssl ciphers -v -V high
openssl ciphers -v -V -s -tls1_3
openssl ciphers -v -V -s -tls1_2
Which lists all of the cipher specs in decreasing strength order, along with some interpretation of the values, for example
0xC0,0x2B – ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
Shows
- 0xC0 0x2B is C02B
- ECDHE-ECDSA-AES128-GCM-SHA256 the description
- TLSv1.2 – this is applicable to TLS 1.2
- Kx – the key exchange is ECDH
- Au – the authentiation is ECDSA
- Enc – the encryption is AES -128 GCM
- Mac – the hashing value is AEAD.
openssl ciphers -v -V high gives the high strength values.
openssl ciphers -v -V -s -tls1_3 gives the TLS 1.3 cipher specs.
TLS 1.3
This is easy. The people who developed this selected only a few, strong cipher specs.
- 1301 TLS_AES_128_GCM_SHA256
- 1302 TLS_AES_256_GCM_SHA384
- 1303 TLS_CHACHA20_POLY1305_SHA256
TLS 1.3 uses Elliptic Curves as standard, for example Curve 25519 or secp256r1.
TLS 1.3 does not (currently) support the following
- 1304 TLS_AES_128_CCM_SHA256
- 1305 TLS_AES_128_CCM_8_SHA256.
TLS 1.2
There is a big list of supported cipher specs. The recommended list is a much smaller list.
The cipher spec name has several parts
- The handshake protocol
- The authentication(certificate) type
- The technique for symmetric encryption
- The technique for doing checksum, ( hash or MAC)
From my own investigation, and searching the internet, I have found the following guidance.
Authentication(Certificate) type
You can create certificates with certificate types of RSA or Digital Signature Algorithm(DSA), Elliptic Curve (and DSA).
I recommend having an Elliptic Curve (+DSA) certificate as the server certificate because it is stronger and better than the others.
This means using cipher specs like TLS_…_ECDSA_WITH….
Handshake prototols
- Diffie-Hellman is better than RSA.
- Use TLS_ECDH… over TLS_DH… (Diffie-Hellman using Elliptic Curve)
- Use TLS_ECDHE_ (Elliptic Curve Diffie-Hellman with Ephemeral) over TLS_ECDH_ (Elliptic Curve Diffie-Hellman; Ephemeral is better)
This means use cipher suites
- TLS_ECDHE_ECDSA_WITH_
- TLS_ECDH_ECDSA_WITH_
Symmetric encryption algorithms
This is the information after the WITH_
AES is better than DES or 3DES.
Use cipher suite
- TLS_…_…_WITH_AES_256_…_…
- TLS_…_…_WITH_AES_128_…_…
Block data encryption
GCM is better than CCM which is better than CBC. (For example GCM calculations can exploit multiple processor pipelines whereas CBC does not exploit multiple CPUs).
AEAD ciphers include GCM and ChaCha20-Poly1305(available in TLS 1.3).
SHA384 is stronger than SHA256 which is stronger than SHA. I saw some comments that SHA384 is better than SHA512 because of problems if a bad guy changes the size of the file when SHA512 is used.
- TLS_…_…_WITH_AES_256_GCM_SHA384
- TLS_…_…_WITH_AES_128_GCM_SHA256
List of cipher specs
Below are the cipher specs – sorted, good at the top. As a general rule, bigger numbers (C02C) are better than small numbers (0006).
The documentation usually lists the cipher specs in numerical order – which makes it hard to select the ones you need!
When you use these to specify cipher specs, put the strong ones at the front. This is because gskit takes the first acceptable cipher spec in the list, where you want the strongest acceptable cipher spec. If you have a weak cipher spec at the front of the list, you may use that over a more secure cipher spec. This was a major problem for me.
I found specifying the first four ( C02C,C02B,C030,C02f) and the TLS 1.3 (1301,1302,1303) worked well for me.
Elliptic Curve Diffie-Hellman Ephemeral, Elliptic Curve Certificate,
C02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
C023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Elliptic Curve Diffie-Hellman Ephemeral, RSA Certificate
C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
C027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Elliptic Curve Diffie-Hellman Ephemeral, Elliptic Curve Certificate,
C02E TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
C02D TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
C026 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
C025 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Elliptic Curve Diffie-Hellman Ephemeral, RSA Certificate,
C032 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
C031 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
C02A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
C029 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman Ephemeral, DSS Certificate,
00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
00A2 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
006A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
0040 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
0038 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0013 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
0012 TLS_DHE_DSS_WITH_DES_CBC_SHA
Diffie-Hellman Ephemeral, RSA Certificate
009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
009E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
006B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
0067 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0015 TLS_DHE_RSA_WITH_DES_CBC_SHA
Diffie-Hellman Ephemeral, DSS Certificate,
00A1 TLS_DH_RSA_WITH_AES_256_GCM_SHA384
00A4 TLS_DH_DSS_WITH_AES_128_GCM_SHA256
00A5 TLS_DH_DSS_WITH_AES_256_GCM_SHA384
00A0 TLS_DH_RSA_WITH_AES_128_GCM_SHA256
0068 TLS_DH_DSS_WITH_AES_256_CBC_SHA256
003E TLS_DH_DSS_WITH_AES_128_CBC_SHA256
0036 TLS_DH_DSS_WITH_AES_256_CBC_SHA
0030 TLS_DH_DSS_WITH_AES_128_CBC_SHA
000D TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
000C TLS_DH_DSS_WITH_DES_CBC_SHA
Diffie-Hellman Ephemeral, RSA Certificate,
0069 TLS_DH_RSA_WITH_AES_256_CBC_SHA256
003F TLS_DH_RSA_WITH_AES_128_CBC_SHA256
0037 TLS_DH_RSA_WITH_AES_256_CBC_SHA
0031 TLS_DH_RSA_WITH_AES_128_CBC_SHA
0010 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
000F TLS_DH_RSA_WITH_DES_CBC_SHA
RSA handshake RSA certificate
009D TLS_RSA_WITH_AES_256_GCM_SHA384
009C TLS_RSA_WITH_AES_128_GCM_SHA256
003D TLS_RSA_WITH_AES_256_CBC_SHA256
003C TLS_RSA_WITH_AES_128_CBC_SHA256
0035 TLS_RSA_WITH_AES_256_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
0009 TLS_RSA_WITH_DES_CBC_SHA
0006 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
ColinPaice 
2 thoughts on “Which cipher specs should I use?”