I spent a couple of weeks trying to get different flavours of TLS to work with an LDAP server, as part of client certificate authentication. Although I knew something of the TLS handshake before I started, I now know much more. In this blog post I’ll try to explain some of the best practices which will make your life easier, and how to avoid some of the problems.

The short answer is use the following cipher specs.

GSK_V3_CIPHER_SPECS_EXPANDED=C02C,C02B,C030,C02F,1301,1302,1303

#### Background

There are different levels of TLS.

- TLS 1.3 is the latest, and supports a small subset of cipher specs. The TLS 1.3 handshake is more efficient than earlier versions (fewer network flows).
- TLS 1.2 is very popular; it supports a wide selection of cipher specs, some of which are considered weak.
- TLS 1.1 and TLS 1.0 are older versions of TLS, and should no longer be used.
- SSL – this is so old, you should move to TLS 1.2 or 1.3

#### Using cipher names and numbers

Programs like LDAP and GSKIT refer to cipher specs by 4-character hexadecimal numbers. In the description below, I give the numbers and the names of the cipher specs.

When using GSKIT you might specify the cipher specs with an environment variable GSK..=”C02BC02F”, to specify cipher specs C02B and C02F.

There is a good openssl command

openssl ciphers -v -V

openssl ciphers -v -V HIGH

openssl ciphers -v -V -s -tls1_3

openssl ciphers -v -V -s -tls1_2

These list the cipher specs in decreasing order of strength, along with some interpretation of the values, for example

0xC0,0x2B – ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD

Shows

- 0xC0 0x2B is C02B
- ECDHE-ECDSA-AES128-GCM-SHA256 the description
- TLSv1.2 – this is applicable to TLS 1.2
- Kx – the key exchange is ECDH
- Au – the authentication is ECDSA
- Enc – the encryption is AES-128 GCM
- Mac – the hashing value is AEAD.

*openssl ciphers -v -V HIGH* gives the high strength values.

*openssl ciphers -v -V -s -tls1_3* gives the TLS 1.3 cipher specs.
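The listing format described above can be turned into the 4-character codes that GSKIT expects. This is an added example, not code from the original post; the sample lines are constructed in the `openssl ciphers -V` layout, and the function names `parse_line`, `parse_listing` and `aead_codes` are hypothetical.

```python
import re

# Constructed sample in the layout printed by `openssl ciphers -V`; the third
# line is the one quoted on this page, typographic dash included.
SAMPLE = """\
  0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
  0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
  0xC0,0x2B – ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
  0xC0,0x13 - ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
  this line is not a cipher spec and is skipped
"""

# Two hex bytes, a dash (ASCII or en dash), the name, the protocol, then key=value fields.
LINE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+[-\u2013]\s+(\S+)\s+(\S+)\s+(.*)$"
)


def parse_line(line):
    """Return a dict for one listing line, or None if it is not a cipher spec."""
    m = LINE.match(line)
    if not m:
        return None
    hi, lo, name, protocol, rest = m.groups()
    spec = {"code": (hi + lo).upper(), "name": name, "protocol": protocol}
    for field in rest.split():
        key, sep, value = field.partition("=")
        if sep:  # keep only Kx=..., Au=..., Enc=..., Mac=...
            spec[key] = value
    return spec


def parse_listing(text):
    """Parse every cipher spec line, keeping the order openssl printed."""
    return [s for s in map(parse_line, text.splitlines()) if s]


def aead_codes(text):
    """4-character codes of the specs whose Mac field is AEAD, in listing order."""
    return [s["code"] for s in parse_listing(text) if s.get("Mac") == "AEAD"]


if __name__ == "__main__":
    for s in parse_listing(SAMPLE):
        print(s["code"], s["name"], s["protocol"], s.get("Enc"), s.get("Mac"))
    print("AEAD only:", ",".join(aead_codes(SAMPLE)))
```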

### TLS 1.3

This is easy. The people who developed this selected only a few, strong cipher specs.

- 1301 TLS_AES_128_GCM_SHA256
- 1302 TLS_AES_256_GCM_SHA384
- 1303 TLS_CHACHA20_POLY1305_SHA256

TLS 1.3 uses Elliptic Curves as standard, for example Curve 25519 or secp256r1.

TLS 1.3 does not (currently) support the following

- 1304 TLS_AES_128_CCM_SHA256
- 1305 TLS_AES_128_CCM_8_SHA256.

### TLS 1.2

There is a big list of supported cipher specs. The recommended list is a much smaller list.

The cipher spec name has several parts

- The handshake protocol
- The authentication (certificate) type
- The technique for symmetric encryption
- The technique for doing the checksum (hash or MAC)

From my own investigation, and searching the internet, I have found the following guidance.

#### Authentication (Certificate) type

You can create certificates with certificate types of RSA or Digital Signature Algorithm (DSA), Elliptic Curve (and DSA).

I recommend having an Elliptic Curve (+DSA) certificate as the server certificate because it is stronger and better than the others.

This means using cipher specs like TLS_…_ECDSA_WITH….

#### Handshake protocols

- Diffie-Hellman is better than RSA.
- Use TLS_ECDH… over TLS_DH… (Diffie-Hellman using Elliptic Curve)
- Use TLS_ECDH**E**_ (Elliptic Curve Diffie-Hellman with Ephemeral) over TLS_ECDH_ (Elliptic Curve Diffie-Hellman; Ephemeral is better)

This means use cipher suites

- **TLS_ECDHE_ECDSA_WITH_**
- TLS_ECDH_ECDSA_WITH_

#### Symmetric encryption algorithms

This is the information after the WITH_

AES is better than DES or 3DES.

Use cipher suite

- TLS_…_…_WITH_AES_256_…_…
- TLS_…_…_WITH_AES_128_…_…

#### Block data encryption

GCM is better than CCM which is better than CBC. (For example GCM calculations can exploit multiple processor pipelines whereas CBC does not exploit multiple CPUs).

AEAD ciphers include GCM and ChaCha20-Poly1305 (available in TLS 1.3).

SHA384 is stronger than SHA256 which is stronger than SHA. I saw some comments that SHA384 is better than SHA512 because of problems if a bad guy changes the size of the file when SHA512 is used.

- TLS_…_…_WITH_AES_256_GCM_SHA384
- TLS_…_…_WITH_AES_128_GCM_SHA256

### List of cipher specs

Below are the cipher specs – sorted, good at the top. As a general rule, bigger numbers (C02C) are better than small numbers (0006).

The documentation usually lists the cipher specs in numerical order – which makes it hard to select the ones you need!

When you use these to specify cipher specs, put the strong ones at the front. This is because gskit takes the first acceptable cipher spec in the list, whereas you want the strongest acceptable cipher spec. If you have a weak cipher spec at the front of the list, it may be used instead of a more secure cipher spec. This was a major problem for me.

I found specifying the first four (C02C,C02B,C030,C02F) and the TLS 1.3 (1301,1302,1303) worked well for me.
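An added example (not from the original post or from GSKit): it orders a subset of the cipher specs listed on this page by the guidance above and models the first-acceptable-wins selection described for gskit. The ranking tables and the names `SPECS`, `strength_key`, `strongest_first` and `first_acceptable` are assumptions made for illustration.

```python
SPECS = {  # code -> name, a subset copied from the lists on this page
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C024": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "C02E": "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02B": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "C02C": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Assumed ranking tables, best first, encoding the guidance in this post.
KX = ["ECDHE", "ECDH", "DHE", "DH", "RSA"]
MODE = ["GCM", "CBC"]
AU = ["ECDSA", "RSA", "DSS"]
MAC = ["SHA384", "SHA256", "SHA"]
ENC = ["AES_256", "AES_128", "3DES_EDE", "DES"]


def parts(name):
    """Split TLS_<kx>_<au>_WITH_<enc>_<mode>_<mac> (EXPORT names not handled)."""
    left, right = name[len("TLS_"):].split("_WITH_")
    kx, _, au = left.partition("_")
    au = au or kx  # TLS_RSA_WITH_...: RSA is both handshake and certificate
    body, _, mac = right.rpartition("_")
    enc, _, mode = body.rpartition("_")
    return kx, au, enc, mode, mac


def strength_key(code):
    kx, au, enc, mode, mac = parts(SPECS[code])
    return (KX.index(kx), MODE.index(mode), AU.index(au),
            MAC.index(mac), ENC.index(enc))


def strongest_first(codes):
    return sorted(codes, key=strength_key)


def first_acceptable(ordered, peer_accepts):
    """Model of the selection described above: the first match in the list wins."""
    return next((c for c in ordered if c in peer_accepts), None)


if __name__ == "__main__":
    peer = {"002F", "C02C"}  # constructed: what the other side accepts
    print(first_acceptable(["002F", "C02C"], peer))                   # weak spec listed first
    print(first_acceptable(strongest_first(["002F", "C02C"]), peer))  # after reordering
    print(",".join(strongest_first(SPECS)))
```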

#### Elliptic Curve Diffie-Hellman Ephemeral, Elliptic Curve Certificate,

C02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

C030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

C023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

#### Elliptic Curve Diffie-Hellman Ephemeral, RSA Certificate

C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

C027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

#### Elliptic Curve Diffie-Hellman ~~Ephemeral~~, Elliptic Curve Certificate,

C02E TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

C02D TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

C026 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

C025 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

#### Elliptic Curve Diffie-Hellman ~~Ephemeral~~, RSA Certificate,

C032 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

C031 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

C02A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

C029 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

#### Diffie-Hellman Ephemeral, DSS Certificate,

00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

00A2 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

006A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

0040 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

0038 TLS_DHE_DSS_WITH_AES_256_CBC_SHA

0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA

0013 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

0012 TLS_DHE_DSS_WITH_DES_CBC_SHA

#### Diffie-Hellman Ephemeral, RSA Certificate

009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

009E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

006B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

0067 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA

0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

0015 TLS_DHE_RSA_WITH_DES_CBC_SHA

#### Diffie-Hellman ~~Ephemeral~~, DSS Certificate,

00A1 TLS_DH_RSA_WITH_AES_256_GCM_SHA384

00A4 TLS_DH_DSS_WITH_AES_128_GCM_SHA256

00A5 TLS_DH_DSS_WITH_AES_256_GCM_SHA384

00A0 TLS_DH_RSA_WITH_AES_128_GCM_SHA256

0068 TLS_DH_DSS_WITH_AES_256_CBC_SHA256

003E TLS_DH_DSS_WITH_AES_128_CBC_SHA256

0036 TLS_DH_DSS_WITH_AES_256_CBC_SHA

0030 TLS_DH_DSS_WITH_AES_128_CBC_SHA

000D TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA

000C TLS_DH_DSS_WITH_DES_CBC_SHA

#### Diffie-Hellman ~~Ephemeral~~, RSA Certificate,

0069 TLS_DH_RSA_WITH_AES_256_CBC_SHA256

003F TLS_DH_RSA_WITH_AES_128_CBC_SHA256

0037 TLS_DH_RSA_WITH_AES_256_CBC_SHA

0031 TLS_DH_RSA_WITH_AES_128_CBC_SHA

0010 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA

000F TLS_DH_RSA_WITH_DES_CBC_SHA

#### RSA handshake RSA certificate

009D TLS_RSA_WITH_AES_256_GCM_SHA384

009C TLS_RSA_WITH_AES_128_GCM_SHA256

003D TLS_RSA_WITH_AES_256_CBC_SHA256

003C TLS_RSA_WITH_AES_128_CBC_SHA256

0035 TLS_RSA_WITH_AES_256_CBC_SHA

002F TLS_RSA_WITH_AES_128_CBC_SHA

000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

0009 TLS_RSA_WITH_DES_CBC_SHA

0006 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
