Webserver cipher hardening links
Posted by jpluimers on 2016/08/26
There are quite a few pages on webserver cipher hardening. This is yet another one, born because I didn’t know how to compare these lists or why they were so different.
Apparently, OpenSSL has various ways of naming (groups of) ciphers. OpenSSL also disregards any ciphers it doesn’t have.
Basically there are two far ends for cipher lists:
- Fully name all ciphers and their order: a long list with fine-grained control.
- Name groups, including group order, and let OpenSSL expand the groups: a short list but coarse-grained control.
A way to compare them using openssl ciphers -V is given in the answer at ssl – Hardening web server cyphers: which cypher list to choose, or how to map between Mozilla and Hynek – Server Fault.
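The comparison described above, as an added example (not code from the original post or the linked answer): it takes the openssl ciphers -V expansion of two cipher strings and reports which ciphers only one of them enables and where the preference order of the shared ciphers first diverges. The function names and the sample -V lines are constructed for illustration; with two arguments the script expands real cipher strings using the local openssl binary.

```shell
#!/bin/sh
# Added example (not from the original post): diff two OpenSSL cipher strings
# by what they expand to. Usage: sh cmpciphers.sh 'STRING_A' 'STRING_B'

# Cipher names, in preference order, from `openssl ciphers -V` output on stdin.
# Each line looks like: 0xC0,0x2F - NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
names() { awk '$2 == "-" { print $3 }'; }

# only_in A B: names in file A that file B lacks, in A's order.
only_in() { awk 'FILENAME == ARGV[1] { seen[$0]; next } !($0 in seen)' "$2" "$1"; }

# common A B: names present in both files, in A's order.
common() { awk 'FILENAME == ARGV[1] { seen[$0]; next } ($0 in seen)' "$2" "$1"; }

# first_reorder A B: first rank at which the shared ciphers are ordered differently.
first_reorder() {
    common "$1" "$2" > "$1.c"; common "$2" "$1" > "$2.c"
    paste "$1.c" "$2.c" | awk '$1 != $2 { print NR ": " $1 " vs " $2; exit }'
    rm -f "$1.c" "$2.c"
}

# Constructed sample -V output standing in for two expanded cipher strings.
sample_a() { cat <<'EOF'
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
EOF
}
sample_b() { cat <<'EOF'
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

t=$(mktemp -d)
if [ $# -eq 2 ]; then   # real strings: let the local openssl binary expand them
    openssl ciphers -V "$1" | names > "$t/a"; openssl ciphers -V "$2" | names > "$t/b"
else                    # no arguments: run on the constructed samples
    sample_a | names > "$t/a"; sample_b | names > "$t/b"
fi
echo "only in A:";  only_in "$t/a" "$t/b"
echo "only in B:";  only_in "$t/b" "$t/a"
echo "first order difference among shared ciphers:"; first_reorder "$t/a" "$t/b"
rm -rf "$t"
```

Because OpenSSL drops ciphers it does not have, the result depends on the openssl build doing the expansion, so run the comparison with the same OpenSSL the web server links against.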
Some of the cipher lists I found:
- Long: Hardening Your Web Server’s SSL Ciphers — Hynek Schlawack.
- Short: Security/Server Side TLS – MozillaWiki.
- Shorter, explanation of BEAST: Strong SSL Security on nginx – Raymii.org.
- Long, explanation of BEAST: Building a hardened, feature-rich webserver | BSD Now.
- Table: Recommendations for TLS/SSL Cipher Hardening – Acunetix.
There are two great SSL tests I found. The first one is online, the second one runs from the shell.
- SSL Labs:
- Shell-based SSL/TLS tester: testssl.sh.
- GitHub drwetter/testssl.sh.
–jeroen





