"Optimal" Web Server SSL Cipher Suite Configuration
The most secure setup doesn't depend only on ciphers, but also on the TLS version used. For OpenSSL, TLS 1.1/1.2 is preferred. BEAST and CRIME are attacks on the client and are usually mitigated client-side, but there are server-side mitigations too:
- CRIME: just disable ssl-compression; that's it
- BEAST/Lucky13: just use TLS 1.1, no SSLv3 and no RC4, see Is BEAST Still a Threat? (Ivan Ristic)
- BREACH: works only if some conditions are met, see breachattack.com; an easy and always-working mitigation would be to disable HTTP compression (gzip)
For a perfect setup: SSL always impacts performance on a high level; RC4 and other fast cipher suites might still be OK for static content, esp. when served from your own CDN.
A nice guide to understanding OpenSSL is the OpenSSL Cookbook, with detailed explanations also on PFS, cipher suites, TLS versions etc. There are 2 blog posts that explain PFS and practical setup:
- SSL Labs: Deploying Forward Secrecy
- Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
Cipher suite suggestions to enable PFS also on older clients:
# apache
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
# nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
For a detailed nginx/ssl-manual I'd like to direct you to this Guide to Nginx + SSL + SPDY.
In the year since this answer was written, Mozilla's guide has been updated regularly. All of my reservations below have been taken into account, and I recommend the guide wholeheartedly.
I recommend that you read Mozilla's Server Side TLS guide. It's comprehensive, and they are especially careful about compatibility with old clients, sometimes to the detriment of security. (After all, IE 6 users deserve to be able to download Firefox.) I would like to emphasize several things:
Supporting Windows XP/IE 6 is not optimal. I suggest you drop it if possible. It requires SSL 3.0, which leaves decent clients open to downgrade attacks. Edit: Anti-weakpasswords reports in the comments above that IE 6 can support TLS 1.0. I have no idea what percentage of IE 6 clients support it or have it enabled, though.
Supporting XP/IE 8 isn't bad. It supports TLS 1.0, though its best cipher suite is DES-CBC3-SHA and it doesn't support perfect forward secrecy or SNI. (Its second-best cipher suites are RC4-SHA and RC4-MD5. 3DES is very slow, but RC4 has security issues. Avoid it if possible.)
2048-bit Diffie-Hellman parameters are best from a security point of view, but Java 6 only supports 1024-bit parameters. Common 1024-bit parameters may or may not have been broken by NSA supercomputers, but 1024-bit DH is otherwise more or less safe for now. You might need to use it. (Java 7 supports ECDHE, bypassing the whole issue of DHE parameter size.)
Mozilla's primary cipher suite list includes RC4. As above, I recommend the list from the RC4 weaknesses section that uses 3DES instead.
Mozilla's configuration examples enable SSL 3.0. As I said, I would discourage that.
Mozilla's configuration examples mainly recommend 2048-bit DH parameters, but they also give 1024 as an option.
Of course, the first step is to keep OpenSSL (or the library you use) up to date.
But as new vulnerabilities are discovered and browsers are upgraded, the answers here can (will) become outdated. I'd suggest you rely on the Mozilla SSL Configuration Generator to check which configuration you should use.
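A small audit of the points the answers above single out (SSLv3, RC4, server cipher order, TLS compression), as an added example that is not part of any answer. The function names, the treatment of "all" as every protocol version, and the weak nginx sample are assumptions made for illustration.

```python
import re

ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumption: what "all" expands to
# The first answer's Apache block, copied from the page.
PAGE_APACHE = r'''
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
'''
# Constructed weak nginx config for contrast (not from the page).
WEAK_NGINX = 'ssl_protocols SSLv3 TLSv1;\nssl_ciphers "RC4-SHA:DES-CBC3-SHA";\n'

def parse_directives(text):
    """Map lowercased directive name -> value, joining backslash-continued lines."""
    out = {}
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if line:
            name, value = (line.split(None, 1) + [""])[:2]
            out[name.lower()] = value.strip().strip('"')
    return out

def enabled_protocols(value):
    """Apply +/- protocol tokens left to right (nginx simply lists names)."""
    enabled = set()
    for tok in value.split():
        names = ALL if tok.lstrip("+-").lower() == "all" else {tok.lstrip("+-")}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(text):
    """Return findings for the issues the answers single out."""
    d = parse_directives(text)
    get = lambda *keys: next((d[k] for k in keys if k in d), "")
    findings = []
    weak = enabled_protocols(get("sslprotocol", "ssl_protocols")) & {"SSLv2", "SSLv3"}
    if weak:
        findings.append("legacy protocol enabled: " + ", ".join(sorted(weak)))
    ciphers = get("sslciphersuite", "ssl_ciphers")
    tokens = [t for t in re.split(r"[\s:]+", ciphers) if t]
    banned = {t[1:] for t in tokens if t[0] == "!"}  # "!X" permanently removes X
    if "RC4" not in banned and any("RC4" in re.split(r"[+-]", t) for t in tokens if t[0] not in "!-+"):
        findings.append("RC4 suites allowed")
    if ciphers and get("sslhonorcipherorder", "ssl_prefer_server_ciphers").lower() != "on":
        findings.append("server cipher order not enforced")
    if get("sslcompression").lower() == "on":
        findings.append("TLS compression on (CRIME)")
    return findings
```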