Guidance on ordering cipher suites

Question asked by David Hollenberg on Apr 29, 2014
Latest reply on May 5, 2014 by BoerenkoolMetWorst

I am looking for guidance on ordering cipher suites from most secure to least secure.
I'm using Apache 2.2.x with latest OpenSSL 1.0.1g with SSLHonorCipherOrder On.
Ephemeral Diffie Hellman keys are limited to 1024 bits (because we can't upgrade to
Apache 2.4.7 yet).

Specifically:

1. Would TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 be preferred to
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256?  The former uses Galois
   Counter Mode but uses only a 1024-bit ephemeral DH key, due to
   our use of Apache 2.2.  The latter does not use Galois Counter
   Mode but has a stronger ephemeral key for key exchange and is
   apparently faster.

2. Would TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 be preferred to
   TLS_RSA_WITH_AES_128_CBC_SHA256?  The former has Forward Secrecy
   but only a 1024-bit ephemeral DH key.  The latter uses a 2048-bit
   RSA key (in our case) but does not provide Forward Secrecy.

3. Is CAMELLIA as strong as AES for the same key length?  Is it secure?
   Any reason not to offer it?

4. Would TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA be preferred to
   TLS_RSA_WITH_AES_128_CBC_SHA?  The former has Forward Secrecy but
   only a 1024-bit ephemeral DH key and only uses 3DES.  The latter
   has no Forward Secrecy but uses a 2048-bit RSA key (in our case)
   and AES.
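Added example, not part of the question or of Apache/OpenSSL: a small Python ranker that turns the four trade-offs raised above into one explicit sort key and orders the named suites with it. The policy weights, the security-strength figures (1024-bit DH at roughly 80 bits, 2048-bit RSA at 112, ECDHE assumed to use P-256 at 128) and the extra CAMELLIA suite in the input are all assumptions of this example.

```python
import re

# Constructed input: the suites named in the question (IANA names) plus one
# CAMELLIA suite so that every comparison the post raises is represented.
SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

# Assumed deployment facts taken from the post: DHE is capped at 1024 bits
# (Apache 2.2) and the server RSA key is 2048 bits. Strength figures are the
# usual NIST SP 800-57 equivalents; ECDHE assumes the P-256 curve.
KX_STRENGTH = {"ECDHE": 128, "DHE": 80, "RSA": 112}
CIPHER_RANK = {"AES": 3, "CAMELLIA": 2, "3DES_EDE": 1}  # assumed preference
PATTERN = re.compile(
    r"TLS_(?:(ECDHE|DHE)_)?RSA_WITH_(AES|CAMELLIA|3DES_EDE)_(?:(\d+)_)?(GCM|CBC)_(SHA\d*)"
)


def score(suite):
    """Sort key for one suite; a larger tuple means preferred under the policy."""
    m = PATTERN.fullmatch(suite)
    if not m:
        raise ValueError("unsupported suite: " + suite)
    kx, cipher, bits, mode, mac = m.groups()
    forward_secrecy = kx is not None            # ECDHE/DHE present => ephemeral key
    kx_bits = KX_STRENGTH[kx or "RSA"]           # static RSA key exchange otherwise
    cipher_bits = 112 if cipher == "3DES_EDE" else int(bits)  # 3DES: ~112-bit effective
    mac_bits = 160 if mac == "SHA" else int(mac[3:])
    # Policy (assumed): forward secrecy first, then key-exchange strength (so a
    # 1024-bit DH exchange ranks below ECDHE even when paired with GCM), then
    # AEAD over CBC, then cipher family, then cipher and MAC sizes as tiebreaks.
    return (forward_secrecy, kx_bits, mode == "GCM",
            CIPHER_RANK[cipher], cipher_bits, mac_bits)


def order(suites):
    """Return the suites most-preferred first."""
    return sorted(suites, key=score, reverse=True)


if __name__ == "__main__":
    for s in order(SUITES):
        print(s, score(s))
```

Apache's SSLCipherSuite directive takes OpenSSL names rather than IANA names, so the sorted list still has to be translated before it is pasted into the config.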