
Recommended cipher suite for TLS v1.1+ clients?

Question asked by Michał Staruch on Jan 30, 2015
Latest reply on Jun 12, 2015 by Lily Wilson

Hi there.


First thing is AESGCM. I've noticed in quite a few places that AESGCM comes first on the recommended cipher priority list for HTTPS servers. I am not a cipher expert, but I've observed two things:

1. Lack of support for AES256-GCM in browsers as of today, resulting in capping at AES128-GCM.

2. Weakness of AES128-GCM described in the "Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes" publication by Markku-Juhani O. Saarinen (available here: The key part is "We performed an exhaustive experiment that found many AES-128 keys that produce H with order below n ≈ 2^96.".

Currently the Qualys recommended settings ( result in most browsers picking AES128 in GCM mode over AES256 in CBC, while reports like ECRYPT II (the part related to algorithms and key sizes is available here: suggest avoiding AES-GCM for protocols like TLS.

Another thing is that TLS 1.3 (draft here: proposes to ban non-AEAD ciphers, which would lock most browsers to AES128-GCM if they stayed with their currently supported cipher lists.

Then we have ECDSA vs aRSA. Documents like "Applied Crypto Hardening" (draft available here: always prioritize aRSA and explicitly disable ECDSA whenever possible. From time to time we hear about flawed ECDSA implementations (Sony PS3, Android SecureRandom, OpenSSL prior to 1.0.0e), and I have never heard about any serious RSA issue, so I guess it's the right decision, too.

So, to summarize my concerns:

Q1: Should AESGCM stay on top of cipher priority list for TLS v1.1 and v1.2?

Q2: Should ECDSA have higher priority than aRSA?

Q3: What cipher suite would you recommend to use in 2015 for HTTPS server, assuming we want to support only TLS v1.1 and TLS v1.2 clients?

Q4: What cipher suite would you recommend for TLS v1.3, when it's available? Is there any 256-bit AEAD cipher we could expect to be supported in browsers, without any known flaws?


I would appreciate opinions of cipher experts, especially those living in free countries (out of NSA reach).
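As an added example (not part of the original post, and not Qualys' or the paper's code), here is the subgroup check behind the Saarinen result quoted above: the GHASH key H is an element of GF(2^128), and its multiplicative order tells you whether it sits in one of the small subgroups the paper calls weak. It assumes the standard factorisation of 2^128 - 1 and uses the 2^96 bound quoted in the post; since an element's order does not depend on GCM's bit-reflected convention, the plain polynomial representation is used.

```python
# Added example, not from the original post: multiplicative order of a GHASH
# key H in GF(2^128), used to flag H values lying in a small subgroup.
# Order is representation-independent, so GCM's bit reflection is not needed.
GCM_POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1  # x^128+x^7+x^2+x+1
GROUP_ORDER = (1 << 128) - 1
# Prime factors of 2^128 - 1; this smoothness is what makes small subgroups plentiful.
GROUP_FACTORS = (3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721)
WEAK_ORDER_BOUND = 1 << 96  # threshold quoted from the paper in the post

def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two GF(2^128) elements, reduced mod GCM_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= GCM_POLY
    return result

def gf_pow(base: int, exp: int) -> int:
    """Square-and-multiply exponentiation in GF(2^128)."""
    result = 1
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def element_order(h: int) -> int:
    """Order of non-zero h: strip each prime p while h^(order/p) is still 1."""
    if h == 0:
        raise ValueError("H = 0 is the trivial weak key; it has no multiplicative order")
    order = GROUP_ORDER
    for p in GROUP_FACTORS:
        while order % p == 0 and gf_pow(h, order // p) == 1:
            order //= p
    return order

def is_weak_ghash_key(h: int, bound: int = WEAK_ORDER_BOUND) -> bool:
    # Weak when H = 0 or H sits in a subgroup of order below `bound`.
    return h == 0 or element_order(h) < bound

def element_of_order(p: int) -> int:
    """Constructed test input: an element of prime order p (p divides 2^128 - 1)."""
    for g in range(2, 1 << 16):
        candidate = gf_pow(g, GROUP_ORDER // p)
        if candidate != 1:  # g is not a p-th power, so candidate has order exactly p
            return candidate
    raise RuntimeError("no element of that order found")
```

In a real deployment H is AES_K(0^128); feeding that value to `is_weak_ghash_key` tells you whether the key falls into the class the paper found.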