AnsweredAssumed Answered

IIS 8.5 Recommended Cipher Suites

Question asked by Kaipo A on Mar 31, 2015
Latest reply on Mar 31, 2015 by Lily Wilson

Hello,

 

I've started reading Ivan's OpenSSL Cookbook (great book) and on pages 33 & 34 there is a recommended cipher configuration for OpenSSL. I'm trying to configure my Windows Server 2012 R2 IIS 8.5 using this list as a reference. Is my list of ciphers further down a good mix of security and performance?

Here is his list:

OpenSSL Cookbook pg. 33

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES128-SHA

ECDHE-ECDSA-AES256-SHA

ECDHE-ECDSA-AES128-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-SHA

ECDHE-RSA-AES256-SHA

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES128-SHA

DHE-RSA-AES256-SHA

DHE-RSA-AES128-SHA256

DHE-RSA-AES256-SHA256

EDH-RSA-DES-CBC3-SHA

His list continues onward for supporting older clients which I'm not interested in for this post.

 

I've been using Nartac's IIS Crypto's "best practice" to configure my supported ciphers and the preferred order which has and is working great. But I'd like to support more ciphers if possible and have better performance. So here is my ordered list of ciphers for use with IIS8.5. The "-->" arrows next to the cipher mean they are from the "recommended" list above, if there isn't an arrow it means I added the cipher because I wasn't sure where it should go in the list.

 

Modified Ciphers List

-->TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521

-->TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

-->TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521

-->TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521

-->TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521

-->TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521

-->TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521

-->TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521

-->TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521

-->TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521

-->TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

-->TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

 

In addition to the above, here are some additional ciphers from the Nartac best practice in the order they prefer. Should the TLS_RSA_WITH_AES_* be reordered by HMAC like the lists above? I've struck through the top two suites due to the potential problems with MS14-066.

Additional Ciphers

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Outcomes