AnsweredAssumed Answered

Perfect Cipher Suite order for IIS 10

Question asked by Daniel M. on Mar 12, 2016
Latest reply on Mar 22, 2016 by Rob Moss

Hi all

 

I'm currently creating a standard for our team in regards to Cipher Suite order for IIS10, my current proposal looks as follows. We are only using RSA certificates, therefore ECDSA was removed entirely. The principals are in the following order:

  • Forward Secrecy over Non-FS
  • GCM over CBC
  • ECDHE_RSA over DHE_RSA
  • SHAxxx over SHA
  • 256-bit over 128-bit

 

 

IIS 10 (Windows Server 2016)

  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P521',

  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384',

  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P521',

  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P384',

  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256',

  'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',

  'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',

  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',

  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',

  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',

  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',

  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',

  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',

  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',

  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',

  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',

  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',

  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',

  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',

  'TLS_RSA_WITH_AES_256_GCM_SHA384',

  'TLS_RSA_WITH_AES_128_GCM_SHA256',

  'TLS_RSA_WITH_AES_256_CBC_SHA256',

  'TLS_RSA_WITH_AES_128_CBC_SHA256',

  'TLS_RSA_WITH_AES_256_CBC_SHA',

  'TLS_RSA_WITH_AES_128_CBC_SHA',

  'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

 

DHE_RSA on Windows Server 2016 was upped to 2048bit, therefore I'm preferring TLS_DHE_RSA (GCM) over TLS_ECDHE_RSA (CBC), this ensures that some browsers (IE11 on Win7/8, WP8.1) use GCM with FS, instead of CBC.


I also know that some people think that AES 128 GCM is stronger than AES 256 GCM. I have not taken that into account and prefer 256bit over 128bit

 

What do you guys think about this ordering? The two main questions I have are

- Is it reasonable to prefer SHAxxx over SHA before 256-bit over 128-bit? (Microsoft does this now by default with Windows Server 2016)

- Would you get rid of the DHE_RSA ciphers on IIS 10, or would you say that it's worth to be able to use GCM instead of CBC for more browsers?

 

Any other feedback is also welcome

Outcomes