
about priority of cipher suites on the server!

Question asked by rom ain on May 11, 2016
Latest reply on May 24, 2016 by tlussnig


Hi!


I have several questions on the order of priority of server-side encryption suites detected during a Qualys SSL server scan.

a - How does Qualys detect the priority of cipher suites on the server side? What is the detection algorithm?


b - In an SSL/TLS negotiation, how is the cipher negotiated? I think: 1 - when the client logs on, it sends the list of ciphers it supports in order of preference; 2 - then, from this list, the server chooses according to its own priority (its preference list). Can you confirm?



c - And the last question, following a finding on a test case:


1 - On the client side, here is the cipher priority configuration:

server_cipher_configuration.png


2 - On the server side, here is the cipher priority configuration (do not worry about the robustness of the suites here, it's just a test):

DES-CBC3-SHA

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES128-SHA

ECDHE-RSA-AES256-SHA

DHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA

DHE-RSA-AES256-SHA256

DHE-RSA-AES256-SHA

ECDHE-RSA-DES-CBC3-SHA

EDH-RSA-DES-CBC3-SHA

AES128-GCM-SHA256

AES256-GCM-SHA384

AES128-SHA256

AES256-SHA256

AES128-SHA

AES256-SHA

!DSS

 

3 - The cipher selected after negotiation is: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (6th in the client-side priority, 9th in the server-side priority). Do you have an explanation?



Thanks!
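
The two selection policies a TLS server can apply to a client's offer, and one way a scanner can infer which policy and which ranking a server uses, shown as an added simulation that is not part of the original post and is not Qualys's documented algorithm. The client offer, the function names and the two simulated servers are constructed for illustration; only the server list comes from the post.

```python
# Added example: pure simulation, no network traffic.
# Server list from the post, in configured order (the "!DSS" exclusion is dropped).
SERVER_PRIORITY = """DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
AES128-SHA AES256-SHA""".split()

# Constructed client offer: the post's client list was an image and is not available.
CLIENT_OFFER = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
                "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
                "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
                "ECDHE-RSA-AES128-SHA", "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]

def select(offer, server_list, honor_server_order):
    """Suite the server picks from the client's offer, or None if nothing is shared."""
    if honor_server_order:
        ordered, allowed = server_list, set(offer)   # walk the server's ranking
    else:
        ordered, allowed = offer, set(server_list)   # walk the client's ranking
    return next((s for s in ordered if s in allowed), None)

def enforces_own_order(handshake, a, b):
    """Offer two shared suites in both orders; the same pick twice means server preference."""
    return handshake([a, b]) == handshake([b, a])

def probe_order(handshake, candidates):
    """Recover the server's ranking: offer everything, record the pick, drop it, repeat."""
    remaining, ranking = list(candidates), []
    while remaining:
        pick = handshake(remaining)
        if pick is None:          # nothing left that the server accepts
            break
        ranking.append(pick)
        remaining.remove(pick)
    return ranking

def strict_server(offer):    # simulated server that enforces its own list
    return select(offer, SERVER_PRIORITY, True)

def lenient_server(offer):   # simulated server that follows the client's order
    return select(offer, SERVER_PRIORITY, False)

if __name__ == "__main__":
    print("server order honored:", strict_server(CLIENT_OFFER))
    print("client order honored:", lenient_server(CLIENT_OFFER))
    print("probed ranking matches config:",
          probe_order(strict_server, reversed(SERVER_PRIORITY)) == SERVER_PRIORITY)
```

With this constructed offer, the server that follows the client's order lands on ECDHE-RSA-AES256-SHA (6th for the client, 9th for the server), while the server that enforces its own list picks its first entry, DES-CBC3-SHA.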

 
