Security/Server Side TLS - MozillaWiki
The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a configuration generator to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.
Updates to this page should be submitted to the server-side-tls repository on GitHub. Issues related to the configuration generator are maintained in their own GitHub repository.
In the interests of usability and maintainability, these guidelines have been considerably simplified from the previous guidelines.
Recommended configurations
The Mozilla SSL Configuration Generator
Mozilla maintains two recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:
Modern: modern clients that support TLS 1.3, with no need for backwards compatibility
Intermediate: recommended configuration for a general-purpose server
Configuration | Firefox | Android | Chrome | Edge       | Internet Explorer | Java  | OpenSSL | Opera | Safari
Modern        | 63      | 10.0    | 70     | 75         | --                | 11    | 1.1.1   | 57    | 12.1
Intermediate  | 31.3.0  | 4.4.2   | 49     | 15 (Win10) | 11 (Win10)        | 8u161 | 1.0.1l  | 20    |
OpenSSL will ignore cipher suites it doesn't understand, so always use the full set of cipher suites below in their recommended order.
Different libraries support different cipher suites and refer to them by different names. Mozilla maintains a list of all known cipher suites and their corresponding names.
Modern compatibility
For services with clients that support TLS 1.3 and don't need backward compatibility, the Modern configuration provides an extremely high level of security.
Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Cipher suites (TLS 1.2): (none)
Protocols: TLS 1.3
Certificate type: ECDSA (P-256)
TLS curves: X25519MLKEM768, X25519, prime256v1, secp384r1
HSTS: max-age=63072000 (two years)
Certificate lifespan: 90 days
Cipher preference: client chooses
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
Rationale:
- All cipher suites are forward secret and authenticated
- The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
- We recommend ECDSA certificates using P-256, as P-384 provides negligible improvements to security and Ed25519 is not yet widely supported
Intermediate compatibility (recommended)
This configuration is for services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL. It is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.
Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Cipher suites (TLS 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Protocols: TLS 1.2, TLS 1.3
TLS curves: X25519MLKEM768, X25519, prime256v1, secp384r1
Certificate type: ECDSA (P-256) (recommended), or RSA (2048 bits)
DH parameter size: 2048 (ffdhe2048, RFC 7919)
HSTS: max-age=63072000 (two years)
Certificate lifespan: 90 days (recommended) to 366 days
Cipher preference: client chooses
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
Rationale:
- All cipher suites are forward secret and authenticated
- TLS 1.2 is the minimum supported protocol, as recommended by RFC 7525, PCI DSS, and others
- ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2
- The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
- Windows XP (including all embedded versions) is no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
- The DHE-RSA-* ciphers DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384, and DHE-RSA-CHACHA20-POLY1305 are excluded because they are more computationally expensive than ECDHE and more vulnerable to resource exhaustion attacks such as the D(HE)at attack (CVE-2002-20001). DHE-RSA-* ciphers were previously included to work around limitations of IE11 on Windows 7.
- Administrators needing to provide access to IE 11 on Windows Server 2008 R2 and who are unable to switch to or add ECDSA certificates can add TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
- 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation
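The Modern and Intermediate rationale lists above rest on the same checks: every suite must be forward secret and an AEAD suite, TLS 1.2 is the floor, and finite-field DHE is excluded. The following Python is an added example, not code from this page or from Mozilla's tooling. It parses lines in the output format of "openssl ciphers -v" (the format of the suite tables on this page), applies those checks, and rebuilds the accepted suites as an OpenSSL cipher string so the result can be compared with the page's own list. The first nine input lines are the page's; the last three are constructed counterexamples (a finite-field DHE suite, a CBC/HMAC suite, and a static-RSA suite) chosen so that each rule rejects something. Kx=any is how OpenSSL labels TLS 1.3 suites, whose key exchange is always ephemeral, so it is treated as forward secret.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Input in the format of `openssl ciphers -v`. The first nine lines are the
# suites listed on this page; the last three are constructed counterexamples
# (finite-field DHE, a CBC/HMAC suite, static RSA key transport) that the
# policy below is expected to reject.
SAMPLE_CIPHERS_V = """\
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x13 - ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

CIPHER_LINE = re.compile(
    r"^(?P<id>0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2}) - (?P<name>\S+) (?P<proto>\S+) "
    r"Kx=(?P<kx>\S+) Au=(?P<au>\S+) Enc=(?P<enc>\S+) Mac=(?P<mac>\S+)$"
)


class Suite(NamedTuple):
    id: str
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers_v(text: str) -> list[Suite]:
    """Parse `openssl ciphers -v` lines; raise on anything that does not fit the format."""
    suites = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # real openssl output pads columns with extra spaces
        if not line:
            continue
        m = CIPHER_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {raw!r}")
        suites.append(Suite(**m.groupdict()))
    return suites


def policy_violations(s: Suite) -> list[str]:
    """Reasons this suite fails the page's rules; an empty list means it is acceptable."""
    reasons = []
    if s.proto not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"{s.proto} is below the TLS 1.2 minimum")
    if s.mac != "AEAD":
        reasons.append(f"Mac={s.mac}: not an AEAD suite (CBC plus HMAC construction)")
    # Kx=any is how OpenSSL labels TLS 1.3 suites, whose key exchange is always ephemeral.
    if s.kx == "RSA":
        reasons.append("Kx=RSA: static RSA key transport, not forward secret")
    elif s.kx == "DH":
        reasons.append("Kx=DH: finite-field DHE excluded (costlier than ECDHE, D(HE)at exposure)")
    elif s.kx not in ("ECDH", "any"):
        reasons.append(f"Kx={s.kx}: unexpected key exchange")
    return reasons


def evaluate(text: str) -> dict[str, list[str]]:
    """Map each suite name to its list of violations."""
    return {s.name: policy_violations(s) for s in parse_ciphers_v(text)}


def accepted_cipher_string(text: str, proto: str) -> str:
    """Colon-separated OpenSSL list of accepted suites for one protocol, input order preserved."""
    return ":".join(
        s.name for s in parse_ciphers_v(text) if s.proto == proto and not policy_violations(s)
    )


if __name__ == "__main__":
    for name, reasons in evaluate(SAMPLE_CIPHERS_V).items():
        status = "OK  " if not reasons else "DROP"
        print(f"{status} {name}" + (f": {'; '.join(reasons)}" if reasons else ""))
    print("TLS 1.2 cipher string:", accepted_cipher_string(SAMPLE_CIPHERS_V, "TLSv1.2"))
```

Run against the real output of "openssl ciphers -v 'ALL'" on a server, the same function tells you which suites the local library would have offered that this page's rules reject; because input order is preserved, the returned cipher string can be pasted into a configuration as the page's "full set of cipher suites in their recommended order".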
JSON version of the recommendations
Mozilla also maintains these recommendations in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.
We also maintain a rolling version of these recommendations, with the caveat that they may change without warning and without providing backwards compatibility. As it may break things if you use it to automatically configure your servers without review, we recommend you use the version-specific file instead.
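As an added example (not Mozilla's generator, and not the schema of its published JSON file), the Python below shows the pattern this section describes: a script loads a version-pinned copy of the recommendations, refuses to run if the version is not the one it was reviewed against, and renders a profile into nginx ssl_* directives. The JSON document is constructed here from the values on this page, and its key names are this example's own. The nginx directive names (ssl_protocols, ssl_ciphers, ssl_conf_command, ssl_prefer_server_ciphers, ssl_ecdh_curve, ssl_dhparam, add_header) are real; the dhparam file path is a placeholder.

```python
from __future__ import annotations

import json

# Constructed JSON document carrying the values from this page's Modern and
# Intermediate tables. The key names are this example's own choice, not the
# schema of Mozilla's published JSON file; only the values come from the page.
RECOMMENDATIONS_JSON = """
{
  "version": "6.0",
  "configurations": {
    "modern": {
      "tls_versions": ["TLSv1.3"],
      "ciphersuites_tls13": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
      "ciphers_tls12": [],
      "tls_curves": ["X25519MLKEM768", "X25519", "prime256v1", "secp384r1"],
      "dh_param_size": null,
      "hsts_max_age": 63072000,
      "server_preferred_order": false
    },
    "intermediate": {
      "tls_versions": ["TLSv1.2", "TLSv1.3"],
      "ciphersuites_tls13": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
      "ciphers_tls12": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                        "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"],
      "tls_curves": ["X25519MLKEM768", "X25519", "prime256v1", "secp384r1"],
      "dh_param_size": 2048,
      "hsts_max_age": 63072000,
      "server_preferred_order": false
    }
  }
}
"""


def load_profiles(json_text: str, expected_version: str) -> dict:
    """Parse the recommendations and refuse to proceed if the pinned version differs.

    Pinning is what makes the versioned file safe to feed into automation: a
    rolling file that changes shape would otherwise be applied unreviewed.
    """
    doc = json.loads(json_text)
    if doc.get("version") != expected_version:
        raise ValueError(f"expected recommendations {expected_version}, got {doc.get('version')}")
    return doc["configurations"]


def render_nginx(profile: dict, dhparam_path: str = "/etc/nginx/ffdhe2048.pem") -> str:
    """Render one profile as nginx ssl_* directives; dhparam_path is a placeholder."""
    lines = ["ssl_protocols " + " ".join(profile["tls_versions"]) + ";"]
    # TLS 1.2 suites go through ssl_ciphers; a Modern profile has none, so the
    # directive is omitted rather than emitted empty.
    if profile["ciphers_tls12"]:
        lines.append("ssl_ciphers " + ":".join(profile["ciphers_tls12"]) + ";")
    # TLS 1.3 suites are configured through OpenSSL's Ciphersuites option
    # (nginx 1.19.4 or later with OpenSSL 1.1.1 or later).
    lines.append("ssl_conf_command Ciphersuites " + ":".join(profile["ciphersuites_tls13"]) + ";")
    # "Cipher preference: client chooses" on the page maps to server preference off.
    lines.append("ssl_prefer_server_ciphers " + ("on" if profile["server_preferred_order"] else "off") + ";")
    lines.append("ssl_ecdh_curve " + ":".join(profile["tls_curves"]) + ";")
    # Only a profile that states a DH parameter size gets a dhparam file
    # (the page specifies the RFC 7919 ffdhe2048 group for Intermediate).
    if profile["dh_param_size"]:
        lines.append(f"ssl_dhparam {dhparam_path};")
    lines.append(f'add_header Strict-Transport-Security "max-age={profile["hsts_max_age"]}" always;')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, profile in load_profiles(RECOMMENDATIONS_JSON, "6.0").items():
        print(f"# {name}\n{render_nginx(profile)}")
```

The version check is the point of the example: a deployment tool should read the version-specific file and compare its version field against the one the configuration was reviewed with, so that a change to the rolling file fails loudly instead of silently reconfiguring production servers.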
Version History
Version | Editor | Changes
6.0 | Glenn Strauss | Remove Old configuration
5.8 | Glenn Strauss | Remove kDHE ciphers from Intermediate and Old; Change Old dhParamSize from 1024 to 2048; Change Old to use ffdhe2048 instead of locally generated dhparams; Prepend X25519MLKEM768 PQC hybrid KEM to recommended groups
5.7 | Gene Wood | Add DHE-RSA-CHACHA20-POLY1305 cipher to the Intermediate configuration
5.6 | April King | Fixed incorrect cipher ordering for the Intermediate configuration
5.5 | April King | Update certificate lifespan to reflect browser policy changes
5.3 | April King | Bump links to point to 5.3 guidelines, since it fixes a small JSON error
5.0.1 | April King | Add note about IE 11 on Windows Server 2008 R2
5.0 | April King | Server Side TLS 5.0
4.2 | April King | Updated cipher suite table
4.1 | Julien Vehent | Clarify Logjam notes, Clarify risk of TLS Tickets
 | Julien Vehent | Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON
3.8 | Julien Vehent | redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)
3.7 | Julien Vehent | cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)
3.6 | Julien Vehent | bump intermediate DHE to 2048, add note about java compatibility
3.5 | alm | comment on weakdh vulnerability
3.4 | Julien Vehent | added note about session resumption, HSTS, and HPKP
3.3 | Julien Vehent | fix SHA256 prio, add POODLE details, update various templates
3.2 | Julien Vehent | Added intermediate compatibility mode, renamed other modes
3.1 | Julien Vehent | Added non-backward compatible ciphersuite
 | Julien Vehent | Remove RC4 for 3DES, fix ordering in openssl 0.9.8 (1024430), various minor updates
2.5.1 | Julien Vehent | Revisit ELB capabilities
2.5 | Julien Vehent | Update ZLB information for OCSP Stapling and ciphersuite
2.4 | Julien Vehent | Moved a couple of aes128 above aes256 in the ciphersuite
2.3 | Julien Vehent | Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)
2.2 | Julien Vehent | Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool
2.1 | Julien Vehent | RC4 vs 3DES discussion. r=joes r=tinfoil
2.0 | Julien Vehent, kang | Public release.
1.5 | Julien Vehent, kang | added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf
1.4 | Julien Vehent | revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.
1.3 | Julien Vehent | added netscaler example conf
1.2 | Julien Vehent | ciphersuite update, bump DHE-AESGCM above ECDH-RC4
1.1 | Julien Vehent, kang | integrated review comments from Infra; SPDY information
1.0 | Julien Vehent | creation
Document Status: READY