Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are widely used protocols. They were designed to secure the transfer of data between the client and the server through authentication, encryption, and integrity protection.
Note: At the time of writing of this article, TLS 1.3 was not yet available. It is available now, and it is recommended for use instead of TLS 1.2. TLS 1.3 does not require you to manually specify cipher suites in configuration.
TLS/SSL technology is commonly used in websites and web applications together with the HTTP protocol. It is also used by several other services and protocols, for example, email (SMTP, POP, and IMAP protocols), FTP, chat (XMPP protocol), virtual private networks (TLS/SSL VPNs), and network appliances.
To secure the transfer of data, TLS/SSL uses one or more cipher suites. A cipher suite is a combination of authentication, encryption, and message authentication code (MAC) algorithms. They are used during the negotiation of security settings for a TLS/SSL connection as well as for the transfer of data.
The following are examples of what algorithms a cipher suite may use.
| Function | Algorithm |
|---|---|
| Key Exchange | RSA, Diffie-Hellman, ECDH, SRP, PSK |
| Authentication | RSA, DSA, ECDSA |
| Bulk Ciphers | RC4, 3DES, AES |
| Message Authentication | HMAC-SHA256, HMAC-SHA1, HMAC-MD5 |
TLS is now a requirement in several regulatory standards. Major browsers mark sites as not secure in absence of TLS. It may therefore also be considered a requirement for serving websites and web applications. However, getting a correct TLS implementation may be difficult. Bad TLS configurations may provide a false sense of security and make websites and web applications vulnerable to attacks.
Many common TLS misconfigurations are caused by choosing the wrong cipher suites. Old or outdated cipher suites are often vulnerable to attacks. If you use them, the attacker may intercept or modify data in transit. Below is a list of recommendations for a secure SSL/TLS implementation.
Disabling SSL 2.0 and SSL 3.0
SSL 2.0 was the first public version of SSL. It was released in 1995. This version of SSL contained several security issues. In 1996, the protocol was completely redesigned and SSL 3.0 was released.
Because of the security issues, the SSL 2.0 protocol is unsafe and you should completely disable it. Due to the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSL 3.0 is also unsafe and you should also disable it. If it is enabled, an attacker may retrieve plain text content of secure connections. Furthermore, you cannot use elliptic-curve cryptography (see below) with SSL 3.0.
Internet Explorer 6 is the only browser that still uses SSL 3.0. Therefore, unless you still need to support the legacy Internet Explorer 6 browser, you should disable SSL 3.0 as outlined below.
Disabling TLS 1.0 and 1.1
Unless you need to support legacy browsers, you should also disable TLS 1.0 and TLS 1.1. The PCI DSS (Payment Card Industry Data Security Standard) specifies that TLS 1.0 may no longer be used as of June 30, 2018. It also strongly suggests that you disable TLS 1.1. These protocols may be affected by vulnerabilities such as FREAK, POODLE, BEAST, and CRIME. If you must still support TLS 1.0, disable TLS 1.0 compression to avoid CRIME attacks.
You should also disable weak ciphers such as DES and RC4. DES can be broken in a few hours and RC4 has been found to be weaker than previously thought. In the past, RC4 was advised as a way to mitigate BEAST attacks. However, due to the latest attacks on RC4, Microsoft has issued an advisory against it. The PCI DSS also prohibits the use of the RC4 bulk cipher.
If you disable TLS 1.0 and TLS 1.1, the following user agents and their older versions will likely be affected (specific user agent versions on different operating systems may vary).
- Android 4.3
- Chrome 29
- Firefox 26
- Internet Explorer 10
- Java 6u45, 7u25
- OpenSSL 0.9.8y
- Safari 6.0
How to Configure TLS
Depending on your business use case (e.g. the need to support legacy browsers and regulatory requirements) you may need to use slightly different cipher suite configurations. You may use the Mozilla SSL Configuration Generator to obtain an optimal TLS configuration using different browser profiles (modern, intermediate, or old).
The following is a breakdown of the modern profile (oldest compatible clients: Firefox 27, Chrome 30, Internet Explorer 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8). The syntax for enabling/disabling TLS protocols and cipher suites will vary slightly depending on the web server.
Nginx
# Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1ssl_protocols TLSv1.2;# Enable modern TLS cipher suitesssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';# The order of cipher suites mattersssl_prefer_server_ciphers on;Apache HTTP Server
# Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1# Enable modern TLS cipher suitesSSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384# The order of cipher suites mattersSSLHonorCipherOrder on# Disable TLS compressionSSLCompression off# Necessary for Perfect Forward Secrecy (PFS)SSLSessionTickets offPreferred Cipher Suite Order
The table below breaks down the cipher suite string above into what is preferred in order (best key exchange algorithm/strongest encryption first).
Note – More Information on ciphers supported by OpenSSL is available here.
| Order | Key Exchange Algorithm | Authentication Algorithm | Bulk Encryption Algorithm | Mac Algorithm |
|---|---|---|---|---|
| #1 | Elliptic Curve Diffie–Hellman (ECDH) | Elliptic Curve Digital Signature Algorithm (ECDSA) | AES 256 in Galois Counter Mode (AES256-GCM) | SHA384 |
| #2 | Elliptic Curve Diffie–Hellman (ECDH) | RSA | AES 256 in Galois Counter Mode (AES256-GCM) | SHA384 |
| #3 | Elliptic curve Diffie–Hellman (ECDH) | Elliptic Curve Digital Signature Algorithm (ECDSA) | ChaCha20 (CHACHA20) | POLY1305 |
| #4 | Elliptic curve Diffie–Hellman (ECDH) | RSA | ChaCha20 (CHACHA20) | POLY1305 |
| #5 | Elliptic Curve Diffie–Hellman (ECDH) | Elliptic Curve Digital Signature Algorithm (ECDSA) | AES 128 in Galois Counter Mode (AES128-GCM) | SHA256 |
| #6 | Elliptic curve Diffie–Hellman (ECDH) | RSA | AES 128 in Galois Counter Mode (AES128-GCM) | SHA256 |
This string provides the strongest encryption in modern browsers and TLS/SSL clients (AES in Galois/Counter Mode is only supported in TLS 1.2). Furthermore, this string also provides perfect forward secrecy (PFS) if both the server and the TLS/SSL client support it (on Apache HTTP Server you must set SSLSessionTickets to off).
How to Verify the Configuration
An easy way to test if your website or web application uses a vulnerable SSL/TLS configuration is to run an automated scan using the online Acunetix vulnerability scanner, which includes a network security scanner. At the same time, you can also test for web vulnerabilities. Take a demo and find out more about running scans against your website or web application.
Frequently asked questions
Default SSL/TLS configurations in most servers are not secure enough. By default, most servers still support outdated and vulnerable protocol versions. This could lead to attacks against such servers. Therefore, you need to manually configure your every server, not rely on defaults.
Learn more about TLS and SSL.
To harden your SSL/TLS configuration, you must do two things. First of all, you must turn off support for the old and vulnerable SSL protocol completely as well as for old and vulnerable versions of the newer TLS protocol. Second of all, you must turn off insecure cipher suites and establish a priority of cipher suites based on their security.
Read about potential attacks against SSL/TLS.
You should not support the SSL protocol at all. You should also not support TLS 1.0 or TLS 1.1. Therefore, your configuration should only support TLS 1.2 and up. Some server versions may not support TLS 1.3 yet, therefore TLS 1.2 must be the cornerstone of your configuration. This protocol version is supported by all current browser versions and quite a few outdated versions, therefore, you should not run across compatibility problems.
Find out more about the history of SSL and TLS.
A cipher suite consists of a key exchange algorithm, an authentication algorithm, a bulk encryption algorithm, and a message authentication algorithm. Currently, the most secure and most recommended combination of these four is: Elliptic Curve Diffie–Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), AES 256 in Galois Counter Mode (AES256-GCM), and SHA384.
Get the latest content on web security
in your inbox each week.
THE AUTHOR
Ian Muscat
Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.
