The purpose of this cheatsheet is to provide others with the relevant information which will help them to configure TLS on their servers to provide an adequate level of security.
If you want a quick and easy reference, I would recommend the following cipher choices.
- AES-256 (GCM mode)
- AES-128 (GCM mode)
- Camellia-256 (GCM mode)
- Camellia-128 (GCM mode)
Also worth keeping in mind that TLSv1.3 is just around the corner. I will update this list once it is supported by the common browsers and web servers.
SSL is dead! Under no circumstances use SSL. You should only be using TLS. In terms of versions, you should ideally be using TLSv1.2 and above (TLSv1.3 is about to be released).
SSL is no longer considered secure and should not be used. The most recent vulnerability in the protocol is POODLE, which was the final nail in the coffin for this protocol.
TLSv1.0 is vulnerable to the BEAST attack, although this has been largely mitigated by client-side mitigations. Some implementations of TLSv1.0 and TLSv1.1 are also vulnerable to POODLE.
Stick with ECDH (Elliptic-curve Diffie–Hellman) and ECDHE (Elliptic-curve Diffie–Hellman Ephemeral).
If you can, avoid RSA (Rivest–Shamir–Adleman) key exchange, since it may be vulnerable to the ROBOT attack and it does not provide Perfect Forward Secrecy.
Both the DH (Diffie–Hellman) and DHE (Diffie–Hellman Ephemeral) key exchange algorithms are vulnerable to the Logjam attack.
You should stick with ECDH and ECDHE, since neither has any known vulnerabilities at this point in time. ECDHE provides perfect forward secrecy, so cipher suites with this key exchange should be at the top of your cipher list.
DES and 3DES
Both are broken and should not be used. 3DES is vulnerable to the Sweet32 attack.
RC4 has numerous vulnerabilities, most notably the Bar-mitzvah attack and the NOMORE attack.
The CBC mode of operation in AES is vulnerable to the Lucky 13 attack.
All MD-family MAC algorithms (such as MD5) are no longer secure and should no longer be used.
SHA-1 has been proven to be prone to hash collisions. There is a debate whether this has a significant impact on TLS connections. Personally I prefer not to support it and instead support SHA-2 and above.
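To turn the rules above (ECDH/ECDHE key exchange only, AES or Camellia in GCM mode, no CBC/3DES/RC4, no MD5/SHA-1 MACs, TLSv1.2 and up) into something you can run against a server's cipher list, here is an added example that is not part of the original cheatsheet. It parses the `openssl ciphers -v` line format (the same format Python's `ssl.SSLContext.get_ciphers()` returns in its `description` field) and flags every suite that breaks a rule; the `SAMPLE` lines are constructed for illustration, and `local_cipher_report` applies a cheatsheet-style cipher string to the local OpenSSL so you can see what it would actually offer.

```python
import re
import ssl

# One line of `openssl ciphers -v` output (also the "description" field that
# ssl.SSLContext.get_ciphers() returns for each suite).
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=\S+\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Constructed sample in the `openssl ciphers -v` format (not output from a real server).
SAMPLE = """\
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
"""

def audit_cipher(line):
    """Return the cheatsheet rules a suite breaks ([] means the suite is acceptable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    proto, kx, enc, mac = (m.group(g) for g in ("proto", "kx", "enc", "mac"))
    problems = []
    # TLS 1.3 suites print Kx=any/Au=any; their key exchange is always ephemeral (EC)DH.
    if proto != "TLSv1.3" and kx != "ECDH":
        problems.append(f"key exchange {kx}: RSA kx has no forward secrecy (ROBOT), DH/DHE is exposed to Logjam")
    enc_alg = enc.split("(")[0].upper()      # "AESGCM(256)" -> "AESGCM", "AES(256)" is CBC
    if enc_alg not in ("AESGCM", "CAMELLIAGCM"):
        problems.append(f"cipher {enc}: only AES/Camellia in GCM mode (no CBC, 3DES, RC4)")
    if mac != "AEAD":
        problems.append(f"MAC {mac}: MD5/SHA1 HMACs are out; GCM suites use AEAD")
    return problems

def acceptable_suites(text):
    """Names of the acceptable suites, with ECDHE (forward secret) ones ordered first."""
    ok = [l.split()[0] for l in text.splitlines() if l.strip() and not audit_cipher(l)]
    return sorted(ok, key=lambda n: not n.startswith("ECDHE-"))

def local_cipher_report(cipher_string="ECDHE+AESGCM:!aNULL"):
    """Apply a cheatsheet-style cipher string to the local OpenSSL and list what it offers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSL, no TLSv1.0/1.1
    ctx.set_ciphers(cipher_string)
    return [c["description"].strip() for c in ctx.get_ciphers()]
```

Run `acceptable_suites(local_cipher_report())` to get the ordered list your local OpenSSL would actually negotiate under that cipher string.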