TLS Cheatsheet

The purpose of this cheatsheet is to provide others with the relevant information which will help them to configure TLS on their servers to provide an adequate level of security.

TL;DR

If you want a quick and easy reference I would recommend the following.

Protocol

  • TLSv1.2

Key Exchange

  • ECHDE
  • ECDH

Symmetric Cipher

  • AES-256 (GCM mode)
  • AES-128 (GCM mode)
  • Camellia-256 (GCM mode)
  • Camellia-128 (GCM mode)

MAC

  • SHA256
  • SHA384
  • SHA512

Also worth keeping in mind that TLSv1.3 is just around the corner. I will update this list once it is supported by the common browsers and web servers.

Protocols

SSL is dead! Under not circumstances use SSL. You should only be using TLS In terms of which versions, you should ideally be using TLSv1.2 and above (TLSv1.3 is about to be out very soon).

SSL

SSL is no longer considered secure and should not be used. The most recent vulnerability in the protocol is POODLE and this was the final nail in the coffin for this protocol.

TLS

TLSv1.0 is vulnerable to the BEAST attack, although this has been largely mitigated by client side mitigations. Some implementations of TLSv1.0 as well as TLSv1.1 are also vulnerable to POODLE.

Key Exchanges

Stick with ECDH (Elliptic-curve Diffie–Hellman) and ECDHE (Elliptic-curve Diffie–Hellman Ephemeral).

RSA

If you can, avoid using RSA (Rivest–Shamir–Adleman) since it may be vulnerable to the ROBOT attck, and the fact that RSA does not allow for Perfect Forward Secrecy.

DH/DHE

Both the DH (Diffie–Hellman) and DHE (Diffie–Hellman Ephemeral) key exchange algorithms are vulnerable to the LogJam attack.

ECDH/ECHDE

You should stick with ECDH and ECDHE, since these both do not have any known vulnerabilities at this point in time. ECHDE enables perfect forward secrecy, so cipher suites with this key exchange should be at the top of your cipher list.

Symmetric Ciphers

DES and 3DES

Both are broken and should not be used. 3DES is vulnerable to the the Sweet32 attack.

RC4

RC4 has numerous vulnerabilities, most notably the Bar-mitzvah attack and the NOMORE attack.

AES (CBC)

The CBC mode of operation in AES is vulnerable to the Lucky 13 attack.

MAC

MD

All MD MAC algorithms are no longer secure and should no longer be used.

SHA

SHA(1) has been proven to be prone to hash collisions. There is a debate whether this has a significant impact on TLS connections. Personally I prefer to not support it and instead support SHA2 and above.