TLS Cheatsheet
The purpose of this cheatsheet is to provide others with the relevant information which will help them to configure TLS on their servers to provide an adequate level of security.
TL;DR
If you want a quick and easy reference I would recommend the following.
Protocol
- TLSv1.2
Key Exchange
- ECHDE
- ECDH
Symmetric Cipher
- AES-256 (GCM mode)
- AES-128 (GCM mode)
- Camellia-256 (GCM mode)
- Camellia-128 (GCM mode)
MAC
- SHA256
- SHA384
- SHA512
Also worth keeping in mind that TLSv1.3 is just around the corner. I will update this list once it is supported by the common browsers and web servers.
Protocols
SSL is dead! Under not circumstances use SSL. You should only be using TLS In terms of which versions, you should ideally be using TLSv1.2 and above (TLSv1.3 is about to be out very soon).
SSL
SSL is no longer considered secure and should not be used. The most recent vulnerability in the protocol is POODLE and this was the final nail in the coffin for this protocol.
TLS
TLSv1.0 is vulnerable to the BEAST attack, although this has been largely mitigated by client side mitigations. Some implementations of TLSv1.0 as well as TLSv1.1 are also vulnerable to POODLE.
Key Exchanges
Stick with ECDH (Elliptic-curve Diffie–Hellman) and ECDHE (Elliptic-curve Diffie–Hellman Ephemeral).
RSA
If you can, avoid using RSA (Rivest–Shamir–Adleman) since it may be vulnerable to the ROBOT attck, and the fact that RSA does not allow for Perfect Forward Secrecy.
DH/DHE
Both the DH (Diffie–Hellman) and DHE (Diffie–Hellman Ephemeral) key exchange algorithms are vulnerable to the LogJam attack.
ECDH/ECHDE
You should stick with ECDH and ECDHE, since these both do not have any known vulnerabilities at this point in time. ECHDE enables perfect forward secrecy, so cipher suites with this key exchange should be at the top of your cipher list.
Symmetric Ciphers
DES and 3DES
Both are broken and should not be used. 3DES is vulnerable to the the Sweet32 attack.
RC4
RC4 has numerous vulnerabilities, most notably the Bar-mitzvah attack and the NOMORE attack.
AES (CBC)
The CBC mode of operation in AES is vulnerable to the Lucky 13 attack.
MAC
MD
All MD MAC algorithms are no longer secure and should no longer be used.
SHA
SHA(1) has been proven to be prone to hash collisions. There is a debate whether this has a significant impact on TLS connections. Personally I prefer to not support it and instead support SHA2 and above.