Recommended TLS versions

  • Required: TLS 1.2
  • Recommended: TLS 1.3
  • Configurations:
    • Configure the TLS 1.2 Intermediate server ciphers as specified in [1,2,3]
    • Disable by default cryptographically insecure ciphers identified in [1,3]
  • Prohibited: Any version of SSL, TLS 1.0 [5], TLS 1.1 [5]

TLS Protocol profiles recommendations

The Internet Assigned Numbers Authority (IANA), Mozilla Operations Security and Enterprise Information Security, and the Open Web Application Security Project (OWASP) maintain web pages [1,2,3] that serve as a reference guides for navigating the TLS and DTLS landscape. IANA provides the definitive guide for TLS cipher suite recommendations, adding and formally deprecating cipher suites, typically backed by referenced documentation to implement or providing justification for deprecation. Mozilla and OWASP divides the TLS ciphers into three classifications: Modern, Intermediate and Old.

  • Modern: Modern clients that support TLS 1.3, with no need for backwards compatibility
  • Intermediate: Recommended configuration for a general-purpose server
  • Old: Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8

Intermediate Ciphers for TLS 1.2

This is the recommended set of ciphers, protocol, TLS curves, supported certificate types, Diffie-Hellman parameter size, strict transport security, certificate life spans, and cipher preference. The Intermediate ciphers and configuration parameters are highly secure and compatible with nearly every client released in the last five (or more) years. Per RFC7525, Clients SHOULD include TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the first proposal to any server, unless they have prior knowledge that the server cannot respond to a TLS 1.2 client_hello message.

  • Cipher suites:
    • ECDHE_ECDSA_AES128_GCM_SHA256
    • ECDHE_RSA_AES128_GCM_SHA256
    • ECDHE_ECDSA_AES256_GCM_SHA384
    • ECDHE_RSA_AES256_GCM_SHA384
    • ECDHE_ECDSA_CHACHA20_POLY1305
    • ECDHE_RSA_CHACHA20_POLY1305
    • DHE_RSA_AES128_GCM_SHA256
    • DHE_RSA_AES256_GCM_SHA384
  • TLS curves: X25519, prime256v1, secp384r1
  • Certificate type: ECDSA (P-256) (recommended), or RSA (2048 bits)
  • DH parameter size: 2048 (ffdhe2048, RFC 7919)
  • HTTP Strict Transport Security (HSTS): max-age=63072000 (two years)
  • Maximum certificate lifespan: 90 days (recommended) to 2 years
  • Cipher preference: client chooses

Intermediate Ciphers for TLS 1.3

The following ciphers and are considered Intermediate for TLS 1.3.

  • Cipher suites (TLS 1.3):
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
  • Protocols: TLS 1.3
  • TLS curves: X25519, prime256v1, secp384r1
  • Certificate type: ECDSA (P-256) (recommended), or RSA (2048 bits)
  • DH parameter size: 2048 (ffdhe2048, RFC 7919)
  • HTTP Strict Transport Security (HSTS): max-age=63072000 (two years)
  • Maximum certificate lifespan: 90 days (recommended) to 2 years
  • Cipher preference: client chooses

Modern Ciphers for TLS 1.3

For services with clients that support TLS 1.3 and do not need backward compatibility, the Modern configuration provides an extremely high level of security.

  • Cipher suites (TLS 1.3):
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
  • Protocols: TLS 1.3
  • Certificate type: ECDSA (P-256)
  • TLS curves: X25519, prime256v1, secp384r1
  • HSTS: max-age=63072000 (two years)
  • Maximum certificate lifespan: 90 days
  • Cipher preference: client chooses

References

[1] Transport Layer Security (TLS) Parameters. https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml. Created 23 August, 2005. Last updated 7 April 2020.

[2] Security/Server Side TLS, Mozilla Wiki. https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table. 2 January 2020

[3] TLS Cipher String Cheat Sheet, OWASP Cheat Sheet Series. https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html. 2020

[4] Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). Request for Comments: 7525. Internet Engineering Task Force (IETF). https://tools.ietf.org/html/rfc7525. May 2015.

[5] Deprecating TLSv1.0 and TLSv1.1. draft-ietf-tls-oldversions-deprecate-06. Internet Engineering Task Force (IETF). https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-06. 6 January 2020.

[6] Technical specification (TS) 33.210 3G security; Network Domain Security (NDS); IP network layer security. Release 5. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2279. 27 March 2020.

  • No labels