6

I know you can set the protocol/cipher via your web server:

Nginx:

```nginx
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;
```

Apache:

```apache
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!MD5
```

But my question is: can an SSL certificate be created to only work with certain protocols?

And can a certificate be created to only work with certain ciphers?

Arian Faurtosh
  • I very much doubt it, but there are so many nuances in those standards that if I post an answer that says "no, that's not possible" then *someone* is *certain* to be able to point to something in the spec that says I'm wrong... It's like how it never rains if you bring an umbrella. – user Jul 13 '16 at 17:51
  • Your Apache config should `-SSLv3`. In addition to the answer (and my comment) below, nothing in the cert can control which SSL/TLS _versions_; however, an X.509 cert can and usually does use the ExtendedKeyUsage extension (EKU) to limit to SSL/TLS and not email (S/MIME) or vice versa, which is a 'certain' protocol but likely not the 'certain' protocol you wanted. – dave_thompson_085 Jul 14 '16 at 05:04
  • The question about the cipher is a duplicate of [Can we restrict cipher suites using server certificate?](http://security.stackexchange.com/questions/127542/can-we-restrict-cipher-suites-using-server-certificate/). The question about the protocol is not. – Steffen Ullrich Jul 14 '16 at 06:14

2 Answers

8

> ... to only work with certain protocols? ... to only work with certain ciphers?

Certificates are mostly protocol independent.

But there is a slight correlation between certificate and cipher: one part of the cipher specifies the authentication algorithm, and the possible algorithms depend on the kind of certificate. This means that you cannot use an RSA certificate with a `*_ECDSA_*` cipher, nor an ECDSA certificate with RSA key exchange. There are also ECDH (not ECDHE) and DH (not DHE) ciphers which require specific information in the certificate. But the choice of symmetric encryption (i.e. AES, RC4...) and the HMAC is independent of the certificate.

Which means the type of certificate limits which ciphers can be used but you cannot restrict the possible ciphers or protocols directly with some information in the certificate.

Steffen Ullrich
  • Symmetric is not ENTIRELY independent, see http://security.stackexchange.com/questions/127542/can-we-restrict-cipher-suites-using-server-certificate/#127751 – dave_thompson_085 Jul 14 '16 at 04:56
  • @dave_thompson_085: agreed, but this is mostly because ciphers don't contain arbitrary combinations of algorithms. – Steffen Ullrich Jul 14 '16 at 06:11
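
The constraint described in the answer above, as an added example that is not part of the original answers: the certificate's key type filters cipher suites only through their authentication (and RSA key exchange) part, while the symmetric cipher and MAC play no role. The suite list is a constructed sample in OpenSSL naming, the function names are hypothetical, and static DH/ECDH suites are reported as not modelled.

```python
# Added example: how a certificate's key type limits OpenSSL-style cipher suites.
# SAMPLE_SUITES is a constructed list; all function names are hypothetical.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",           # no prefix: RSA key exchange and RSA authentication
    "AES256-GCM-SHA384",
    "ECDH-RSA-AES128-SHA",  # static ECDH: needs specific data in the certificate
    "DH-RSA-AES256-SHA",    # static DH: same
]
# First name component of suites that carry no key-exchange/auth prefix.
BULK_FIRST = {"AES128", "AES256", "CAMELLIA128", "CAMELLIA256", "DES", "RC4", "SEED"}


def parse_suite(name):
    """Return (key_exchange, authentication, cipher_and_mac), or None if not modelled."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE") and parts[1:2] in (["RSA"], ["ECDSA"]):
        return parts[0], parts[1], "-".join(parts[2:])
    if parts[0] in BULK_FIRST:
        return "RSA", "RSA", name
    return None  # static DH/ECDH, DSS, PSK, anonymous, ...


def suites_for_cert(cert_key_type, suites):
    """Sort suites by whether a certificate of this key type ("RSA" or "ECDSA") fits."""
    result = {"usable": [], "excluded": [], "not_modelled": []}
    for name in suites:
        parsed = parse_suite(name)
        if parsed is None:
            result["not_modelled"].append(name)
        elif parsed[1] == cert_key_type:
            result["usable"].append(name)
        else:
            result["excluded"].append(name)
    return result


if __name__ == "__main__":
    for key_type in ("RSA", "ECDSA"):
        split = suites_for_cert(key_type, SAMPLE_SUITES)
        print(key_type, "certificate")
        for name in split["usable"]:
            print("  usable:", name, "-> cipher/MAC part:", parse_suite(name)[2])
        print("  excluded by key type:", ", ".join(split["excluded"]))
        print("  not modelled:", ", ".join(split["not_modelled"]))
```
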
1

It would help if you think of the certificate-based authentication or identity verification, separate from the integrity exchange, where the SSL ciphers really come in.

The certificate is only good for verifying the server "X" is really "X" and not "x".

The ciphers are, instead, used to provide a mechanism where you establish the symmetric key for data exchange. As you would guess, this phase would happen once the server authenticity has been established.

sandyp