6

I am looking for some advice on setting the ciphers for nginx with SSL.

What would you recommend for a good compromise between security and compatibility at the moment?

I have done some research but the solutions are sometimes very different and it gets confusing.

  • For example, this site https://cipherli.st/ recommends only:

    AES256+EECDH:AES256+EDH
    

    Does that mean that if those cannot be used, there will be an error? Isn't it a bit too restrictive then?

  • Mozilla recommends much bigger lists:

    In those, AES128 seems to be preferred over AES256 since I understood that the order matters, correct?

    Isn't AES256 better if it is available? Why don't they put them first then?

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
  • This post recommends quite a small list compared to Mozilla:

    What's the difference between ECDH here vs. ECDHE with Mozilla?

    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    
  • Comodo recommends something different again:

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    

Well, I am a bit lost. I found this post (Recommended ssl_ciphers for security, compatibility - Perfect Forward secrecy) but it does not help since there are also many versions and it's not easy to sort them out.

Any advice?

Thanks

Michael

2 Answers

2

The Mozilla Server Side TLS guide you linked to is an excellent resource to follow for ciphersuite choices. Ciphersuite choices will change as new vulnerabilities in TLS emerge and Mozilla seems to do a good job in keeping up-to-date with recommendations.

AES-128 is generally preferred because people think bigger is better. Both AES-128 and AES-256 are secure against known attacks and there is a non-negligible performance cost to using AES-256 over AES-128.

ECDHE uses ephemeral keys while ECDH does not. Thus, ECDHE provides perfect forward secrecy while ECDH does not.

  • Thanks for your help. You're right, the Mozilla recommendation seems like a good choice. The first site in my list uses `EECDH` and `EDH` which is even different than `ECDH` and `ECDHE`. Do you know the differences? – Michael Dec 07 '14 at 18:03
  • @YAmikep OpenSSL uses EDH in some places where the standards use DHE and similarly EECDH in a few places where the standards use ECDHE. OpenSSL also uses ADH and AECDH instead of standard DH_anon and ECDH_anon (but anon suites are almost always a bad idea anyway) and has some other variations from standard spelling as well. The ciphers(1ssl) manpage on an installed system shows the mapping, but a code change to fix(?) some of these is pending for the next release and the online manpage already reflects that change. PS: +atleast1 for Mozilla. – dave_thompson_085 Dec 08 '14 at 09:42
  • @Terry Chia - the Mozilla lists in the original question include DSS ciphers, which [ssllabs.com](www.ssllabs.com) shows to be almost entirely based on 1024 bit DSA keys in practice at this point in time; thus, I would add !DSS to those lists. The ordering also puts some SHA1 MAC cipher suites ahead of some SHA2 MAC cipher suites, which I believe to be suboptimal at this point in time. – Anti-weakpasswords Jan 03 '15 at 07:07
2

I have the following in my nginx /etc/nginx/perfect-forward-secrecy.conf, which gives me an A grade on SSL labs. Your certificate should be SHA256 though.

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM !RC4";
    ssl_dhparam /my/path/to/dh4096.pem;

Since most up-to-date browsers support TLS, I personally have disabled SSLv3 due to the Poodle vulnerability and am not willing to run with RC4-based ciphers.

Jeroen
  • Thanks for your response. How does it actually work to tell "not to use RC4"? I thought the `!` character would tell "not" but you have `RC4` without it. I notice you use spaces instead of `:` between each cypher, does it matter or can we use any separator? – Michael Dec 07 '14 at 18:07
  • I am not aware of the ":" separator, I've always used spaces. Regarding RC4, it is strange since my output of sslscan is this: root@ns1:~# sslscan www.nerdbox.it | grep "Accepted" --> ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA and DHE-RSA-CAMELLIA128-SHA – Jeroen Dec 08 '14 at 06:08
  • I just noticed that when copying my /etc/nginx/perfect-forward-secrecy.conf the third line ended while there was more. I've changed it in the original answer. My guess regarding RC4 is that I made a mistake in the config by first allowing RC4 and in the end telling not to use RC4 (see my edited answer) – Jeroen Dec 08 '14 at 06:15
  • @YAmikep within OpenSSL (which appears to be the only cases that website considers) you can use space, comma, colon or semicolon as separator. Whether all of these work in the application *calling* OpenSSL varies, and colon generally seems to work more or less "everywhere". – dave_thompson_085 Dec 08 '14 at 09:30
  • @Jeroen - IT Nerdbox, your list puts ECDHE non-AEAD, SHA-1 MAC ciphers ahead of DHE AEAD ciphers; is there either a security or a compatibility reason for that? In general at this time, I use only FS cipher suites, and put all AEAD suites first, then CBC SHA-2 suites, then, if required, everything else. – Anti-weakpasswords Jan 03 '15 at 07:04
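
The points raised in this thread (order of preference, what `!` does, which separators work, and the EECDH/ECDHE spellings) can be checked against the local OpenSSL build by expanding each cipher string into the suites it actually selects. This is an added example, not code from any of the posters; the helper names `expand`, `same_selection` and `offers` are made up here, and the exact suite lists depend on the OpenSSL version Python is linked against.

```python
import ssl

# Cipher strings quoted in the thread above.
CIPHERLIST = "AES256+EECDH:AES256+EDH"
MOZILLA_HEAD = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
                "ECDHE-RSA-AES256-GCM-SHA384")
JEROEN = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
          "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
          "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 "
          "!EXP !PSK !SRP !DSS !MEDIUM !RC4")


def expand(cipher_string):
    """Suites (TLS 1.2 and below) that OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately from this string; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def same_selection(a, b):
    """True if two cipher strings expand to the same ordered suite list."""
    return expand(a) == expand(b)


def offers(cipher_string, token):
    """True if any selected suite name contains token (e.g. 'RC4', 'AES128')."""
    return any(token in name for name in expand(cipher_string))


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # Explicit suite names keep the order they were written in.
    print("Mozilla head:", expand(MOZILLA_HEAD))
    # A client that offers none of these has no suite in common with the server.
    print("cipherli.st :", expand(CIPHERLIST))
    # '!' removes a cipher for good, wherever it appears in the string.
    print("RC4 offered :", offers(JEROEN, "RC4"))
    print("AES128 back :", offers("ECDHE+AESGCM:!AES128:ECDHE+AES128", "AES128"))
    # OpenSSL and standard spellings, and the separators named in the comments.
    print("EECDH==ECDHE:", same_selection("EECDH+AESGCM:EDH+AESGCM",
                                          "ECDHE+AESGCM:DHE+AESGCM"))
    print("':' == ' '  :", same_selection("ECDHE+AESGCM:DHE+AESGCM",
                                          "ECDHE+AESGCM DHE+AESGCM"))
```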