A very useful SSL Ciphers Guide

vlee

• June 24, 2017 12:44

I stumbled across this website called luxsci.com/blog/level-ssl-tls-required-hipaa.html This website has very useful information I want to share here to those who maybe interested it. However, there are serious considerations around the use of "CBC" ciphers as documented in NIST 800-52, in this article, especially if they are used with the TLS v1.0 protocol. As a result, it is best to remove CBC ciphers from the supported list (this has little negative impact, aside from not supporting the native Windows XP encryption stack which, of the list above, only supports DES-CBC3-SHA. That said, Windows XP is long deprecated). So, your "good cipher" list is now:
ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA256:AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:DH-DSS-AES128-SHA256:DH-DSS-AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384
So, in order to achieve HIPAA compliance, you must start by

]
• Turning OFF SSL v2 and SSL v3
• Enabling TLS 1.0 and higher
• Restrict the ciphers you will be using to ONLY those in the CBC-free above list.

Note: The SSL Cipher List above should be the cPanel Standard I hope this helps everyone including cPanel for future cPanel releases.

• 

  cPanelMichael

  • June 26, 2017 16:20

  Hello, Thanks for taking the time to share!

  0
• 

  PbG

  • October 03, 2017 15:37

  My concern with this suite are:
  Android 7.0 Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 BingPreview Jan 2015 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS Chrome 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Chrome 57 / Win 7 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Firefox 31.3.0 ESR / Win 7 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS Firefox 47 / Win 7 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Firefox 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Firefox 53 / Win 7 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 IE 11 / Win 10 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Edge 13 / Win 10 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Edge 13 / Win Phone 10 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Safari 9 / iOS 9 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Safari 9 / OS X 10.11 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Safari 10 / iOS 10 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Safari 10 / OS X 10.12 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Apple ATS 9 / iOS 9 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDH secp256r1
  Using the previous suite this only occurred with the following but also allowed a weak 128 cipher as a last resort.
  Chrome 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Chrome 57 / Win 7 R RSA 2048 (SHA256) TLS 1.2 > h2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS Firefox 31.3.0 ESR / Win 7 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS Firefox 47 / Win 7 R Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1
  Thank you for sharing both BTW

  I stumbled across this website called luxsci.com/blog/level-ssl-tls-required-hipaa.html This website has very useful information I want to share here to those who maybe interested it. However, there are serious considerations around the use of "CBC" ciphers as documented in NIST 800-52, in this article, especially if they are used with the TLS v1.0 protocol. As a result, it is best to remove CBC ciphers from the supported list (this has little negative impact, aside from not supporting the native Windows XP encryption stack which, of the list above, only supports DES-CBC3-SHA. That said, Windows XP is long deprecated). So, your "good cipher" list is now:
  ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA256:AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:DH-DSS-AES128-SHA256:DH-DSS-AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384
  So, in order to achieve HIPAA compliance, you must start by

  ]
  • Turning OFF SSL v2 and SSL v3
  • Enabling TLS 1.0 and higher
  • Restrict the ciphers you will be using to ONLY those in the CBC-free above list.

  Note: The SSL Cipher List above should be the cPanel Standard I hope this helps everyone including cPanel for future cPanel releases.

  
  

  0

Please sign in to leave a comment.