Use: TLS v1.1 and 1.2

Avoid: TLSv1.0 or lower or SSLv3 or lower

Note: TLSv1.0 is susceptible to the BEAST attack and SSLv3.0 is susceptible to the POODLE attack.

TLS Recommended Ciphers:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_192_CBC_SHA256 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_192_GCM_SHA256 as defined in RFC 5289

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_192_GCM_SHA256 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_192_CBC_SHA256 as defined in RFC 5289

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289

Avoid the following ciphers:

Note: The above DHE ciphers are safe to use only if dh group 14 (2048 bit) key sizes are being used for key exchange.  If a lower dh group size is used with DHE ciphers then your server will be susceptible to the logjam attack.  This setting may have to be set in the openssl code.  There is not a configurable option external to the openssl module.  Apache allows for configuring the dh parameters via their management interface.

The following ciphers should be disabled based on the ROBOT attack (see below). The reason is they use RSA for both authentication and key exchange so they use a static public key in a X.509 certificate for key exchange; thus, they do not provide perfect forward secrecy:


The problem with this is that using RSA for key exchange does not provide perfect forward secrecy since you are not using ephemeral “one-time use” keys.  Update  Not only does using RSA for both authentication and encryption NOT provide perfect forward secrecy, but using it for encryption has been broken.  “The use of a ROBOT attack fully breaks the confidentiality of SSL/TLS when used with RSA encryption. It enables an attacker to perform RSA decryption and signing operations with the private key of an SSL/TLS server. As a result, an attacker could record SSL/TLS traffic and decrypt it at a later time.” -Bruce Morton blog.  See the ROBOT attack site full information: ROBOT attack.

Several servers that were vulnerable to ROBOT have provided patches. The researchers have stated the patch list will be kept up to date as more patches are released.

In addition to patching servers, the researchers state that RSA encryption should be disabled from SSL/TLS cipher suites. This means all cipher suites that start with TLS_RSA should be disabled, for example:


Not only is RSA encryption vulnerable to ROBOT, it does not support perfect forward secrecy. Most SSL/TLS connections use the Elliptic Curve Diffie Hellman key exchange (ECDHE) and need RSA only for signatures, for instance:


* Setup DH parameters to enable ephemeral DH 2048 cipher suites

  • Use X.509v3 certificates for mutual authentication for server to server authentication.
  • Use: secp256r1, secp384r1, secp521r1
  • Server and Client must reject any connections offering SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0
  • For most websites, using RSA keys stronger than 2048 bits and ECDSA keys stronger than 256 bits is a waste of CPU resources and might impair user experience. Similarly, increasing the strength of the ephemeral key exchange beyond 256 bits for ECDHE has little benefit.
  • Avoid: OpenSSL v1.0.0 and below EOL, v1.0.1 EOL 12/31/16

More info on why not to use DH and ECDH curves:

The DH and ECDH curves should not be used because they do not provide perfect forward secrecy. The reason is that only Diffie Hellman in ephemeral mode uses “one time use” private keys.  DH and ECDH use values based on the stored certificates.  Chris McNab’s Network Security Assessment book warns “When using DH in a static mode, dh_g, dh_p, dh_Ys, and rand_s are fixed and do not provide forward secrecy.”  Here is another good write-up:

Do not use DSA because “A signature scheme based on the digital signature algorithm (DSA, designedby NSA) is used for server authentication, the knowledge of just one signature nonce enables the attacker to compute the server’s secret identity key and thus to impersonate the server.” – Dual EC: A Standardized Back Door Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen