Use: TLS 1.2 (TLS 1.1 was still acceptable when this was written, but RFC 8996 deprecated TLS 1.0 and 1.1 in 2021; treat 1.2 as the floor and enable TLS 1.3 where the stack supports it)

Avoid: TLS 1.0 and everything below it (SSLv3, SSLv2)

Recommended TLS cipher suites (all ECDHE, so every handshake uses a fresh key-exchange key and the session has forward secrecy; prefer the GCM suites, which are AEAD and sidestep the CBC padding-oracle class of bugs):

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289

Note: there are no AES-192 cipher suites in TLS. RFC 5289 and the IANA registry define only the AES-128 and AES-256 variants listed above, so a configuration or scanner line naming a TLS_..._AES_192_... suite is a typo, not a suite you can enable.

DHE suites: acceptable only with 2048-bit or larger DH parameters; otherwise avoid them:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Note: The DHE suites above do provide forward secrecy, but only as strong as the Diffie-Hellman group the server uses. With a group smaller than 2048 bits (group 14) the server is exposed to the Logjam attack: 1024-bit groups, which many servers historically used by default, are within reach of a well-resourced attacker, and the export-grade 512-bit groups are broken outright. OpenSSL does not choose the group itself; the application hands it the parameters (SSL_CTX_set_tmp_dh), so the fix lives in the server's configuration rather than in OpenSSL. Apache 2.4.8 and later (with OpenSSL 1.0.2 or later) take custom parameters via SSLOpenSSLConfCmd DHParameters, and from 2.4.7 also from a DH PARAMETERS block appended to the SSLCertificateFile; nginx uses ssl_dhparam. Generate the parameters with openssl dhparam at 2048 bits or more (see the dhparam reference below) and confirm the deployed group size with a scanner such as testssl.sh before enabling any DHE suite.

The following suites may still need to be enabled for compatibility with older clients, but they are not recommended. They use RSA for both authentication and key exchange: the client encrypts the premaster secret to the static public key in the server's X.509 certificate, so the key exchange is not ephemeral ("one-time use") and there is no forward secrecy. Anyone who records the traffic and later obtains the server's private key can decrypt every past session.

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

If they must be kept, list them after the ECDHE suites and have the server enforce its own cipher order, so that every client capable of ECDHE negotiates it.
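The policy in the three lists above (ECDHE recommended, DHE only with a large enough group, static RSA key exchange without forward secrecy, DSS and legacy ciphers rejected) as a check you can run over a scanner's output. This is an added example written for this page in Python, not code from the original page; it classifies IANA-style suite names only, and the function names, verdict labels and the sample offer list are constructed here.

```python
"""Classify TLS 1.2-style cipher-suite names against the policy above.
Added example; not code from the original page."""
import re

# IANA suite names look like TLS_<kex>_<auth>_WITH_<bulk>_<mac>.
_SUITE = re.compile(
    r"^TLS_(?P<kex>[A-Za-z_]+?)_WITH_(?P<bulk>.+)_(?P<mac>SHA256|SHA384|SHA|MD5)$")

# Key exchange that reuses the key in the certificate: no forward secrecy.
STATIC_KEX = {"RSA", "DH_RSA", "DH_DSS", "ECDH_ECDSA", "ECDH_RSA"}
# Bulk ciphers this page recommends. No AES-192 suite is registered, and
# RC4, DES/3DES, NULL and export ciphers are rejected by not being listed.
ACCEPTED_BULK = {"AES_128_GCM", "AES_256_GCM", "AES_128_CBC", "AES_256_CBC"}
# TLS 1.3 suites (RFC 8446) carry no key-exchange name; the handshake is
# always ephemeral (EC)DHE, so they are accepted as-is.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}


def classify_suite(name):
    """Return (verdict, reason). Verdicts: recommended, conditional,
    no-pfs, avoid."""
    name = name.replace(" ", "")  # tolerate 'CBC_ SHA256'-style typos
    if name in TLS13_SUITES:
        return "recommended", "TLS 1.3 suite, key exchange is always ephemeral"
    m = _SUITE.match(name)
    if not m:
        return "avoid", "not a recognised TLS suite name"
    kex, bulk = m.group("kex"), m.group("bulk")
    if "DSS" in kex or "anon" in kex or "NULL" in kex:
        return "avoid", "DSA, anonymous or NULL authentication"
    if bulk not in ACCEPTED_BULK:
        return "avoid", "unrecognised or legacy bulk cipher %s" % bulk
    if kex.startswith("ECDHE_"):
        return "recommended", "ephemeral ECDH gives forward secrecy"
    if kex.startswith("DHE_"):
        return "conditional", "forward secrecy only with >= 2048-bit DH parameters (Logjam)"
    if kex in STATIC_KEX:
        return "no-pfs", "key exchange uses the static certificate key, no forward secrecy"
    return "avoid", "unknown key exchange %s" % kex


def audit(names):
    """Group a server's offered suites by verdict, preserving offer order."""
    report = {"recommended": [], "conditional": [], "no-pfs": [], "avoid": []}
    for n in names:
        verdict, _ = classify_suite(n)
        report[verdict].append(n.replace(" ", ""))
    return report


# Constructed sample: what a scanner might report for a mixed-policy server.
SAMPLE_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_192_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    for verdict, suites in audit(SAMPLE_OFFER).items():
        print(verdict, suites)
```

The "conditional" verdict for DHE is deliberate: the suite name alone cannot tell you the group size, so a DHE hit should be followed by checking the server's actual DH parameters.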

* Set up 2048-bit (or larger) DH parameters so that the ephemeral DH cipher suites use a group-14-sized group

  • Use X.509v3 certificates with mutual (client-certificate) authentication for server-to-server connections.
  • Use the curves secp256r1, secp384r1 and secp521r1 for ECDHE key exchange and ECDSA certificates.
  • Server and client must reject any connection offering SSL 2.0, SSL 3.0 or TLS 1.0 (and, per RFC 8996, TLS 1.1).
  • For most websites, RSA keys stronger than 2048 bits and ECDSA keys stronger than 256 bits waste CPU and may impair user experience. Likewise, pushing the ECDHE key exchange beyond a 256-bit curve adds little, since the session is already bounded by the strength of the certificate key and the symmetric cipher.
  • Avoid OpenSSL 1.0.0 and below (end of life) and 1.0.1 (end of life 2016-12-31); see https://www.openssl.org/policies/releasestrat.html and run a currently supported release.
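The bullets above as a runnable server configuration, written for this page as an added example using Python's ssl module (it is not code from the page and not an Apache configuration): it sets the TLS 1.2 floor, restricts TLS 1.2 to the ECDHE suites, prefers secp256r1, optionally loads a client CA for mutual authentication and a DH parameter file, and refuses DH parameters below 2048 bits by reading the PKCS#3 DER structure directly. The function names, the small PEM encoder used to build the fixture, and the fixture values are constructed here; the fixture primes are not real safe primes and exist only to exercise the size check.

```python
"""Server-side ssl.SSLContext implementing the bullet list above, plus a
size check for DH parameters before they are loaded.
Added example; not code from the original page."""
import base64
import ssl

# The recommended ECDHE suites in OpenSSL's naming, AEAD (GCM) first.
ECDHE_SUITES = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
])
MIN_DH_BITS = 2048  # group 14; smaller groups are Logjam territory


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(der, pos):
    """Decode the DER length at pos; return (length, position after it)."""
    if der[pos] & 0x80:
        n = der[pos] & 0x7F
        return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n
    return der[pos], pos + 1


def dh_param_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' blob.
    PKCS#3 parameters are DER SEQUENCE { INTEGER p, INTEGER g }, so only
    the outer header and the first INTEGER need to be parsed."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = _read_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER p")
    length, pos = _read_len(der, pos + 1)
    # A leading 0x00 pad byte does not change the integer's bit length.
    return int.from_bytes(der[pos:pos + length], "big").bit_length()


def make_dh_pem(p, g=2):
    """Encode (p, g) as PEM. Used here only to build a constructed fixture;
    real parameters come from 'openssl dhparam -out dhparams.pem 2048'."""
    def der_int(n):
        b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # +8: 0x00 pad when top bit set
        return b"\x02" + _der_len(len(b)) + b
    inner = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(inner)) + inner).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


def build_server_context(certfile=None, keyfile=None, cafile=None, dhparams=None):
    """Context that accepts only TLS 1.2+ and, for TLS 1.2, only ECDHE suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Floor at 1.2: rejects SSLv2/3, TLS 1.0 and TLS 1.1 (deprecated by RFC 8996).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ECDHE_SUITES)              # TLS 1.3 suites are unaffected
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    try:
        ctx.set_ecdh_curve("prime256v1")       # secp256r1 for ECDHE
    except (AttributeError, ValueError):
        pass                                   # keep OpenSSL's default groups
    if dhparams:                               # only needed if DHE suites are added above
        if dh_param_bits(open(dhparams).read()) < MIN_DH_BITS:
            raise ValueError("DH parameters smaller than %d bits" % MIN_DH_BITS)
        ctx.load_dh_params(dhparams)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:                                 # mutual auth for server-to-server links
        ctx.load_verify_locations(cafile)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_summary(ctx):
    """Plain-data view of the negotiable settings, for checks and logging."""
    return {
        "min_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "tls12_suites": sorted(c["name"] for c in ctx.get_ciphers()
                               if c["protocol"] != "TLSv1.3"),
    }
```

Server-side cipher preference is not one of the page's bullets but is what makes the ordering of the suite list mean anything; and because the DHE suites are left out of ECDHE_SUITES, the DH parameter check only matters if you add them, in which case it enforces the 2048-bit rule from the note above before OpenSSL ever sees the file.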

More info on why not to use static DH and ECDH key exchange:

The static DH_* and ECDH_* suites (TLS_DH_RSA_*, TLS_DH_DSS_*, TLS_ECDH_ECDSA_*, TLS_ECDH_RSA_*) should not be used because they do not provide forward secrecy. Only Diffie-Hellman in ephemeral mode (DHE and ECDHE) generates a fresh "one time use" private key for each handshake; in static mode the server's DH or ECDH public key is the one carried in its certificate, so the same long-term key takes part in every session and compromising it exposes all of them. This is a property of the key-exchange mode, not of the curve: secp256r1 is fine in ECDHE and loses forward secrecy in static ECDH for exactly this reason. Chris McNab's Network Security Assessment book warns "When using DH in a static mode, dh_g, dh_p, dh_Ys, and rand_s are fixed and do not provide forward secrecy." Here is another good write-up: http://crypto.stackexchange.com/questions/15329/tls-ssls-usage-of-non-ephemeral-dh-vs-dhe.

Do not use DSA (the TLS_DHE_DSS_* and TLS_DH_DSS_* suites) because "A signature scheme based on the digital signature algorithm (DSA, designed by NSA) is used for server authentication, the knowledge of just one signature nonce enables the attacker to compute the server's secret identity key and thus to impersonate the server." – Dual EC: A Standardized Back Door, Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen. Note that ECDSA shares this dependence on nonce secrecy and quality (use deterministic nonces per RFC 6979 or a well-seeded CSPRNG); the further practical reasons to drop the DSS suites are that DSA keys in TLS are in practice limited to 1024 bits and that mainstream browsers have removed support for them.

References:

https://weakdh.org/sysadmin.html

https://www.openssl.org/docs/manmaster/apps/dhparam.html

https://www.commoncriteriaportal.org/files/ppfiles/CPP_ND_V1.0.pdf

https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

https://testssl.sh/openssl-rfc.mappping.html