AnsweredAssumed Answered

Ciphers ordering

Question asked by PhBrand on Jan 5, 2017
Latest reply on Jan 5, 2017 by Stephen_Hughes

Hi,

 

Is there a way to specify that cipher ordering should be in charge of the "server", thus the API Gateway, instead of letting the client decide based upon *his* own cipher list ?

We want to force most "secure" cipher based on our RSA certificate (don't use yet ECDSA for technical reasons).

Is this something that could be achieved through "Advanced Properties" in Listen Port configuration ?

Complimentary question: what about OCSP stapling ?

 

./cipherscan --sigalg --curves xxxx.xxxx.com:8443
....................................................................
Target: xxxx.xxxx.com:8443

prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
3 AES256-GCM-SHA384 TLSv1.2 None None
4 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
6 AES128-GCM-SHA256 TLSv1.2 None None

Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: client - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE

 

TLSv1.2 ephemeral sigalgs:
no PFS ECDSA ciphers detected
RSA test: intolerant of sigalg removal
Server side sigalg ordering

 

Supported PFS RSA signature algorithms
prio sigalg
1 SHA256

TLS Tolerance: yes

Outcomes