https://community.hpe.com/t5/operating-system-linux/ciphers-suites-to-diable/m-p/4174039#M32134 Hello all<BR />which of the following cipher suites is the weakest?<BR />I should disable the weakest in order to adding more security on the system.<BR />Obviously i need to forecast impacts in disabling the cipher suite, man pages are not so helpfull.<BR /><BR />&gt; openssl ciphers -v<BR />DHE-RSA-AES256-SHA<BR />DHE-DSS-AES256-SHA<BR />AES256-SHA<BR />EDH-RSA-DES-CBC3-SHA<BR />EDH-DSS-DES-CBC3-SHA<BR />DES-CBC3-SHA<BR />DES-CBC3-MD5<BR />DHE-RSA-AES128-SHA<BR />DHE-DSS-AES128-SHA<BR />AES128-SHA<BR />IDEA-CBC-SHA<BR />IDEA-CBC-MD5<BR />RC2-CBC-MD5<BR />DHE-DSS-RC4-SHA<BR />RC4-SHA<BR />RC4-MD5<BR />RC4-MD5<BR />RC4-64-MD5<BR />EXP1024-DHE-DSS-DES-CBC-SHA<BR />EXP1024-DES-CBC-SHA<BR />EXP1024-RC2-CBC-MD5<BR />EDH-RSA-DES-CBC-SHA<BR />EDH-DSS-DES-CBC-SHA<BR />DES-CBC-SHA<BR />DES-CBC-MD5<BR />EXP1024-DHE-DSS-RC4-SHA<BR />EXP1024-RC4-SHA<BR />EXP1024-RC4-MD5<BR />EXP-EDH-RSA-DES-CBC-SHA<BR />EXP-EDH-DSS-DES-CBC-SHA<BR />EXP-DES-CBC-SHA<BR />EXP-RC2-CBC-MD5<BR />EXP-RC2-CBC-MD5<BR />EXP-RC4-MD5<BR />EXP-RC4-MD5<BR /><BR /><BR />Thanks in advance <BR />RV Fri, 04 Apr 2008 12:06:14 GMT Roberto Volsa 2008-04-04T12:06:14Z https://community.hpe.com/t5/operating-system-linux/ciphers-suites-to-diable/m-p/4174039#M32134 Hello all<BR />which of the following cipher suites is the weakest?<BR />I should disable the weakest in order to adding more security on the system.<BR />Obviously i need to forecast impacts in disabling the cipher suite, man pages are not so helpfull.<BR /><BR />&gt; openssl ciphers -v<BR />DHE-RSA-AES256-SHA<BR />DHE-DSS-AES256-SHA<BR />AES256-SHA<BR />EDH-RSA-DES-CBC3-SHA<BR />EDH-DSS-DES-CBC3-SHA<BR />DES-CBC3-SHA<BR />DES-CBC3-MD5<BR />DHE-RSA-AES128-SHA<BR />DHE-DSS-AES128-SHA<BR />AES128-SHA<BR />IDEA-CBC-SHA<BR />IDEA-CBC-MD5<BR />RC2-CBC-MD5<BR />DHE-DSS-RC4-SHA<BR />RC4-SHA<BR />RC4-MD5<BR />RC4-MD5<BR />RC4-64-MD5<BR />EXP1024-DHE-DSS-DES-CBC-SHA<BR />EXP1024-DES-CBC-SHA<BR />EXP1024-RC2-CBC-MD5<BR />EDH-RSA-DES-CBC-SHA<BR />EDH-DSS-DES-CBC-SHA<BR />DES-CBC-SHA<BR />DES-CBC-MD5<BR />EXP1024-DHE-DSS-RC4-SHA<BR />EXP1024-RC4-SHA<BR />EXP1024-RC4-MD5<BR />EXP-EDH-RSA-DES-CBC-SHA<BR />EXP-EDH-DSS-DES-CBC-SHA<BR />EXP-DES-CBC-SHA<BR />EXP-RC2-CBC-MD5<BR />EXP-RC2-CBC-MD5<BR />EXP-RC4-MD5<BR />EXP-RC4-MD5<BR /><BR /><BR />Thanks in advance <BR />RV Fri, 04 Apr 2008 12:06:14 GMT https://community.hpe.com/t5/operating-system-linux/ciphers-suites-to-diable/m-p/4174039#M32134 Roberto Volsa 2008-04-04T12:06:14Z https://community.hpe.com/t5/operating-system-linux/ciphers-suites-to-diable/m-p/4174040#M32135 If you are setting up a public site, you'll need to know what algorithms are most likely to be supported by the various client applications. It's no good to have a secure site, if it is inaccessible by your potential users.<BR /><BR />To get up-to-date information, you should Google for recent research on cryptography and SSL/TLS usage.<BR /><BR />For example, a search with words "crypto algorithm strength compare" produced this hit that looks useable for you:<BR /><A href="http://www.imconf.net/imc-2007/papers/imc130.pdf" target="_blank">http://www.imconf.net/imc-2007/papers/imc130.pdf</A><BR /><BR />A quick summary:<BR /><BR />Single-DES is far too weak, so you should disallow DES-CBC-SHA and DES-CBC-MD5.<BR /><BR />Triple-DES (DES-CBC3-*) is still adequate, but inefficient: it's slower than other algorithms of equivalent strength. You should prefer something else over triple-DES, but you can still allow triple-DES if necessary for compatibility.<BR /><BR />You should prefer <ANYTHING>-SHA over <ANYTHING>-MD5, although both SHA and MD5 seem to be still OK (so far) when used in the specific way SSL 3.0 and TLS 1.0 use them.<BR /><BR />Whatever you do, avoid SSL version 2.0 if possible: that protocol version has serious flaws that can undermine the strength of any cipher used with it.<BR /><BR />MK</ANYTHING></ANYTHING> Sat, 05 Apr 2008 11:37:58 GMT https://community.hpe.com/t5/operating-system-linux/ciphers-suites-to-diable/m-p/4174040#M32135 Matti_Kurkela 2008-04-05T11:37:58Z