diff options
Diffstat (limited to 'contrib/nssciphersuite/README.txt')
-rw-r--r-- | contrib/nssciphersuite/README.txt | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/contrib/nssciphersuite/README.txt b/contrib/nssciphersuite/README.txt new file mode 100644 index 000000000..c36594b9b --- /dev/null +++ b/contrib/nssciphersuite/README.txt @@ -0,0 +1,36 @@ +Cipher suite for mod_nss +------------------------ + +The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and +creates a list of secure cipher suites for TLS. The script filters out +insecure, obsolete and slow ciphers according to some rules. + +As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14 +cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The +cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH +key exchange. https://www.ssllabs.com/ gives a 'A' grade. + +Note: +No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8 +support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA. + +# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH +# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE +# enabled cipher suites: +# TLS_RSA_WITH_AES_128_CBC_SHA256 +# TLS_RSA_WITH_AES_256_CBC_SHA256 +# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 +# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA +# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA +# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +# TLS_RSA_WITH_AES_128_GCM_SHA256 +# TLS_RSA_WITH_AES_128_CBC_SHA +# TLS_RSA_WITH_AES_256_GCM_SHA384 +# TLS_RSA_WITH_AES_256_CBC_SHA +# + +NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha |