
SSL/TLS/Ciphers Best Practices and Suggested Configurations at NAU

Heartbleed (a bug in OpenSSL's heartbeat handling), POODLE (a design flaw in SSLv3) and, most recently, FREAK (a downgrade to export-grade RSA key exchange) have exposed weaknesses in both SSL/TLS implementations and the old protocol versions and cipher suites that servers still enable by default. Shellshock, patched in the same period, is a bash flaw rather than an SSL one, but it reinforced the same lesson about unpatched servers. Because of this it is crucial to configure servers as securely as possible so that data in transit is reliably encrypted. The goal is to keep data from being intercepted or downgraded by enabling only strong protocols and cipher suites and ordering them correctly. The information here provides tools to check your servers, modify configuration settings and establish more secure transmissions. Suggested steps, helpful links, recommendations and screenshots are provided below:



1. Check the status of your servers with free online tools, both before and after config changes (these scanners can only reach hosts exposed to the internet):
a. SSL Labs: free online tool that tests your server's certificate, protocols and ciphers.
i. https://www.ssllabs.com/ssltest/
ii. Be sure to check the box "Do not show the results on the boards" before submitting!
b. Comodo SSL Analyzer: free online tool that tests your server's certificate, protocols and ciphers.
i. https://sslanalyzer.comodoca.com/

2. Consider a pre-built configuration suggestion (SEE SCREENSHOTS BELOW FOR SAMPLES):
a. Mozilla wiki: in-depth reading, sample configurations, and the browser versions each profile supports.
i. https://wiki.mozilla.org/Security/Server_Side_TLS
ii. The Intermediate compatibility profile is strongly encouraged by ITS.
1. TLSv1, TLSv1.1, TLSv1.2; 2048-bit key; SHA2 certificate; cipher suites listed in order of priority.
iii. The Modern compatibility profile should be considered only if you can guarantee that your end-users' browsers are among the versions it lists.
1. TLSv1.1, TLSv1.2; 2048-bit key; SHA2 certificate; cipher suites listed in order of priority.
b. Qualys SSL Labs Best Practices for SSL/TLS Deployment
i. https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf

3. Modify configurations: tools that illustrate examples and generate settings you can copy and paste:
a. Mozilla Configuration Generator: generates a config file quickly (Apache, Nginx, OpenSSL); pick the same profile you chose in step 2.
i. https://mozilla.github.io/server-side-tls/ssl-config-generator/
b. IIS Crypto: free tool from Nartac Software that lets Windows Server administrators enable and disable SChannel protocols and cipher suites quickly.
i. https://www.nartac.com/Products/IISCrypto/Default.aspx
c. More from Microsoft on the suggested cipher list and Group Policy usage, in security bulletin MS15-031 on TechNet:
i. https://technet.microsoft.com/library/security/MS15-031
ii. The approved March 2015 Windows updates include this fix (KB3046049). SChannel registry and Group Policy changes take effect only after a reboot.

NOTE: If you are responsible for a large number of servers where checking the status one-by-one is
overwhelming, please contact infosec@nau.edu and we can coordinate the running of a multi-host scan.


Some Helpful Tips & Screen-shots of the above pages:



Certificate Standards
2048-bit key or stronger
SHA2 signature (SHA-1 certificates are being phased out by browsers)
Reliable Certificate Authority (CA)

Protocols
TLSv1.2
Should be the main protocol used; it is the only version listed here that supports AEAD (AES-GCM) cipher suites.
TLSv1.1
Some older clients or OS levels may still rely on it.
TLSv1.0
Avoid if possible; if old clients force you to keep it, plan to retire it as soon as possible.
SSLv2
Must not be used; insecure.
SSLv3
Must not be used; POODLE makes it practically exploitable under HTTPS, and it is weak with other protocols as well.

Cipher Suites
Use cipher suites that provide at least 128 bits of security
Give priority to the strongest suites by ordering them first in config lists, and make the server enforce its own order rather than the client's
Use suites that support forward secrecy (ECDHE or DHE key exchange) whenever possible, and give them priority
Do not use anonymous suites (no authentication; a man-in-the-middle needs no certificate)
Do not use NULL cipher suites (no encryption)
Do not use weak ciphers, such as 40- or 56-bit export and DES suites, whose encryption is easily broken
Remove/disable RC4 cipher suites as soon as possible
Disable SSLv2 if not already done
Disable SSLv3 as soon as possible (the POODLE attack targets it)
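To check a candidate cipher list against the rules above before pasting it into a server config, here is an added example; it is not code from this page or from the Mozilla and Qualys tools it links. It parses the text that `openssl ciphers -v '<cipher string>'` prints, flags each suite that breaks a rule (anonymous, NULL, RC4, below 128 bits, export), and reorders the survivors with forward secrecy first, then AEAD, then key size. The SAMPLE block is a constructed excerpt in that format so the script runs offline; the 112-bit effective strength assigned to 3DES is an assumption made here so that it is flagged by the 128-bit rule, which is why the Mozilla Intermediate profile of the time kept DES-CBC3-SHA only for very old clients.

```python
"""Check a cipher list against the Cipher Suites rules above.

Added example; not code from the NAU page or the tools it links.
Input is the text printed by `openssl ciphers -v '<cipher string>'`;
SAMPLE is a constructed excerpt in that format so the script runs offline.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample in `openssl ciphers -v` format (name, min protocol, Kx, Au, Enc, Mac).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


@dataclass
class Suite:
    name: str
    kx: str        # key exchange: ephemeral suites print as Kx=ECDH or Kx=DH
    au: str        # authentication: Au=None marks an anonymous suite
    enc: str       # bulk cipher, e.g. AESGCM, RC4, None
    bits: int      # effective encryption strength (0 for NULL)
    mac: str
    export: bool

    @property
    def forward_secrecy(self) -> bool:
        return self.kx in ("ECDH", "DH")

    @property
    def aead(self) -> bool:
        return self.mac == "AEAD"


def parse(text: str) -> list[Suite]:
    """Parse `openssl ciphers -v` output into Suite records."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        enc, bits = m["enc"], 0
        if "(" in enc:                      # e.g. AESGCM(256) -> AESGCM, 256
            enc, n = enc[:-1].split("(")
            bits = int(n)
        if enc == "3DES":
            bits = 112                      # assumption: 168-bit key, ~112-bit effective
        suites.append(Suite(m["name"], m["kx"], m["au"], enc, bits,
                            m["mac"], m["export"] is not None))
    return suites


def violations(s: Suite) -> list[str]:
    """Rules from the list above that suite `s` breaks; empty means acceptable."""
    found = []
    if s.au == "None":
        found.append("anonymous key exchange (no server authentication)")
    if s.enc == "None":
        found.append("NULL cipher (no encryption)")
    else:
        if s.enc == "RC4":
            found.append("RC4")
        if s.bits < 128:
            found.append(f"weak {s.bits}-bit encryption")
    if s.export:
        found.append("export-grade suite")
    return found


def report(text: str) -> dict[str, list[str]]:
    """Map each suite name to the rules it breaks."""
    return {s.name: violations(s) for s in parse(text)}


def cipher_string(text: str) -> str:
    """Acceptable suites reordered per the rules: forward secrecy first, then AEAD,
    then key size; ties keep the input order. Colon-separated, ready for use."""
    ok = [s for s in parse(text) if not violations(s)]
    ok.sort(key=lambda s: (not s.forward_secrecy, not s.aead, -s.bits))
    return ":".join(s.name for s in ok)


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, problems in report(text).items():
        print(f"{'FAIL' if problems else 'ok  '} {name:28} {'; '.join(problems)}")
    print("\nrecommended order:", cipher_string(text))
```

Run it as `openssl ciphers -v 'HIGH:!aNULL' | python3 check_ciphers.py` (the file name is arbitrary) to audit a real cipher string; the `cipher_string` result can be pasted into Apache's `SSLCipherSuite` or nginx's `ssl_ciphers`, which only honour that order when `SSLHonorCipherOrder on` or `ssl_prefer_server_ciphers on` is also set. Protocol versions are a separate setting (`SSLProtocol` / `ssl_protocols`) and are not checked by this script.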

Screenshots of sample configs (the links above build settings for copy-paste):

Mozilla SSL Generator tool for Apache, Nginx, OpenSSL: (screenshot not reproduced in this text)

Mozilla Wiki recommended configurations, Intermediate is strongly encouraged: (screenshot not reproduced in this text)

Microsoft TechNet, SChannel, gpedit: (screenshot not reproduced in this text)
