Better explanation of ephemeral keys
This whitepaper arose out of the need for system administrators to have an
updated, solid, well researched and thought-through guide for configuring SSL,
\end{tabular}
\end{center}
-A remark on the ``consider'' section: the BSI (Bundesamt f\"ur Sicherheit in der Informationstechnik, Germany) recommends in its technical report TR-02102-2\footnote{\url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html}} to \textbf{avoid} non-ephemeral\footnote{ephemeral keys are session keys which are destroyed upon termination of the encrypted session} keys for any communication which might contain personal or sensitive data. In this document, we follow BSI's advice and therefore only keep cipher suites containing (EC)DH\textbf{E} variants. System administrators, who can not use perfect forward secrecy can still use the cipher suites in the consider section. We however, do not recommend them in this document.
+A remark on the ``consider'' section: the BSI (Bundesamt f\"ur Sicherheit in der Informationstechnik, Germany) recommends in its technical report TR-02102-2\footnote{\url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html}} to \textbf{avoid} non-ephemeral\footnote{ephemeral keys are session keys which are destroyed upon termination of the encrypted session. In TLS/SSL, they are realized by the DHE cipher suites. } keys for any communication which might contain personal or sensitive data. In this document, we follow BSI's advice and therefore only keep cipher suites containing (EC)DH\textbf{E} variants. System administrators, who can not use perfect forward secrecy can still use the cipher suites in the consider section. We however, do not recommend them in this document.
Note that the entries marked as "special" are cipher suites which are not common to all clients (webbrowsers etc).
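Review bot: the new footnote text names only "the DHE cipher suites" as the realization of ephemeral keys, while the very next sentence keeps the "(EC)DH\textbf{E} variants" and the cipher-suite block below lists ECDHE suites first, so the footnote should name ECDHE as well, e.g. "In TLS/SSL, they are realized by the DHE and ECDHE cipher suites (the E stands for ephemeral)"; also drop the stray space before the closing brace in "session. }". Since "perfect forward secrecy" is used two sentences later without being introduced, the footnote is the natural place to add that ephemeral keys are what provide it.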
Note: a "\textbackslash" (backslash) denotes a line continuation which was wrapped due to formatting reasons here. Do not copy it verbatim.
\begin{verbatim}
+ SSLProtocol +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
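Review bot: the added `SSLProtocol +TLSv1.1 +TLSv1.2` line changes which protocol versions the example enables, which is not covered by the commit message "Better explanation of ephemeral keys"; either split it into its own commit or state in the surrounding text that SSLv3 and TLSv1.0 are deliberately left out and why. Two smaller points on the same line: the `TLSv1.1` and `TLSv1.2` tokens are only understood by httpd 2.4 built against OpenSSL 1.0.1 or later, so the text should say so for readers on older installs, and the line appears to carry a leading space that the neighbouring `SSLHonorCipherOrder` and `SSLCipherSuite` lines do not. Finally, the prose in the previous hunk now says only (EC)DHE suites are kept, but the OpenSSL aliases `ECDH+AESGCM:DH+AESGCM` in the unchanged context also match anonymous (and, on OpenSSL 1.0.x, fixed-key) DH/ECDH suites; `ECDHE+AESGCM:DHE+AESGCM` (or appending `!aNULL`) would make the configuration match the prose.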