%%\subsection{Recommended cipher suites}
-In principle, system administrators who want to improve their servers need to
-make a hard decision between locking out some users while keeping very high
-cipher suite security levels or supporting as many users as possible while
-lowering some settings. \url{https://www.ssllabs.com/} gives administrators a
-tool to test out different settings. The authors of this guide used ssllabs.com
+In principle system administrators who want to improve their servers have ton
+make a difficult decision between locking out some users and keeping high
+cipher suite security while supporting as many users as possible.
+The website \url{https://www.ssllabs.com/} gives administrators a
+tool to test their setup. The authors made use of ssllabs.com
to arrive at a set of cipher suites which we will recommend throughout this
-document. \textbf{Caution: these settings can only represent a subjective
+document.\\
+
+\textbf{Caution: these settings can only represent a subjective
choice of the authors at the time of this writing. It might be a wise choice to
select your own cipher suites based on the instructions in section
\ref{section:ChoosingYourOwnCipherSuites}}.
\subsubsection{Configuration A: strong ciphers, fewer clients}
-At the time of this writing, we recommend the following set of strong cipher
-suites which may be useful in an environment where you do not depend on many,
-diverse external clients and where compatibility is not an issue. An example
-of such an environment might be machine 2 machine communications or corporate
-environments where you can define the software which must be used.
+At the time of writing we recommend the following set of strong cipher
+suites which may be useful in an environment where one does not depend on many,
+different clients and where compatibility is not a big issue. An example
+of such an environment might be machine-to-machine communication or corporate
+deployments where software that is to be used can be defined freely.
-We arrived at this set of cipher suites by selecting
+We arrived at this set of cipher suites by selecting:
\begin{itemize}
\item TLS 1.2
\subsubsection{Configuration B: weaker ciphers, many clients}
-In this section we propose a slightly "weaker" set of cipher suites. For example, there are
-some known weaknesses for SHA-1 which is included in this set.
+In this section we propose a slightly weaker set of cipher suites.
+For example, there are some known weaknesses for SHA-1 which is included in this set.
However, the advantage of this set of cipher suites is its wider compatibility
-with clients.
-
-
-\textbf{In the following document, all further examples in this paper will use Configuration B}.
+with clients as well as less computational overhead.\\
+\textbf{All further examples in this paper use Configuration B}.\\
-We arrived at this set of cipher suites by selecting
+We arrived at this set of cipher suites by selecting:
\begin{itemize}
\item TLS 1.2, TLS 1.1, TLS 1.0
This results in the string:
\begin{lstlisting}[breaklines]
-old (pre 20131202): 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
-
-newest 20131202:
'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
-
\end{lstlisting}
-\todo{adapt this table to the "newest" cipher string} \\
\todo{make a column for cipher chaining mode}
\begin{center}
\begin{tabular}{lllllll}