What SSL Ciphers and Protocols should I use?

Introduction

Hypersocket products support a wide range of SSL Protocols and Ciphers.

This article describes which subset of protocols and ciphers to use in order to give the most secure connection possible.

 

SSL Configuration

Log on to Hypersocket as the admin account.

Navigate to System->Configuration, then click on the SSL tab. This will show you the list of protocols and ciphers as in the image above.

For Protocols, it is recommended to remove SSLv3. To do this, select that item in the list on the right, then click the left arrow button.

For the Ciphers, the easiest way is probably to follow these rules:

  1. Remove any cipher that does not start with TLS_DHE, TLS_ECDHE or TLS_EMPTY.
  2. Now remove these specific ciphers:
    • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  3. Lastly remove any cipher which has the word NULL anywhere in the name (2 of them are usually left at this point).

You should be left with the following list of ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Once you have the correct list, click the Apply button to save the changes, then restart the Hypersocket service using the Power icon at the top right of the screen.
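The three removal rules can also be applied to a copied-out list of enabled cipher names, so the result can be compared with the list above before clicking Apply. This is an added example, not Hypersocket code: the function names and the sample "before" list are constructed for illustration, and the rule 1 prefix is taken as TLS_ECDHE, matching the names in the final list.

```python
# Added example: the article's three removal rules applied to cipher names.
PREFIXES = ("TLS_DHE", "TLS_ECDHE", "TLS_EMPTY")   # rule 1: allowed prefixes
SPECIFIC = {                                        # rule 2: named removals
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
}
# The list the article says should remain, in the article's order.
EXPECTED = """
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
""".split()

def removal_reason(name):
    """Return the rule that removes `name`, or None if the cipher stays."""
    if not name.startswith(PREFIXES):
        return "rule 1: prefix"
    if name in SPECIFIC:
        return "rule 2: listed"
    if "NULL" in name:
        return "rule 3: NULL"
    return None

def audit(enabled):
    """Apply the rules to `enabled` and compare the survivors with EXPECTED."""
    removed = {n: removal_reason(n) for n in enabled if removal_reason(n)}
    kept = [n for n in enabled if n not in removed]
    unexpected = [n for n in kept if n not in EXPECTED]  # survives, not in article list
    missing = [n for n in EXPECTED if n not in kept]     # in article list, not enabled
    return kept, removed, unexpected, missing

# Constructed "before" list: the article's names plus a few other standard
# cipher-suite names chosen to exercise each rule.
SAMPLE = EXPECTED + sorted(SPECIFIC) + [
    "SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    kept, removed, unexpected, missing = audit(SAMPLE)
    for name, why in removed.items():
        print(f"remove {name}  ({why})")
    print("kept:", len(kept), "unexpected:", unexpected, "missing:", missing)
```

Any name reported as unexpected passes all three rules but is not in the article's final list, so it needs a manual decision rather than being left enabled by default.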
