freeipa/contrib/nssciphersuite/README.txt

Cipher suite for mod_nss
------------------------

The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and
creates a list of secure cipher suites for TLS. The script filters out
insecure, obsolete and slow ciphers according to some rules.

As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14
cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The
cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH
key exchange. https://www.ssllabs.com/ gives a 'A' grade.

Note:
No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8
support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA.

# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH
# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE
# enabled cipher suites:
#   TLS_RSA_WITH_AES_128_CBC_SHA256
#   TLS_RSA_WITH_AES_256_CBC_SHA256
#   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#   TLS_RSA_WITH_AES_128_GCM_SHA256
#   TLS_RSA_WITH_AES_128_CBC_SHA
#   TLS_RSA_WITH_AES_256_GCM_SHA384
#   TLS_RSA_WITH_AES_256_CBC_SHA
#

NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
Modernize mod_nss's cipher suites The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 2016-01-21 09:09:10 -06:00			`Cipher suite for mod_nss`
			`------------------------`

			`The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and`
			`creates a list of secure cipher suites for TLS. The script filters out`
			`insecure, obsolete and slow ciphers according to some rules.`

			`As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14`
			`cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The`
			`cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH`
			`key exchange. https://www.ssllabs.com/ gives a 'A' grade.`

			`Note:`
			`No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8`
			`support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA.`

			`# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH`
			`# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE`
			`# enabled cipher suites:`
			`# TLS_RSA_WITH_AES_128_CBC_SHA256`
			`# TLS_RSA_WITH_AES_256_CBC_SHA256`
			`# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
			`# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
			`# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
			`# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
			`# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
			`# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
			`# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
			`# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
			`# TLS_RSA_WITH_AES_128_GCM_SHA256`
			`# TLS_RSA_WITH_AES_128_CBC_SHA`
			`# TLS_RSA_WITH_AES_256_GCM_SHA384`
			`# TLS_RSA_WITH_AES_256_CBC_SHA`
			`#`

			`NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha`