There are two fundamental changes we would like to move towards to enhance our security posture: the use of SHA-2 signed certificates and disabling SSL v3.0 server-side support.

To accommodate a wide range of client/server combinations, the following information should be used as the minimum standard to ensure that you are achieving the best possible protection without compromising compatibility with most major client operating systems:

Cipher Suites: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

The order of the cipher suites here is important, as it determines which algorithms will be selected in priority. The standard above prioritizes algorithms that provide perfect forward secrecy. The minimum key length is 2048-bit; moving beyond this is computationally intensive with little immediate security gain. NIST speculates that a 2048-bit key won't be compromised until approx. 2030.

For the Windows environment, Nartac Software offers a free tool known as IIS Crypto that gives administrators the ability to customize the operating system's SSL/TLS protocols, ciphers, hashes, and key exchanges, and to specify the cipher suite order. Typically, I find that the FIPS 140-2 preset template will configure your server to meet the above standards. Depending upon the application and operating system, the procedure and tools may vary. This particular tool is targeted towards web applications that are delivered via IIS. Apache on Windows utilizes OpenSSL and requires an application-specific configuration change to adhere to these standards.

To ensure the proper functionality of services utilizing InCommon certificates, the intermediate certificate (provided by InCommon via the Certificate Manager) should be included in the certificate chain. InCommon is an Intermediate CA (signing certificates on behalf of Comodo), so the InCommon intermediate certificate is required to provide proper validation of the service's certificate. You can also download the SHA-2 intermediate certificate from the following link: incommon_sha2_interm.crt

For additional reference, please refer to the following URL: Security/Server Side TLS.

If you have any questions and/or concerns, please do not hesitate to contact Mike Lang, Dylan Marquis, or Jonathan Gill. You may contact any of the above for general advice or configuration verification. More specifically, Dylan can help configure Linux systems and Jonathan can help with any Windows configuration questions.
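For configuration verification, the following Python check is an added example (not part of the original page) that audits an OpenSSL-format cipher string for two properties of the standard above: forward-secret suites come before all others, and the generic exclusions are present. The names `audit_cipher_string`, `FS_PREFIXES` and `REQUIRED_EXCLUSIONS` are assumptions, and the check works on the tokens as written; it does not expand aliases such as AES or CAMELLIA the way OpenSSL does.

```python
# Added example: token-level audit of an OpenSSL cipher string against the standard.
# All names here are illustrative assumptions, not part of the original page.

STANDARD = (  # copied from the page's "Cipher Suites" line
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Ephemeral key exchanges give forward secrecy; kEDH/kEECDH are OpenSSL aliases.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "kEDH", "kEECDH")
# Generic exclusions taken from the standard (a subset of its "!" entries).
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!MD5", "!PSK"}


def audit_cipher_string(cipher_string):
    """Return a list of findings; an empty list means both checks pass."""
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    exclusions = {t for t in tokens if t.startswith("!")}
    # Entries without a leading operator form the preference order.
    preference = [t for t in tokens if not t.startswith(("!", "-", "+"))]

    findings = []
    first_non_fs = None
    for token in preference:
        if token.startswith(FS_PREFIXES):
            if first_non_fs is not None:
                findings.append(
                    f"{token} (forward secrecy) is listed after {first_non_fs}")
        elif first_non_fs is None:
            first_non_fs = token  # remember the first suite without forward secrecy
    for missing in sorted(REQUIRED_EXCLUSIONS - exclusions):
        findings.append(f"missing exclusion {missing}")
    return findings


if __name__ == "__main__":
    print(audit_cipher_string(STANDARD) or "standard string passes")
```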