What SSL Ciphers and Protocols should I use?

system

Introduction

LogonBox products support a wide range of SSL Protocols and Ciphers.

This article describes which subset of protocols and ciphers to use in order to give the most secure connection possible.


SSL Configuration

Log on to LogonBox as the admin account.

Navigate to System Configuration in the top navbar, then click on the SSL tab. This will show you the list of protocols and ciphers as in the image below.


LogonBox comes preconfigured with a strong set of ciphers and protocols but if you want to change anything, here are some hints.

For Protocols, it is recommended to Exclude SSLv3 (which is done by default), but you may wish to exclude TLSv1 or TLSv1.1. To do this, click the up arrow on the protocol and it will move it to the Excluded section.

For the Ciphers, the easiest way is probably to follow these rules:

  1. Remove any cipher that does not start with TLS_DHE, TLS_ECDHE or TLS_EMPTY.
  2. Now remove these specific ciphers if they are in Included:
    • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  3. Lastly remove any cipher which has the word NULL anywhere in the name.

You should be left with the following list of ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
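The three rules above, encoded as a filter so you can check an exported Included list before clicking Apply. This is an added example, not LogonBox's own code; cipher names are the JSSE-style names shown in the article and the sample Included list is constructed for illustration.

```python
# Added example (not LogonBox code): applies the article's three cipher rules
# to a list of JSSE-style cipher suite names and reports why each one is
# dropped, so the Included list can be verified before it is applied.
from __future__ import annotations

# Rule 1: only these key-exchange families (plus the renegotiation SCSV) stay.
ALLOWED_PREFIXES = ("TLS_DHE", "TLS_ECDHE", "TLS_EMPTY")

# Rule 2: the specific DHE_RSA suites the article says to remove.
EXPLICIT_REMOVALS = frozenset({
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
})


def rejection_reason(cipher: str) -> str | None:
    """Return which rule rejects this cipher, or None if it should stay."""
    if not cipher.startswith(ALLOWED_PREFIXES):
        return "rule 1: not TLS_DHE / TLS_ECDHE / TLS_EMPTY"
    if cipher in EXPLICIT_REMOVALS:
        return "rule 2: listed DHE_RSA suite"
    if "NULL" in cipher:  # Rule 3: NULL anywhere in the name
        return "rule 3: NULL cipher"
    return None


def apply_rules(included: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split an Included list into (kept, {removed: reason}), keeping order."""
    kept, removed = [], {}
    for cipher in included:
        reason = rejection_reason(cipher)
        if reason is None:
            kept.append(cipher)
        else:
            removed[cipher] = reason
    return kept, removed


# Constructed sample of an Included list before editing (not from a real install).
SAMPLE_INCLUDED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",          # dropped by rule 1
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",      # dropped by rule 2
    "TLS_ECDHE_RSA_WITH_NULL_SHA",           # dropped by rule 3
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    kept, removed = apply_rules(SAMPLE_INCLUDED)
    print("keep:", *kept, sep="\n  ")
    for cipher, why in removed.items():
        print(f"remove {cipher}: {why}")
```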

Once you have the correct list, click the Apply button to save the changes, then restart the LogonBox service using the Power icon at the bottom right of the screen.