Changes

GC HTTPS Web Server Config (view source)

Revision as of 13:23, 18 March 2019

1,086 bytes added , 13:23, 18 March 2019

Line 17: Line 17:

Departments should choose TLS cipher suites using ephemeral Diffie-Hellman (DH) and ephemeral Elliptic Curve Diffie-Hellman (ECDH) (those with DHE or ECDHE specified in the cipher suite name) since they provide perfect forward secrecy. When using a cipher suite that provides perfect forward secrecy, the compromise of a long-term private key used in deriving a subsequent session key does not cause the compromise of prior session keys.

<br>

+

===About Cipher Suites===

+

A cipher suite is a defined set of algorithms used to secure network connections between two end points (e.g.: user client and server). In the TLS handshake, cipher suites are presented by both the client and server as a means to agree on a communications scheme, and determine a common code to use. TLS 1.2 cipher suites include an initial key exchange algorithm, a bulk/message encryption algorithm, and a message authentication code, as in the example below:

+

'''TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'''

+

+

The meaning of this name is:

+

* ''TLS'' defines the protocol that this cipher suite is for; it will usually be TLS.

+

* ''ECDHE_ECDSA'' indicates the key exchange algorithm being used. The key exchange algorithm is used to determine if and how the client and server will authenticate during the handshake.

+

* ''AES_256_GCM'' indicates the block cipher being used to encrypt the message stream, together with the block cipher mode of operation.

+

* ''SHA384'' indicates the message authentication algorithm which is used to authenticate a message.

+

===Secure configuration advice recommendations===

In general, when configuring servers:

Tim.allardyce

263

edits