My choices for TLS 1.2 and TLS 1.3
Enable TLS 1.2 now! Starting from March 2020, the most used browsers will no longer have the support for TLS 1.0 and TLS 1.1 protocols as has already happened for all versions of SSL in past years. If the applications that do not support TLS 1.2 or higher remain active, it will be possible to incur traffic loss. Later there will be new updates to the client browsers and it will no longer be possible to establish an HTTPS connection.
The main browsers announcements here:
• Chrome – from version 81
• Firefox – from march 2020
• Safari – from march 2020
• Edge – Q2 2020
TLS 1.2 on servers should have been a standard for years but TLS 1.3 has actually been available on browsers by default for a short time. Here is a summary of the minimum versions:
TLS 1.2 from v. 30 – TLS 1.3 from v. 67
TLS 1.2 from v. ESR 31 – TLS 1.3 from v. 60
TLS 1.2 from v. 8 – TLS 1.3 from v. 13
TLS 1.2 only up to v. 44 – both from v. 80 (chromium based)
TLS 1.2 from v. 17 – TLS 1.3 from v. 57
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.source: Wikipedia
Here my list of the ciphers
AES256-GCM-SHA384 AES128-GCM-SHA256 CHACHA20-POLY1305-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-ARIA256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-ARIA128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
Why did I choose this order?
I read lots of documents and there is no only one view about the order. I selected this order of ciphers with these simple reasons:
- ECDHE > DHE
- GCM > CHACHA20 > others
- AES256 > AES128
- ECDHE-ECDSA-AES128-GCM-SHA256 is the “most popular” cipher for TLS 1.2 so I put it at the top of the list
The steps to be performed in a nutshell
- Here you can make a quick check of which versions of SSL / TLS are available on Public URLs.
- Enable TLS 1.2.
- Enabling TLS 1.3 is strongly recommended.
- Disable TLS 1.0 and 1.1 and all versions of SSL.
- Disable ECC curves < P_256
- Enable secure renegotiation.
- Enabling OCSP Stapling is optional but recommended.
- Enabling HSTS is optional but recommended. The impact of this configuration must be well assessed!
- CAA record on DNS configuration is optional but recommended.
- In order to use the DHE ciphers you need to configure the DH key.
To have compaibility with old systems (Win7/8.1, Safari 6-8, iOS 6/7/8.4, OSX 10.9/10.10) you can add this cipher: