Use: TLS v1.1 and 1.2
Avoid: TLS v1.0 and below, including SSLv3 and below
TLS Recommended Ciphers:
Avoid the following ciphers:
Note: The above DHE ciphers are safe to use only if DH group 14 (2048-bit) parameters are used for the key exchange. If a smaller DH group is used with DHE ciphers, the server is susceptible to the Logjam attack. This setting may have to be set in the OpenSSL code; there is no configurable option external to the OpenSSL module. Apache allows the DH parameters to be configured via its management interface.
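To make the "2048-bit DH parameters" check concrete, here is an added example (not code from this page) that reads a `DH PARAMETERS` PEM block of the kind `openssl dhparam` writes, decodes the PKCS#3 DER structure with the standard library only, and reports the size of the prime. The encoder at the bottom exists only to construct test input offline; the values it is fed in the test are constructed odd numbers of the right bit length, not real safe primes.

```python
import base64
import re
import sys

MIN_DH_BITS = 2048  # DH group 14 size, per the note above


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def _der_integer(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length


def parse_dh_params(pem):
    """Return (p, g) from a 'DH PARAMETERS' PEM block.
    The DER body is the PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g, ... }."""
    match = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not match:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(match.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, pos = _der_length(der, 1)
    p, pos = _der_integer(der, pos)
    g, _ = _der_integer(der, pos)
    return p, g


def dh_param_bits(pem):
    """Bit length of the DH prime p, the figure `openssl dhparam -text` reports."""
    p, _ = parse_dh_params(pem)
    return p.bit_length()


def dh_params_ok(pem, min_bits=MIN_DH_BITS):
    """True when the parameters meet the group 14 (2048-bit) floor."""
    return dh_param_bits(pem) >= min_bits


# --- helpers to build a PEM for offline testing (constructed input) ---------

def _der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _der_uint(value):
    # One extra byte keeps the sign bit clear when the top bit of value is set.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def encode_dh_params_pem(p, g):
    """Encode (p, g) as a 'DH PARAMETERS' PEM block (no primality is implied)."""
    der = _der_tlv(0x30, _der_tlv(0x02, _der_uint(p)) + _der_tlv(0x02, _der_uint(g)))
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    # Usage: python dhcheck.py dhparams.pem
    with open(sys.argv[1]) as fh:
        text = fh.read()
    bits = dh_param_bits(text)
    print("%d-bit DH parameters: %s" % (bits, "OK" if bits >= MIN_DH_BITS else "TOO SMALL (Logjam)"))
```

Run it against the file you hand to your server (for Apache, the file referenced by its DH parameter setting); anything reporting under 2048 bits is the Logjam exposure the note describes. The checker only measures the prime's size; it does not test primality or the safe-prime property, so generate the file with `openssl dhparam 2048` rather than hand-rolling values.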
The following ciphers use RSA for both authentication and key exchange and do not provide perfect forward secrecy:
The problem is that using RSA for key exchange does not provide perfect forward secrecy, because the session key is not derived from ephemeral "one-time use" keys.
- Set up DH parameters to enable ephemeral DH 2048 cipher suites
- Use X.509v3 certificates for mutual authentication in server-to-server connections.
- Use: secp256r1, secp384r1, secp521r1
- Server and client must reject any connection offering SSL 1.0, SSL 2.0, SSL 3.0 or TLS 1.0.
- For most websites, using RSA keys stronger than 2048 bits and ECDSA keys stronger than 256 bits is a waste of CPU resources and might impair user experience. Similarly, increasing the strength of the ephemeral key exchange beyond 256 bits for ECDHE has little benefit.
- Avoid: OpenSSL v1.0.0 and below (end of life); v1.0.1 reaches end of life on 12/31/16 (see https://www.openssl.org/policies/releasestrat.html)
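The checklist above maps directly onto a server-side context in Python's `ssl` module, which is a thin layer over OpenSSL. The following is an added example, not configuration from this page: it sets the protocol floor to TLS 1.1, restricts the cipher list to ephemeral key exchange (`!kRSA` drops RSA key transport), picks secp256r1 for ECDHE, loads the 2048-bit DH parameters, and requires a client certificate for mutual authentication. All file paths are placeholders supplied by the caller; `offers_only_forward_secret_suites` is this example's own check, not an `ssl` API.

```python
import ssl

# Cipher string in OpenSSL syntax: ephemeral key exchange only (ECDHE, DHE),
# AEAD suites first; !kRSA removes RSA key transport, which has no forward
# secrecy.  OpenSSL 1.1.0 dropped the static DH/ECDH suites; on a build that
# still offers them, exclude those as well.
CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!kRSA:!MD5:!RC4"


def build_server_context(cert_file=None, key_file=None, dh_params_file=None, client_ca_file=None):
    """Server-side SSLContext following the checklist above.
    Every file argument is a placeholder the caller fills in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor: SSLv3 and TLS 1.0 are never negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    ctx.set_ciphers(CIPHER_STRING)
    # The server chooses from its own ordered list, not the client's.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # secp256r1 (OpenSSL name: prime256v1) for the ECDHE exchange.
    ctx.set_ecdh_curve("prime256v1")
    if dh_params_file:
        # 2048-bit parameters generated with `openssl dhparam 2048`, so the
        # DHE suites meet the group 14 floor from the note above.
        ctx.load_dh_params(dh_params_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        # Mutual authentication: require and verify the client's X.509 certificate.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def offered_key_exchanges(ctx):
    """Key-exchange methods the context can negotiate, as OpenSSL names them
    (for example 'kx-ecdhe', 'kx-dhe'); 'kx-rsa' must not appear."""
    return sorted({c.get("kea", "?") for c in ctx.get_ciphers()})


def offers_only_forward_secret_suites(ctx):
    """True when every TLS 1.2 suite is ECDHE or DHE.  TLS 1.3 suites
    (names starting with TLS_) always use an ephemeral exchange."""
    return all(c["name"].startswith(("ECDHE-", "DHE-", "TLS_")) for c in ctx.get_ciphers())


if __name__ == "__main__":
    context = build_server_context()
    print("key exchanges offered:", offered_key_exchanges(context))
    print("forward secrecy only:", offers_only_forward_secret_suites(context))
```

Two things worth verifying after any change to the cipher string: that `offered_key_exchanges` no longer lists `kx-rsa`, and that the list is not empty (an over-restrictive string makes `set_ciphers` raise, which is the safer failure).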
More info on why not to use ECDH curves:
Static ECDH cipher suites should not be used because they do not provide perfect forward secrecy. The reason is that only Diffie-Hellman in ephemeral mode uses "one-time use" private keys; static DH and ECDH use values based on the stored certificates. Chris McNab's Network Security Assessment book warns: "When using DH in a static mode, dh_g, dh_p, dh_Ys, and rand_s are fixed and do not provide forward secrecy." Here is another good write-up: http://crypto.stackexchange.com/questions/15329/tls-ssls-usage-of-non-ephemeral-dh-vs-dhe.