Cipher Suite to use for Apache/Tomcat

0 Likes
over 4 years ago

Required to be PCI, NIST or HIPAA compliant and wonder what cipher suites are needed to be used?

All of the ciphers listed are Forward Secrecy (FS) enabled and are highly recommended. They work with pretty much everything you could possibly run into at client sites. Not all of them are supported under Tomcat, but are supported for Apache.  If certain ones do not work for the product under Tomcat, it will just skip that cipher and go down the list until it finds one it does work with for connections.

For PCI use these

 

TLS 1.2 (suites in server-preferred order)

 

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

 

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

 

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

 

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

 

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

 

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

 

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

 

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

 

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

 

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

 

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

 

TLS 1.1 (suites in server-preferred order)

 

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

 

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

 

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

 

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

 

TLS 1.0 (suites in server-preferred order)

 

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

 

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

 

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

 

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

 

For NIST/HIPAA compliance add

 

TLSv1.2

 

TLS_RSA_WITH_AES_128_CBC_SHA

 

TLS_RSA_WITH_AES_128_GCM_SHA256

 

TLSv1.1

 

TLS_RSA_WITH_3DES_EDE_CBC_SHA

 

TLS_RSA_WITH_AES_128_CBC_SHA

 

TLSv1.0

 

TLS_RSA_WITH_3DES_EDE_CBC_SHA

 

TLS_RSA_WITH_AES_128_CBC_SHA

Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended