
TLS Cipher Strings

Hi there,

Some of our customers are afraid of using RC4 in the cipher settings of our uniGUIServer. Since the default from Indy10 (which is used in uniGUI) uses RC4, we tried to find a solution.

In the OWASP (=open software security community) there is a cheat sheet about TLS Cipher Strings. We tried to implement the recommendations for a cipher string and we want to share this with you:

Here is the link to the original document: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

Please read the "Scenarios" section in the link above to understand the different strengths of the cipher strings.

Option 1 is to hard-code the different cipher strings and provide them with a simple function:

// Returns the OpenSSL cipher string for the requested OWASP strength level.
// Level N is the concatenation of lists 1..N, so a weaker level always still
// prefers the stronger suites first. EmptyStr comes from SysUtils.
function GetCipherList(AStrength: Integer): WideString;
const
  cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
  cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
  cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
  cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
  cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA';
begin
  case AStrength of
    // Advanced Plus (A+)
    1: Result := cCIPHER_LIST_1;
    // Advanced (A)
    2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2;
    // Broad Compatibility (B)
    3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3;
    // Widest Compatibility (C)
    4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4;
    // Legacy (C-)
    5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5;
  else
    // Unknown level: return an empty string rather than silently falling back to the Indy default.
    Result := EmptyStr;
  end;
end;

// Apply the chosen cipher string to the uniGUI server's Indy SSL handler on startup.
procedure TServerModule.UniGUIServerModuleCreate(Sender: TObject);
begin
  inherited;
  SSL.SSLOptions.CipherList := GetCipherList(1);
end;

Option 2 is to use an INI file and define the cipher string there. With this you are more flexible to quickly change the strength and/or the string itself.

Comments welcome!

Michael
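The following is an added example and is not part of Michael's post or of the uniGUI/Indy code. It shows Option 2 in a form that can be checked before deployment: the five OWASP lists from the post are kept as constants, the strength level (or an explicit override) is read from a constructed INI snippet with Python's configparser, and each resulting suite is classified by forward secrecy, AEAD mode and known-weak algorithms, so RC4 or 3DES cannot slip into a level unnoticed. The section name `SSL` and the keys `Strength` and `CipherList` are assumptions for the INI layout; the last helper asks the local OpenSSL what the string actually expands to, which only works where the Python build links OpenSSL.

```python
"""Build and lint an OWASP-style TLS cipher string chosen from an INI file.
Added example; the cipher lists are the post's five constants."""
import configparser
import ssl

# The five lists from the post (OWASP TLS Cipher String Cheat Sheet levels).
CIPHER_LISTS = {
    1: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
       "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    2: "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
       "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
    3: "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
       "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA",
    4: "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:"
       "AES128-SHA256:AES256-SHA:AES128-SHA",
    5: "DES-CBC3-SHA",
}

# Constructed INI text (assumed layout). A real server would read a file
# with ConfigParser.read(path) instead of read_string.
SAMPLE_INI = """
[SSL]
; 1 = A+, 2 = A, 3 = B, 4 = C, 5 = C- (legacy); ignored when CipherList is set
Strength = 2
; CipherList = ECDHE-RSA-AES128-GCM-SHA256
"""


def cipher_list_for_strength(strength):
    """Same rule as the post's GetCipherList: level N = lists 1..N joined by ':'."""
    if strength not in CIPHER_LISTS:
        return ""
    return ":".join(CIPHER_LISTS[n] for n in range(1, strength + 1))


def load_cipher_list(ini_text):
    """Option 2: an explicit CipherList wins, otherwise Strength picks the level."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=(";", "#"))
    cfg.read_string(ini_text)
    explicit = cfg.get("SSL", "CipherList", fallback="").strip()
    if explicit:
        return explicit
    return cipher_list_for_strength(cfg.getint("SSL", "Strength", fallback=1))


def lint_cipher_string(cipher_string):
    """Classify each suite name; 'weak' flags RC4, (3)DES, NULL and export suites."""
    findings = []
    for name in cipher_string.split(":"):
        findings.append({
            "name": name,
            # ECDHE-/DHE- key exchange gives forward secrecy; plain RSA kex does not.
            "forward_secrecy": name.startswith(("ECDHE-", "DHE-")),
            "aead": "-GCM-" in name,
            "weak": any(tag in name for tag in ("RC4", "DES", "NULL", "EXP")),
        })
    return findings


def openssl_accepts(cipher_string):
    """Return the suite names the local OpenSSL selects, or None if none match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    chosen = load_cipher_list(SAMPLE_INI)
    for f in lint_cipher_string(chosen):
        flags = [k for k in ("forward_secrecy", "aead", "weak") if f[k]]
        print(f"{f['name']:32} {' '.join(flags)}")
    print("OpenSSL expansion:", openssl_accepts(chosen))
```

Running the linter over level 1 shows only forward-secret AEAD suites; level 4 introduces the non-forward-secret `AES*` suites and level 5 is the only one that trips the weak flag (3DES). None of the five levels contains RC4, which is the property the customers in the post are asking for. Note that `get_ciphers()` on a modern OpenSSL also lists the TLS 1.3 suites, which are configured separately and are not affected by this string.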
