May 7, 2014

How To Force 256 Bit Encryption Using GnuTLS in Ubuntu

In my quest to have the most secure mail server on the planet I keep tinkering with my SSL settings. In my latest experiment I wanted to see if I could force 256 bit encryption. Before my experiment, in my Apache config for SSL I had the following GnuTLSPriorities set:

GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSA
That was pretty good, but most browsers would revert back to 128 bit cyphers for performance. I wanted to force 256 bit for security damn it!

I decided to add a few more entries under GnuTLSPriorities that removed anything less than 256 bit ciphers. I changed my config to read:
GnuTLSPriorities Secure256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSA:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC
What that does is restricts everything to TLS 1.1 or TLS 1.2 and only uses the following ciphers:
Of course not all browsers will support this configuration, but since I'm the only one using my mail server, I don't care. It is something for you to think about though.
Enhanced by Zemanta

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam