Secure crypto ciphers CentOS

Here are two lists of secure (at the time of writing) ciphers for the CentOS/RHEL operating system. These lists are not complete; they are reduced to the RSA/AES cipher suites that are considered secure. Use the following command to list all cipher suites your OS supports:

openssl ciphers -v ALL

The following string enables secure ciphers while keeping some of the older secure ciphers available. It can be used in Apache, Postfix and other software:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

CentOS 6+7:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES128-SHA

CentOS 5:

DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
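The cipher string above is broader than the CentOS 6+7 list (for example, ECDH+3DES and RSA+AES also enable 3DES and static-RSA suites). The following added Python script, not from this page's author, parses `openssl ciphers -v` output and reports which enabled suites are not on that list; the SAMPLE text is a constructed stand-in for real output, and expand_with_openssl() is a helper that calls the local openssl binary.

```python
import re
import subprocess

# Cipher string from this page, and the CentOS 6+7 allow-list from above.
CIPHER_STRING = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                 "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5")
ALLOWED = {
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "ECDH-RSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-SHA384", "ECDH-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "ECDH-RSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-SHA256", "ECDH-RSA-AES128-SHA",
}

# One line of `openssl ciphers -v` output: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_openssl_verbose(text):
    """Parse `openssl ciphers -v` output into dicts; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(dict(zip(("name", "proto", "kx", "au", "enc", "mac"), m.groups())))
    return suites

def audit(suites, allowed=ALLOWED):
    """Split parsed suites into those on the allow-list and those enabled but not listed."""
    accepted = [s["name"] for s in suites if s["name"] in allowed]
    flagged = [s["name"] for s in suites if s["name"] not in allowed]
    return accepted, flagged

def expand_with_openssl(cipher_string=CIPHER_STRING):
    """Ask the local openssl binary what the string expands to (needs openssl installed)."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True)
    return out.stdout

# Constructed sample in `openssl ciphers -v` format, standing in for real output.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

if __name__ == "__main__":
    accepted, flagged = audit(parse_openssl_verbose(SAMPLE))
    print("on allow-list:", accepted, "\nenabled but not on the list:", flagged)
```

To audit a real host, replace SAMPLE with expand_with_openssl() and compare the flagged suites against what your server actually needs to support.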

Generating a Unique DH (Diffie-Hellman) Group

Because of a recently published attack on Diffie-Hellman (DH) key exchange called Logjam, which targets short parameter lengths such as 512 bits and, perhaps in the near future, 768 bits, here is the command to create a really strong 4096-bit parameter:

openssl dhparam -out dhparams.pem 4096

Please be aware that generating these parameters can take up to 20 minutes, and even longer depending on your CPU.

Most software (Apache, Postfix, Sendmail, Dovecot etc.) has a configuration parameter where you can set the Diffie-Hellman group file. The DH algorithm is used to agree on the session keys that protect SSL/TLS connections.

More information about configuring different servers can be found here.