Mozilla recommended ciphers

[nodesocket]

Mozilla recommends config generator:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Yet you recommend:

EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5

Which should be used?

[jedisct1]

This repository contains the cipher suite used by Cloudflare.

This is not a "recommended" configuration that everyone should use. It's an excellent balance between security and speed, which is critical for Cloudflare.

And even though the notation differs, there is a lot of overlap in the actual set of ciphers included in both configurations.

Mozilla's recommended configuration includes DHE suites which can be important if you want to provide forward secrecy with old browsers/clients.

However, DHE is computationally intensive compared to ECDHE (EECDH in CF's configuration, which is just a different name). At Cloudflare's scale where every single CPU cycle counts, this is significant. At most people's scale, accepting DHE suites is totally fine and usually not a bad idea. Hence, this is recommended by Mozilla.

Cloudflare's configuration places ChaCha20-Poly1305, which is only available in LibreSSL and BoringSSL, before AES-GCM. ChaCha20-Poly1305 is interesting on devices that don't have hardware-accelerated AES; mainly mobile devices. On modern Intel CPUs, AES-GCM is way faster. Cloudflare intelligently picks ChaCha20-Poly1305 or AES-GCM according to what is expected to be faster on the client.

But the same configuration can be suboptimal in other contexts. Connect with LibreSSL with the default client configuration, and it is likely to use ChaCha20-Poly1305, even if the second and faster option, hardware-accelerated AES-GCM could have been used.

Mozilla's configuration doesn't include ChaCha20-Poly1305, partly because Firefox doesn't support it yet, partly because having AES-GCM as a first choice if it cannot be given the same priority as ChaCha20-Poly1305, is a safe bet.

Finally, the recommended configuration depends on your needs. Mozilla has three recommended configurations. A "modern" one for recent browsers, a more conservative one, and one that should be used as a last resort only. Cloudflare's configuration tolerates 3DES for old browsers, whereas Mozilla's modern configuration considers it obsolete and only trusts AES as a block cipher.

TL;DR Unless you are Cloudflare, you probably want to use one of Mozilla's configurations.

[nodesocket]

@jedisct1 wow, amazing response thanks so much.

Changed our ciphers to use Mozilla. I was unaware that the listed ciphers here are tuned for CF scale, and not recommended for general consumption.

[PiotrSikora]

@nodesocket: they are perfectly fine for general consumption ;)