Encryption Protocols and Ciphers
One of the Best Practices for Pleasant Password Server is to disable methods of SSL/TLS encryption that are found to be insecure.
Pleasant Password Server negotiates the best connection possible between your server and client in order to communicate in the most secure protocol & cipher available on your browser/machine/device. However, it is important to ensure that the best and most secure lines of communication are available and that the insecure ones are not.
This is best accomplished by:
- Keep machine, OS, & browsers updated regularly: this automatically keeps pace with the ever-changing security / protocol algorithm improvements, as these get reviewed and updated often
- Disable insecure protocols: ensure that insecure clients cannot communicate with the server using vulnerable protocols / algorithms
- Keep Password Server up-to-date: ensure the latest security patches, fixes, & configurations are applied
- Use Secure Certificates: will help to ensure the connection uses the best encryption strength possible
Topic Sections:
- SSL/TLS Versions
- 1. Test Your Encryption
- 2. Use the Strongest Encryption
- 3. How To Disable Insecure Server Ciphers
- Recommended Algorithms & Ciphers
The Most Secure SSL/TLS Versions
- TLS 1.3 is faster, more secure, default in browsers
- TLS 1.2 has been a long held standard
- TLS 1.1 reached end of life in 2018
- TLS 1.0 protocols are insecure
- SSL 1.0, 2.0, 3.0; PCT 1.0 are all deprecated and should not be used
Also:
- QUIC (in HTTP/3): intended to replace TLS
Test Your Encryption
You can test the connection of your browser, mobile device, or external-facing website, and see the protocols & ciphers being used, here:
- How's My SSL
- SSL/TLS Capabilities of Your Browser
- SSL Server Test (external facing website)
For an internal server: see the next sections (below).
You can also see the specific negotiated connection protocols for the current website you are viewing:
- Chrome: Press F12 -> click the Security tab -> view the Connection details
- Firefox: Click the lock next to the URL -> click Show Connection Details -> view the Technical Details
Use the Strongest Encryption
Password Server negotiates the strongest encryption communication supported by both the server and client. Registry setting changes enable specific versions of TLS on a machine, for example, TLS 1.3 or TLS 1.2.
At the same time, you do not want to leave old, outdated encryption protocols or ciphers enabled. Keep reading below.
How To Disable Insecure Server Ciphers
To avoid using outdated communication protocols and ciphers, it is advisable to disable insecure protocols on the Server machine. This protects the communications the server has with other machines.
On older Windows Server machines some older protocols are still enabled by default and should be disabled.
Below are some methods to manage these, listed by category. The easiest and most comprehensive are:
- The easiest method is the IIS Crypto 2 tool (by Nartac, for Windows Server machines only). It provides simple visibility to manage these settings.
- Alternatively, a comprehensive method is using Windows Registry settings (see the Machine Registry Settings section below).
Also note that keeping the machine OS updated helps to stay on top of the right encryption protocols for your connections.
Windows Server
All Windows Versions
- Manage the specific cipher algorithms your machine uses:
- Cipher Suites in TLS/SSL (Schannel SSP)
Machine Registry Settings
- Microsoft: Enable & Disable TLS protocols in .NET Framework
- TLS Registry Settings
- PowerShell examples from the community (unvalidated)
- Older Microsoft reference page
Windows 11, 10, 8, 7:
- "To add cipher suites, use the group policy setting SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings to configure a priority list for all cipher suites you want enabled."
By Group Policy
By PowerShell
- TLS Cmdlets
- PowerShell examples from the community (Note: these scripts have not been validated by us, but are provided for your convenience)
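An added example (not a Pleasant or Microsoft script) of applying the registry approach from PowerShell: it disables SSL 2.0/3.0 and TLS 1.0/1.1 for both the Server and Client role, explicitly enables TLS 1.2 and 1.3, turns off the DES/3DES/RC4/NULL ciphers, and points .NET Framework 4.x at the OS defaults. It assumes an elevated session and a reboot afterwards; the cipher key names containing "/" are written through the .NET registry API because the PowerShell registry provider treats "/" as a path separator.

```powershell
# Added example: hardens SCHANNEL on a Windows machine. Run elevated; the
# settings take effect after a reboot. TLS 1.3 keys are harmless on builds
# that do not support TLS 1.3 (they are simply ignored).
$protoBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# $true = enable, $false = disable (applied to both the Server and Client role)
$protocols = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true;  'TLS 1.3' = $true
}

foreach ($proto in $protocols.Keys) {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path -Path $protoBase -ChildPath "$proto\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 with DisabledByDefault=1 switches the protocol off;
        # Enabled=1 with DisabledByDefault=0 switches it on explicitly.
        $enabled = if ($protocols[$proto]) { 1 } else { 0 }
        New-ItemProperty -Path $key -Name 'Enabled' -Value $enabled `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value (1 - $enabled) `
            -PropertyType DWord -Force | Out-Null
    }
}

# Weak symmetric ciphers from the Legacy TLS list. These key names contain '/',
# which the HKLM: provider would treat as a path separator, so use .NET directly.
$cipherRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$weakCiphers = 'NULL', 'DES 56/56', 'Triple DES 168',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
foreach ($cipher in $weakCiphers) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$cipherRoot\$cipher")
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}

# Make .NET Framework 4.x applications use the OS protocol defaults and strong
# crypto instead of their own legacy defaults (both 64-bit and 32-bit views).
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($net in $netKeys | Where-Object { Test-Path $_ }) {
    New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $net -Name 'SchUseStrongCrypto' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}
```

As the SSL Labs guidance above recommends, run this in a test environment first and confirm that every required client application still connects before applying it to the production server.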
By Internet Explorer
- Open IE > Click Settings > Internet Options > Advanced tab:
- Select Use TLS 1.2, TLS 1.3 (experimental)
- Unselect SSL 3.0, TLS 1.0, TLS 1.1
- Restart the machine
In IIS
- Windows Server 2019: Add to your site binding, check "Disable Legacy TLS", then click OK
Browser
- Turn Off SSL 3.0 and TLS 1.0 In Your Browser
Recommended Algorithms & Ciphers
Mozilla publishes an updated recommendation list.
SSL Labs publishes an updated recommendation list, and is a well-known authoritative source.
Their suggestions include first making changes in a test environment and ensuring that compatibility is maintained for all the applications you require on the machine.
They also include a general explanation and a discussion of the theory.
Insecure Algorithms & Ciphers
Legacy TLS (a setting from Microsoft):
- Protocols:
- SSL2, SSL3, TLS1.0 and TLS1.1
- Encryption Ciphers:
- DES, 3DES, and RC4 (so only AES should be used)
- AES with CBC chaining mode (so only AES GCM should be used)
- Key Exchanges:
- RSA
- DH key sizes < 2048
- ECDH key size < 224
Also:
- Transport Layer Security (TLS) - Wikipedia
- Hardening Your Web Server's SSL Ciphers (Rationale section)
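An added example (not from Pleasant or Microsoft) that audits a Windows machine against the Legacy TLS list above without changing anything: it reads the SCHANNEL protocol keys for SSL 2.0/3.0 and TLS 1.0/1.1 and matches the enabled cipher suites against the RSA key exchange, DES/3DES/RC4, CBC and NULL items. It assumes Get-TlsCipherSuite is available (Windows 10 / Server 2016 or later); the DH/ECDH key-size items cannot be read from cipher suite names and are not covered.

```powershell
# Added example: read-only audit of a Windows machine against the Legacy TLS
# list above (protocols and ciphers; the DH/ECDH key-size items are not
# visible from cipher suite names). Needs Get-TlsCipherSuite (Windows 10 /
# Server 2016 or later). Changes nothing; prints one line per finding.
$protoBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Test-ProtocolEnabled {
    # $true when the protocol is explicitly enabled, or when no key exists and
    # SCHANNEL falls back to the OS default (still TLS 1.0/1.1 on older servers).
    param([string]$Name, [string]$Role)
    $key = Join-Path -Path $protoBase -ChildPath "$Name\$Role"
    if (-not (Test-Path $key)) { return $true }
    $p = Get-ItemProperty -Path $key
    $enabled  = if ($null -ne $p.Enabled) { [int]$p.Enabled } else { 1 }
    $disabled = if ($null -ne $p.DisabledByDefault) { [int]$p.DisabledByDefault } else { 0 }
    return ($enabled -ne 0) -and ($disabled -eq 0)
}

function Get-WeakSuiteReasons {
    # Cipher suite names follow the IANA pattern (e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA),
    # so each weak building block from the list can be matched on the name.
    param([string]$SuiteName)
    $checks = [ordered]@{
        'RSA key exchange (no forward secrecy)' = '^TLS_RSA_'
        'DES/3DES/RC4 cipher (use AES)'          = '_(DES|3DES|RC4)_'
        'CBC mode (use AES-GCM)'                 = '_CBC_'
        'NULL cipher'                            = '_NULL_'
    }
    foreach ($reason in $checks.Keys) {
        if ($SuiteName -match $checks[$reason]) { $reason }
    }
}

$findings = @()
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Server', 'Client') {
        if (Test-ProtocolEnabled -Name $proto -Role $role) {
            $findings += "$proto is enabled or not configured for the $role role"
        }
    }
}
foreach ($suite in Get-TlsCipherSuite) {
    foreach ($reason in Get-WeakSuiteReasons -SuiteName $suite.Name) {
        $findings += "Cipher suite $($suite.Name): $reason"
    }
}

if ($findings.Count -eq 0) { 'No legacy protocols or weak cipher suites found.' }
else { $findings }
```

A "not configured" result is reported as a finding on purpose, because the effective state then depends on the OS default rather than on an explicit setting.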
Further Reading
A short technical explanation guide for network administrators regarding encryption/protocol can be found here:
- SSL and TLS Deployment Best Practices by SSL Labs
- Relevant sections: Certificates, Secure Protocols, & Secure Cipher Suite
References:
- Microsoft: Solving TLS Problem
- Microsoft: Disable Legacy TLS
- Microsoft: How to determine which .NET versions are installed
- MakeUseOf: Common Encryption Types
- FestyDuck: History of SSL/TLS
- ScottHelme: Getting an A+ on the Qualys SSL Test
- IETF: HTTP over QUIC
- IETF: TLS 1.2 Cipher Suite Black List
Troubleshooting
Browser indicates Site URL is Insecure:
- This could indicate a problem with the certificate
- This could indicate a problem with using older protocols on the server machine
Connection error: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY:
- This error indicates that the browser has detected that your machine and the site have negotiated a cipher suite from the TLS 1.2 Cipher Suite Black List
- To resolve it, use one of the methods above to set good ciphers / disable these ciphers