The End-of-Life of Windows XP and SSL/TLS Configurations

This is a followup to my previous post, Strong SSL/TLS Cryptography in Apache and Nginx.

Perhaps hard to tell given how many users remain, but Windows XP reached its end of life on 8 April 2014. This means no more support, updates, or bug fixes—not even of critical security flaws. Windows XP use has been dwindling, but its end-of-life provides an excellent opportunity to consider removing support for it from your applications and websites.

Dropping Windows XP support pays off particularly well for SSL/TLS configurations, because most of the compromises one makes in a cipher suite list exist to accommodate old versions of Internet Explorer on Windows XP: the SChannel stack on XP offers no AES and no ECDHE, so serving those browsers means offering RC4 or 3DES with plain RSA key exchange. Since those users are now even more of a walking botnet and malware infestation, we needn't continue to support them to the detriment of the rest of the Internet.

So what changes can we make? In my previous cryptography guide, I advocate disabling SSLv3 support, which breaks Internet Explorer 6 on Windows XP but prevents a protocol downgrade attack for everyone else. If we're willing to drop support for all versions of Internet Explorer on Windows XP,¹ we can accomplish two other goals:

  • Only support Perfect Forward Secrecy, offering no cipher suites without forward security.
  • Only support modern ciphers. Currently this just means AES (in both CBC and GCM mode), but in the future it will include ChaCha20+Poly1305.²

To make these changes, follow my previous guide but use this cipher suite ordering for Apache:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!3DES:!DES:!MD5:!PSK:!RC4:!RSA

SSLHonorCipherOrder on

And this cipher suite ordering for Nginx:

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!3DES:!DES:!MD5:!PSK:!RC4:!RSA';

ssl_prefer_server_ciphers on;

The non-forward-secret AES suites (AES256-GCM-SHA384 and so on) appear in the string, but the trailing !RSA strips every suite that uses RSA key exchange, so only the ECDHE and DHE suites survive; you can confirm what your own build does by running the string through openssl ciphers with -v. With the OpenSSL release current at the time of writing, this yields the following ciphers, in descending order of preference:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

This is a small, focused list, with no compromises on security, obeying the following rules:

  • Only support PFS. We favor ECDHE over DHE as the former is less resource intensive, but we support both.
  • Only support modern ciphers, which currently means just AES-CBC and AES-GCM. We favor GCM mode over CBC mode as the former is more efficient and not susceptible to the BEAST attack; the CBC suites stay in the list because GCM exists only in TLS 1.2, so clients that stop at TLS 1.0 or 1.1 cannot negotiate it.
  • Favor 256-bit key size over 128 but support nothing smaller.
  • Support SHA-2 and SHA-1 as the MAC hash, nothing else. Prefer SHA-2 over SHA-1 (the collision weaknesses of SHA-1 do not apply to its use in HMAC, so the SHA suites remain acceptable). For SHA-2, prefer 384-bit digests over 256-bit.
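As an added example, not code from the original post, here is a small Python checker that encodes the four rules above and the preference order they produce. It audits a list of IANA suite names (the twelve printed above plus a few constructed rejects that an XP-friendly configuration would have offered), reports which rule each rejected suite breaks, and sorts the accepted ones so you can compare a scanner's output against the intended order. The function names and rule labels are my own, and the rank tables assume RSA certificates, as the post does.

```python
"""Audit TLS cipher suites against the four rules in this post: forward
secrecy only, AES only (GCM or CBC), no key smaller than 128 bits, and
SHA-2 or SHA-1 HMACs only.  Added example, not code from the original
post; POST_SUITES is the list printed above and REJECTED_EXAMPLES is
constructed for illustration."""
import re

# Preference ranks derived from the post's ordering (lower sorts first).
# Only RSA-authenticated exchanges are ranked, matching the post's RSA certificate.
KX_RANK = {"ECDHE_RSA": 0, "DHE_RSA": 1}
MODE_RANK = {"GCM": 0, "CBC": 1}
MAC_RANK = {"SHA384": 0, "SHA256": 1, "SHA": 2}

# The twelve suites the post's cipher string yields, in the post's order.
POST_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed rejects: the kind of suites an XP-era configuration offers.
REJECTED_EXAMPLES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",         # RSA key exchange: no forward secrecy
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",       # RC4 is not a modern cipher
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",  # 3DES: not AES, no 128-bit key
    "TLS_RSA_WITH_RC4_128_MD5",             # breaks three rules at once
]


def parse_suite(name):
    """Split an IANA name such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 into
    key exchange, cipher, key bits, mode and MAC hash."""
    m = re.fullmatch(r"TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)", name)
    if not m:
        raise ValueError("not an IANA TLS suite name: %s" % name)
    tokens = m.group("rest").split("_")
    mac = tokens.pop()  # the last token is always the MAC/PRF hash
    bits = next((int(t) for t in tokens if t.isdigit()), None)
    mode = next((t for t in tokens if t in MODE_RANK), None)
    return {"kx": m.group("kx"), "cipher": tokens[0], "bits": bits,
            "mode": mode, "mac": mac}


def check_policy(name):
    """Return the list of rules the suite breaks (empty means it passes)."""
    s = parse_suite(name)
    violations = []
    if not s["kx"].startswith(("ECDHE_", "DHE_")):
        violations.append("no forward secrecy")
    if s["cipher"] != "AES" or s["mode"] not in MODE_RANK:
        violations.append("cipher is not AES-GCM or AES-CBC")
    if s["bits"] is None or s["bits"] < 128:
        violations.append("key size unknown or below 128 bits")
    if s["mac"] not in MAC_RANK:
        violations.append("MAC is not SHA-2 or SHA-1")
    return violations


def preference_key(name):
    """Sort key reproducing the post's server order: GCM before CBC, ECDHE
    before DHE, SHA-2 before SHA-1, then the larger key size first."""
    s = parse_suite(name)
    return (MODE_RANK.get(s["mode"], 9), KX_RANK.get(s["kx"], 9),
            MAC_RANK.get(s["mac"], 9), -(s["bits"] or 0))


def audit(names):
    """Return (accepted suites in preference order, {rejected suite: reasons})."""
    accepted, rejected = [], {}
    for n in names:
        problems = check_policy(n)
        if problems:
            rejected[n] = problems
        else:
            accepted.append(n)
    return sorted(accepted, key=preference_key), rejected


if __name__ == "__main__":
    ok, bad = audit(POST_SUITES + REJECTED_EXAMPLES)
    for n in ok:
        print("accept", n)
    for n, why in bad.items():
        print("reject", n, "(%s)" % "; ".join(why))
```

Note that within the CBC tier the listed order ranks the hash before the key size (AES128-SHA256 sits above AES256-SHA), which the sort key reproduces; if you want 256-bit keys to win outright, swap the last two components of preference_key and reorder the cipher string to match.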

With this cipher suite ordering, current Chrome and Firefox will both negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, a mighty fine choice, but even your least-favored suite, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, still provides forward secrecy and a strong cipher.

For all this effort, you earn an "A+" grade and a near-perfect SSL Labs rating:

[Image: SSL Labs A+ grade for rlove.org]

As before, you cannot do better without silly compromises, such as only supporting TLS 1.2, which would earn you a 100 in "Protocol Support" but would lock out every client that stops at TLS 1.0 or 1.1; at the time of writing that leaves little beyond current Chrome and Firefox 27.


¹ Which likely just means the addition of IE 7 and 8.

² Indeed, I'm not thrilled to recommend only one cipher. Even if AES were perfect, we ought to have choice. I believe ChaCha20+Poly1305 is an excellent alternative. It is currently supported by Chrome but is not yet in OpenSSL. Once in the latter I will update my recommendations.