CipherSuiteList and ULC

[kilianvp]

Im trying to increase the security for WinCC OA and found the config entries CipherSuiteList and ECDHCurve

the default ECDHCurve prime256v1 is insecure!

you should use at least secp384r1 as default ECDHCurve!

I tried to change the CipherSuiteList to something modern using:

https://mozilla.github.io/server-side-t ... generator/
https://testssl.sh/openssl-rfc.mapping.html

Code: Select all

CipherSuiteList = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256"

which wont work at all

than i tried:

Code: Select all

CipherSuiteList = "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA,ECDHE-ECDSA-AES256-SHA384,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA256,DHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA256,DHE-RSA-AES256-SHA,ECDHE-ECDSA-DES-CBC3-SHA,ECDHE-RSA-DES-CBC3-SHA,EDH-RSA-DES-CBC3-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384,AES128-SHA256,AES256-SHA256,AES128-SHA,AES256-SHA,DES-CBC3-SHA"

and Google Chrome used:

The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_128_GCM (a strong cipher).


even the example from the WinCC OA help:

Code: Select all

cipherSuiteList = "DHE-RSA-AES256-SHA256,DHE-RSA-AES256-GCM-SHA384"

doesnt work

[kilianvp]

Ok i got some feedback from ETM:

CipherSuiteList is a option to restrict allowed Ciphers