Forum Discussion

Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus

This will disable 3DES and prioritize PFS and GCM. 

'!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
. Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e. 
'!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.

Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Sep 25, 2015
tmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES' produces these ciphers and order. ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 6: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 8: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 9: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 11: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 13: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 14: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 16: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 17: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA