An important step is to take two things into account:
If an old browser is installed on the device and it can only use old ciphers, then the server must support those ciphers too.
In reality, many old ciphers are no longer considered secure.
Here the task for the user's browser and the server is to choose, during the first handshake, the most reliable combination among those supported by both parties. For this purpose, OpenSSL provides a list in which the most cryptographically secure combinations come first and the less reliable ones come towards the end of the list.
A list of existing algorithms for all TLS components can be found on Wikipedia, with an indication of whether they are supported by different versions of SSL and TLS.
A useful reference is the Mozilla SSL Configuration Generator. It lists methods suitable for use on the server, and these are the ones used to create the actual combinations given here as examples.
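The selection described above, as an added example that is not part of the original article: a small Python model of how an ordered server list and a client's offer settle on one suite, including the case where an old browser shares nothing with a modern-only server. The suite lists are constructed samples using OpenSSL-style names, and the helper names and weak-cipher markers are assumptions made for illustration.

```python
import ssl

# Name fragments of suites long regarded as broken or obsolete (assumed marker list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")

def openssl_order(cipher_string):
    """Suite names in the order the local OpenSSL build ranks them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)

def negotiate(server_order, client_offer, server_preference=True):
    """Return the suite the handshake settles on, or None if there is no overlap."""
    if server_preference:
        ranked, other = server_order, set(client_offer)
    else:
        ranked, other = client_offer, set(server_order)
    for suite in ranked:
        if suite in other:
            return suite
    return None  # no common suite: the handshake fails

def report(server_order, client_offer, server_preference=True):
    suite = negotiate(server_order, client_offer, server_preference)
    if suite is None:
        return "no shared suite: handshake fails"
    return f"{suite} ({'WEAK' if is_weak(suite) else 'ok'})"

# Constructed sample lists, strongest first on the server side.
SERVER_MODERN = ["ECDHE-ECDSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-AES128-GCM-SHA256"]
SERVER_COMPAT = SERVER_MODERN + ["AES128-SHA", "DES-CBC3-SHA"]
OLD_BROWSER = ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"]
NEW_BROWSER = ["ECDHE-RSA-AES128-GCM-SHA256",
               "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]

if __name__ == "__main__":
    print("local OpenSSL order:", openssl_order("ECDHE+AESGCM")[:3])
    print("old browser, modern-only server:", report(SERVER_MODERN, OLD_BROWSER))
    print("old browser, server order wins: ", report(SERVER_COMPAT, OLD_BROWSER))
    print("old browser, client order wins: ",
          report(SERVER_COMPAT, OLD_BROWSER, server_preference=False))
    print("new browser, server order wins: ", report(SERVER_COMPAT, NEW_BROWSER))
```

When the client's order wins, the old browser lands on 3DES even though a better shared suite exists, which is why the ordered list on the server side matters.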
Selecting key types
ECC (Elliptic Curve Cryptography) certificates for HTTPS are considered good in terms of processing speed; in addition, compared to RSA certificates, they use less CPU (important for mobile devices). But at the moment, ECC certificates are not supported by a number of services. Among them, for example, Amazon, CloudFront, Heroku.
For ECC, a 256-bit key length is sufficient.
RSA (Rivest-Shamir-Adleman) certificates are suitable for working with a large list of old servers, but RSA is also considered slower. Keys of at least 2048 bits are used here. A certificate with a 4096-bit key does not have the best effect on performance. At the same time, such certificates are often signed with a 2048-bit intermediate key, and this reduces the level of protection.
The above information is general and rather relative. What is beyond the capabilities of one server may be an absolutely simple task for another. To see the level of performance, it is better to check everything yourself, using a real domain and real users as an example. Even then, the result will not be static: everything changes very quickly on the Internet.
Selecting a cipher suite