Security for SSL/TLS connections

Encrypted connections are indispensable today when non-public data is to be transported via the Internet. In view of the activities of secret services and criminals, the highest possible level of security should be aimed for. The upcoming version 5.7.07 offers new options to increase the security of SSL/TLS.


Currently, conzept 16 uses SSL/TLS encryption optionally for the functions SckConnect and MailOpen (active connection setup) and in the SOCKET mode of the SOA service (passive connection setup). As of version 5.7.07, key exchange with the Diffie-Hellman and elliptic-curve methods is supported; the SSL 2.0 protocol is no longer used due to its security shortcomings.

For the functions SckConnect and MailOpen, the security level is specified as a minimum requirement; a lower level always includes all procedures of the higher levels, so each level defines the minimum security the connection must provide. Four levels are available:

Maximal (_SckTlsMax)

Only a few SSL clients and servers currently support the maximum security level. Only the TLS 1.2 protocol version is used; forward secrecy is mandatory, so key exchange is only possible with Diffie-Hellman, optionally over elliptic curves. Only 256-bit encryption is used. For Diffie-Hellman key exchange, DH parameter lengths of 512, 1024, 2048 and 4096 bits are supported in client mode; the SOA service uses a DH length of 2048 bits. The following cipher settings are defined:

Protocols: TLS 1.2
Key exchange: ECDHE, DHE
Authentication: RSA
Encryption: AES-256, CAMELLIA-256
Verification: AEAD, SHA-2, SHA-1

High (_SckTlsHigh)

For better compatibility, this level also allows the older TLS 1.0 and 1.1 protocols as well as RSA key exchange; RSA key exchange provides no forward secrecy. Encryption uses 256 or 128 bits; 128-bit encryption can currently still be regarded as secure. The following cipher settings are defined:

Protocols: TLS 1.2, TLS 1.1, TLS 1.0
Key exchange: ECDHE, DHE, RSA
Authentication: RSA
Encryption: AES-256, CAMELLIA-256, AES-128, CAMELLIA-128
Verification: AEAD, SHA-2, SHA-1

Medium (_SckTlsMed)

In addition to the methods of _SckTlsHigh, the now obsolete SSL 3.0 protocol and encryption with RC4 and 3DES are also permitted, for compatibility with older software (e.g. Windows XP with IE6). Both RC4 and 3DES are vulnerable and therefore no longer offer 100% protection. The following cipher settings are defined:

Protocols: TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
Key exchange: ECDHE, DHE, RSA
Authentication: RSA, ECDSA
Encryption: AES-256, CAMELLIA-256, AES-128, CAMELLIA-128, RC4, 3DES, SEED
Verification: AEAD, SHA-2, SHA-1

Low (_SckTlsLow)

This security level should only be used in exceptional cases where a connection with outdated servers cannot be established otherwise. Because insecure procedures and the weak encryption of SSL 2.0 are also permitted here, the confidentiality of the transmitted data may be compromised. For this reason, this level cannot be used with the SOA service. The following cipher settings are defined:

Protocols: TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
Key exchange: ECDHE, DHE, RSA, ECDH, DH
Authentication: RSA, ECDSA, DSS
Encryption: AES-256, CAMELLIA-256, AES-128, CAMELLIA-128, RC4, 3DES, SEED, DES, RC2, IDEA
Verification: AEAD, SHA-2, SHA-1, MD5
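To see how the four tables above nest, the following added example (not part of the post or of conzept 16 itself) transcribes them into Python and reports the strictest level at which a given OpenSSL-style cipher suite name is still allowed. The suite-name parser is my own simplification; it does not model protocol versions, which the suite name does not fully encode.

```python
# Classify OpenSSL-style cipher suite names against the four conzept 16 levels.
# The per-level sets are transcribed from the tables in the post; the parser of
# suite names is an approximation written for this example.
from typing import Optional

LEVELS = ("max", "high", "med", "low")  # strictest first
TABLE = {
    "kex":  {"max": {"ECDHE", "DHE"}, "high": {"ECDHE", "DHE", "RSA"},
             "med": {"ECDHE", "DHE", "RSA"},
             "low": {"ECDHE", "DHE", "RSA", "ECDH", "DH"}},
    "auth": {"max": {"RSA"}, "high": {"RSA"}, "med": {"RSA", "ECDSA"},
             "low": {"RSA", "ECDSA", "DSS"}},
    "enc":  {"max": {"AES256", "CAMELLIA256"},
             "high": {"AES256", "CAMELLIA256", "AES128", "CAMELLIA128"},
             "med": {"AES256", "CAMELLIA256", "AES128", "CAMELLIA128",
                     "RC4", "3DES", "SEED"},
             "low": {"AES256", "CAMELLIA256", "AES128", "CAMELLIA128",
                     "RC4", "3DES", "SEED", "DES", "RC2", "IDEA"}},
    "mac":  {"max": {"AEAD", "SHA2", "SHA1"}, "high": {"AEAD", "SHA2", "SHA1"},
             "med": {"AEAD", "SHA2", "SHA1"}, "low": {"AEAD", "SHA2", "SHA1", "MD5"}},
}
# OpenSSL encryption tokens that do not follow the AESnnn/CAMELLIAnnn pattern
ENC_NAMES = {"DES-CBC3": "3DES", "DES-CBC": "DES", "RC2-CBC": "RC2", "IDEA-CBC": "IDEA"}

def parse_suite(name: str) -> dict:
    """Split e.g. 'ECDHE-RSA-AES256-GCM-SHA384' into kex/auth/enc/mac components."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        kex, auth, rest = parts[0], parts[1], parts[2:]
    else:                        # no prefix: static RSA key transport, RSA auth
        kex, auth, rest = "RSA", "RSA", parts
    mac_tok, body = rest[-1], rest[:-1]
    mac = "MD5" if mac_tok == "MD5" else ("SHA1" if mac_tok == "SHA" else "SHA2")
    if "GCM" in body or "CCM" in body:        # AEAD modes carry their own integrity
        mac = "AEAD"
        body = [t for t in body if t not in ("GCM", "CCM")]
    enc_raw = "-".join(body)
    return {"kex": kex, "auth": auth, "enc": ENC_NAMES.get(enc_raw, enc_raw), "mac": mac}

def minimum_level(name: str) -> Optional[str]:
    """Strictest level that still permits the suite, or None if no level does."""
    suite = parse_suite(name)
    for lvl in LEVELS:
        if all(suite[part] in TABLE[part][lvl] for part in suite):
            return lvl
    return None

if __name__ == "__main__":
    for s in ("ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5"):
        print(f"{s:32} -> {minimum_level(s)}")
```

Because the levels are nested, a suite reported as "high" is also accepted at "med" and "low", but refused at "max".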

The previously used constants _SckSSLv2, _SckSSLv3 and _SckTLSv1 are no longer required. If one of these constants is specified, the medium security level is used.

SOA service

In the configuration file of the SOA service, the security level can be set to the values “med”, “high” or “max” using the parameter “tls_security_level”. The default is the medium level (“med”). The RSA key of the certificate used should be at least 2048 bits long; RSA keys of 1024 bits are no longer considered secure.

Update – 27.05.2015

List of supported cipher suites updated.

Download

List of supported cipher suites: cipher_suites.txt (11.95 KB)
