The intent of this repository is to provide working configuration settings that can be used to implement SSL and TLS with various levels of compatibility and security.
If the information and settings in this repository are correct, then Ivan Ristic's blog and book Bulletproof SSL and TLS or Adam Langley's blog are likely the ones to thank.
If anything in this repository is incorrect then it is definitely my fault. Corrections and suggestions are greatly appreciated via GitHub or Twitter at @TomSellers.
Note: The filenames contain information about platform and compatibility. You may need to switch to the GitHub file listing view to see the full filename.
- Android supports TLS 1.0 since 2.3
- Windows XP does not support AES cipher suites
- Windows Server 2003 does not support AES natively, but support was added in KB948963
- Windows Server 2003 and XP with IE 6 support TLS 1.0 after a configuration change.
- Windows Server 2003 and XP with IE 8 support TLS 1.0 by default.
- Settings provided in this repository change how the Windows operating system (SChannel) handles SSL and TLS. This affects every application that relies on SChannel rather than shipping its own SSL/TLS library.
- 'Max Compatibility' indicates protocol support for SSL 3.0 and TLS 1.0, 1.1, 1.2
- 'High Security' indicates cipher suite settings that break Internet Explorer 6 era code by removing RC4 and 3DES.
- Select a Cipher_Suites file matching your desired level of compatibility and security. Cipher suite selection dictates:
  - Key agreement/key exchange protocols such as RSA, DSA, DH, ECDH, ECDHE
  - Symmetric encryption algorithms such as AES, RC4, 3DES
  - Message authentication algorithms such as MD5, SHA1, SHA256, SHA384
- Select an SChannel_config file matching your level of compatibility and security. SChannel settings dictate:
  - SSL / TLS protocols supported such as SSL 2.0, 3.0, and TLS 1.0, 1.1, 1.2
  - Enabling or disabling certain ciphers entirely such as NULL, DES, RC2, RC4
- Download these to your server.
- Review all the settings and make sure you understand them! ** NO WARRANTY **
- Double click to install each, review and accept each warning message.
- Restart the server.
- Test with Qualys' SSL Labs site - https://www.ssllabs.com/ssltest/analyze.html
- Test with representative clients.
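The following audit script is an added example and is not one of the files in this repository. It reads the SChannel registry keys that the SChannel_config files change (protocol and cipher Enabled / DisabledByDefault values) and the policy key where a cipher suite order is stored, so you can record the state of a server before importing a file and confirm the result after the restart, before going to SSL Labs. It assumes an elevated PowerShell session on Windows, the standard SChannel registry locations, and that the Cipher_Suites files write the suite order to the `Cryptography\Configuration\SSL\00010002` policy key (the location used by the Windows cipher suite order policy); the key names containing `/` are opened through the .NET registry API because the PowerShell registry provider treats `/` as a path separator.

```powershell
# Added example, not part of the repository: report the SChannel state that the
# .reg files in this repository modify. Run elevated; read-only.
# Assumption: cipher suite order is in the Windows cipher suite order policy key.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$suiteKey = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
# Cipher key names as SChannel spells them; several contain '/', hence the .NET API below.
$ciphers   = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
             'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
             'Triple DES 168', 'AES 128/128', 'AES 256/256'

function Get-SChannelState {
    # Translate the Enabled / DisabledByDefault DWORDs under a key into a label.
    # A missing key or value means SChannel falls back to the OS default.
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return 'default (key absent)' }
    try {
        $enabled = $key.GetValue('Enabled')            # 0 = off, 1 or 0xFFFFFFFF = on
        $dbd     = $key.GetValue('DisabledByDefault')  # 1 = only when an app asks
    } finally { $key.Close() }
    $state = 'default (value absent)'
    if ($null -ne $enabled) {
        $state = if ($enabled -eq 0) { 'DISABLED' } else { 'enabled' }
    }
    if ($dbd -eq 1) { $state += ' (DisabledByDefault)' }
    return $state
}

'== Protocols (Server side) =='
foreach ($p in $protocols) {
    '{0,-16} {1}' -f $p, (Get-SChannelState -SubKey "$schannel\Protocols\$p\Server")
}

"`n== Ciphers =="
foreach ($c in $ciphers) {
    '{0,-16} {1}' -f $c, (Get-SChannelState -SubKey "$schannel\Ciphers\$c")
}

"`n== Cipher suite order (policy key) =="
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($suiteKey)
if ($null -eq $key) {
    'Policy key absent: OS default order applies.'
} else {
    try { $functions = $key.GetValue('Functions') } finally { $key.Close() }
    if (-not $functions) {
        'Functions value absent: OS default order applies.'
    } else {
        $suites = $functions -split ','
        $suites
        # Suites the 'High Security' files are meant to remove; any hit means the
        # wrong file was imported or the server has not been restarted yet.
        $weak = $suites | Where-Object { $_ -match 'RC4|3DES|NULL|MD5|EXPORT' }
        if ($weak) { "`nWEAK suites still present:"; $weak }
        else       { "`nNo RC4/3DES/NULL/MD5/EXPORT suites in the configured order." }
    }
}

# Newer Windows versions ship the TLS cmdlets; they show the order SChannel actually uses.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    "`n== Effective cipher suite order (Get-TlsCipherSuite) =="
    (Get-TlsCipherSuite).Name
}
```

Run it once before importing a file and once after the restart, and compare the two outputs; the registry reflects an imported .reg file immediately, but SChannel only picks the change up after the restart, which is why the effective order from `Get-TlsCipherSuite` (where available) can differ from the policy key until then.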