SSL/TLS Cipher Priority

I am working on trying to make sense of what is required for both PCI DSS compliance as well as FIPS compliance in relation to SSL/TLS cipher suites. I have been reading the guide here and here. However, I have not been able to find anything that states what order or priority I should list the ciphers in. I can see which ones I need to use and disable, but I assume that there is a priority that should be followed for them as well. This is primarily for Windows servers, and later I would look at performing the same on Linux servers running Apache.


It depends on the version of Windows/IIS. In 2003 (IIS 6) and earlier, this can't be done. You can only enable/disable ciphers. In Windows 2008 (IIS 7) and later, you can do this through a GPO (if you're domain joined, and I'm guessing this server isn't if it's PCI compliant).

More info here: http://technet.microsoft.com/en-us/library/cc766285(v=ws.10).aspx
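As an added example (not part of the answer above), the script below audits the SCHANNEL cipher suite order that the "SSL Cipher Suite Order" GPO writes on Windows Server 2008 / IIS 7 and later, comparing it against an allow-list. The policy registry key is the one that GPO populates; the suite names in `$Required`, the function names and the `Get-TlsCipherSuite` fallback (Windows 8.1 / 2012 R2 and later) are assumptions of this example, not a PCI DSS or FIPS mandate.

```powershell
# Path the "SSL Cipher Suite Order" GPO writes its comma-separated list to
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherOrder {
    # Returns the suite order set by policy, or $null when no policy is applied
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherOrder {
    param(
        [string[]]$Actual,    # effective order on the host
        [string[]]$Required   # allow-list, in the relative order it should be offered
    )
    $problems = @()
    # 1. every allow-listed suite must actually be enabled
    foreach ($s in $Required) {
        if ($Actual -notcontains $s) { $problems += "missing: $s" }
    }
    # 2. anything enabled that is not allow-listed is a finding: disable it, don't just de-prioritise
    foreach ($s in $Actual) {
        if ($Required -notcontains $s) { $problems += "not on allow-list: $s" }
    }
    # 3. the allow-listed suites that are present must keep their relative order
    $present   = @($Required | Where-Object { $Actual -contains $_ })
    $positions = @($present | ForEach-Object { [array]::IndexOf($Actual, $_) })
    for ($i = 1; $i -lt $positions.Count; $i++) {
        if ($positions[$i] -lt $positions[$i - 1]) { $problems += "out of order: $($present[$i])" }
    }
    return $problems
}

# Constructed placeholder allow-list; replace it with the suites your assessor signs off on
$Required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
)

$actual = Get-PolicyCipherOrder
if ($null -eq $actual) {
    # No GPO order applied: fall back to the host's own list (needs the TLS module, 2012 R2+)
    $actual = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
}
$findings = Test-CipherOrder -Actual $actual -Required $Required
if ($findings.Count -eq 0) { 'cipher suite order matches policy' } else { $findings }
```

Run it on each server after the GPO has applied (`gpupdate /force`), and keep the output with the other PCI evidence; a non-empty finding list means the host's offered order diverges from what was agreed.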


Why would you assume that there's a priority needed?

No compliance standard that I've ever heard of has recommended a specific priority; after all, if a cipher's insecure, it should be turned off instead of just de-prioritized.

That said, preferring RC4 over CBC-constructed ciphers might be wise until TLS 1.1 is widely deployed; see CVE-2011-3389.