If you import the SSL Scanner rule set from the library, the client and server cipher lists that we recommend are already included.
Example ("Default Certificate Verification"):
Is RC4 support really recommended though? The reason I ask is that our compliance group is complaining about the results from badssl.com which shows support for RC4 and DH1024.
RC4 is placed at the end of the list and the cipher list is sorted by strength (order of encryption algorithm key length).
It is more a fallback (if the server rejects ALL others before).
Please don't get the default setting wrong. When thousands of users use the same default setting you will need to find a setting somewhere between security and usability. The default setting is most likely a good decision to start with and can be adjusted to user needs. A safe cipher list will cause a lot of errors because there are still enough sites using old and weak ciphers. The result would be a high administrative effort to maintain the list of websites which the users still need to access and which administrators have to white-list afterwards.
Feel free to adjust your cipher suite and share your experience with the community, so we all benefit from it.
It would be nice to have McAfee's recommendation, but I think it's important to know what is being done for the more secure browsers on the Internet, such as Chrome and Firefox.
I posted the following elsewhere (as a cipher-suite spec example), but it really belongs here:
I recently did a workup of a cipher-suite spec. for our configuration. This is based on the cipher-suite listing provided at: Qualys SSL Labs - Projects / User Agent Capabilities: Firefox 49 / Win 7
After tinkering with openssl cipher command, this is what I came up with:
Note that the minus sign in the spec. is a little different from the exclamation point. To get the best match, I had to use a minus on ECDH and then add ECDHE back in. You can't do that with the exclamation point.
So, I believe this excludes all CBC (Cipher block chaining) suites which now have a weakness, but it also seems to exclude all plain vanilla DH suites.
Note that there were a couple of cipher suites available in the latest Firefox and Chrome versions that are not available in Web Gateway. I don't remember what they were, but it's easy enough to figure out if anyone's interested.
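The minus-versus-exclamation-point difference John describes is the OpenSSL cipher-string rule that `-` deletes suites but lets a later keyword re-add them, while `!` deletes them for the rest of the string. The following is an added example, not John's spec and not OpenSSL's own code: a simplified model of that rule over a small hand-built cipher table, so the effect of `-ECDH:ECDHE` versus `!ECDH:ECDHE` can be seen without a particular OpenSSL build.

```python
"""Simplified model of OpenSSL cipher-string evaluation (constructed example).

Tokens are ':'-separated keywords, each optionally prefixed with
  '+'  move matching suites to the end of the current list
  '-'  delete matching suites (they may be re-added by a later keyword)
  '!'  delete matching suites permanently (no later keyword can re-add them)
Plain keywords append matching suites that are not already present.
"""

# Constructed table: suite name -> the OpenSSL keyword families it belongs to.
# ECDH covers both ephemeral (ECDHE) and static ECDH suites, as in OpenSSL.
CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"ECDH", "ECDHE", "ECDSA", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-GCM-SHA384":   {"ECDH", "ECDHE", "aRSA", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-SHA":          {"ECDH", "ECDHE", "aRSA", "AES", "SHA1", "HIGH"},
    "ECDH-RSA-AES256-GCM-SHA384":    {"ECDH", "aRSA", "AESGCM", "HIGH"},  # static ECDH
    "DHE-RSA-AES256-GCM-SHA384":     {"DH", "DHE", "aRSA", "AESGCM", "HIGH"},
    "AES256-GCM-SHA384":             {"kRSA", "aRSA", "AESGCM", "HIGH"},
    "RC4-SHA":                       {"kRSA", "aRSA", "RC4", "SHA1", "MEDIUM"},
}


def expand(spec):
    """Return the ordered list of suites selected by a cipher string."""
    selected = []   # enabled suites, in preference order
    killed = set()  # suites removed with '!'; can never come back
    for token in spec.split(":"):
        if not token:
            continue
        op, kw = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        if kw == "ALL":
            matches = list(CIPHERS)
        else:
            matches = [c for c, tags in CIPHERS.items() if kw in tags or kw == c]
        if op == "!":
            killed.update(matches)
            selected = [c for c in selected if c not in matches]
        elif op == "-":
            selected = [c for c in selected if c not in matches]
        elif op == "+":
            moved = [c for c in selected if c in matches]
            selected = [c for c in selected if c not in matches] + moved
        else:
            selected += [c for c in matches if c not in selected and c not in killed]
    return selected


if __name__ == "__main__":
    for spec in ("AESGCM:-ECDH:ECDHE", "AESGCM:!ECDH:ECDHE"):
        print(spec, "->", expand(spec))
```

With the minus form the static ECDH suite is dropped and the ECDHE suites come back at the end of the list; with the exclamation point the ECDHE keyword adds nothing.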
Hi John! Thanks for the information. I guess in its most basic form you would want to strike a balance between security and still being able to access the sites that are required for business.
It looks like you took the approach of finding out what your users browsers support natively and then tailoring the MWG server side ciphers to match. Is that correct?
As for McAfee's recommendation, it looks like is a member of the McAfee tech support team, so I'm assuming his recommendation (the default for the SSL scanner ruleset) is what they would normally recommend. Doesn't seem like it's good enough for our internal compliance folks though. They're not only complaining about the MWG server side supporting RC4, DH1024 and 3DES, but also mixed-script and various HTTP input methods. Might be easier to just unplug...