The setting therefore indicates that the lowest protocol the browser currently supports is SSL 3.0 and the highest is TLS 1.2. If you change security.tls.version.min to 3, the browser will support only TLS 1.2. As mentioned earlier, fewer than 40% of sites currently support TLS 1.2, and Amazon is not among them, so accessing https://amazon.com at this point produces a "Secure Connection Failed" error message, as shown in Figure 1.
Once you understand the SSL/TLS protocol, you can use Wireshark (or a similar packet-capture tool) to view all the cipher suites the browser sends to the server by analyzing the captured packets.
The browser initiates the handshake with a "ClientHello" message, which lists the cipher suites Firefox supports. In Wireshark, sort by the Protocol column, then find a TLS 1.2 message whose Info is "Client Hello". Select it, and in the message details pane below expand Secure Sockets Layer, TLSv1.2 Record Layer, Handshake Protocol, Cipher Suites. The first cipher suite in the example is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, out of a total of 23 sent to the server by the browser.
If you go on to find the message whose Info is "Server Hello", you can find the cipher suite the server returned in a similar location, in this case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
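What Wireshark decodes in the Cipher Suites field can also be read straight from the bytes of the ClientHello record. The following is an added example, not part of the original article: the function names are hypothetical, the record is constructed sample data rather than a real capture, and the name table is a four-entry excerpt of the IANA registry.

```python
import struct

# Small excerpt of the IANA cipher suite registry (ID -> name).
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

def build_sample_client_hello(suite_ids):
    """Construct a minimal ClientHello record (sample data, not a real capture)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello_suites(record):
    """Return the cipher suite IDs in the order the client listed them."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or rec_len < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                        # skip client_version and random
    if len(body) <= pos:
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                # skip session_id (1-byte length prefix)
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]

def suite_names(record):
    """Map the parsed IDs to names, flagging IDs missing from the excerpt."""
    return [SUITE_NAMES.get(s, f"unknown 0x{s:04X}")
            for s in parse_client_hello_suites(record)]

if __name__ == "__main__":
    sample = build_sample_client_hello([0xC02B, 0xC02F, 0xC014, 0x0005])
    for name in suite_names(sample):
        print(name)
```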
The meaning of these long cipher suite names is explained later. Next, the browser waits for the server to respond to its request. Let's take a look at what happens on the server side.
2. Server
Let's take Windows as an example. To see which cipher suites the operating system supports, run gpedit.msc and go to "Computer Configuration", "Administrative Templates", "Network", "SSL Configuration Settings"; the "SSL Cipher Suite Order" item appears on the right side of the window.
Click the "SSL Cipher Suite Order" entry to open it. Here you can see the set of cipher suites the operating system supports and the order in which they are ranked.
If you need to adjust the order here, or remove some weak ciphers, click "Enabled" in the top left corner and then edit the cipher list under Options. If you prefer the command line, you can modify the cipher suite list with the following PowerShell command:
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 -Name Functions -Value "xxx,xxx,xxx"
So what do these long cipher suite names mean? Each name carries four pieces of information, namely:
Key exchange algorithm, which determines how the client and server authenticate each other during the handshake; the algorithms used include RSA, Diffie-Hellman, ECDH, PSK, etc.
Encryption algorithm, used to encrypt the message stream, usually followed by two numbers indicating the length of the key and the length of the initial vector, such as DES 56/56, RC2 56/128, RC4 128/128, AES 128/128, AES 256/256.
Message authentication code (MAC) algorithm, used to create message digests that ensure the integrity of messages (that they have not been tampered with); algorithms include MD5, SHA, etc.
PRF (pseudo-random function), which is used to generate the "master secret".
It seems one would need an introductory book to fully understand everything above (I am overwhelmed). Still, understanding a cipher suite's name is helpful. Take the cipher suite that the server sent back to the client earlier:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
From its name, it:
Is based on the TLS protocol;
Uses ECDHE and RSA as the key exchange algorithm;
Uses AES as the encryption algorithm (the length of both the key and the initial vector is 256);
Uses SHA as the MAC algorithm (here, the hashing algorithm).
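The same reading of a name can be done mechanically. The following is an added example, not part of the original article, and `parse_suite_name` is a hypothetical helper that handles only names of the form PROTOCOL_KX[_AUTH]_WITH_CIPHER..._HASH. It goes slightly beyond the case above: for GCM suites such as the first one in the ClientHello, the trailing hash names the PRF hash rather than a MAC, because integrity comes from the AEAD mode itself.

```python
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
MODES = {"CBC", "GCM"}

def parse_suite_name(name):
    """Split a cipher suite name into the parts described in the text."""
    protocol, _, rest = name.upper().partition("_")
    if protocol not in ("TLS", "SSL") or "_WITH_" not in rest:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    kx_part, enc_part = rest.split("_WITH_", 1)
    kx_fields = kx_part.split("_")
    enc_fields = enc_part.split("_")
    hash_name = enc_fields.pop()          # last field is always the hash
    if hash_name not in HASHES or not enc_fields:
        raise ValueError(f"unsupported cipher suite name: {name!r}")
    mode = next((f for f in enc_fields if f in MODES), None)
    key_bits = next((int(f) for f in enc_fields if f.isdigit()), None)
    aead = mode == "GCM"
    return {
        "protocol": protocol,
        "key_exchange": kx_fields[0],
        # A single field (e.g. RSA) means one algorithm does both jobs.
        "authentication": kx_fields[-1],
        "cipher": enc_fields[0],
        "key_bits": key_bits,             # None when the name carries no size (RC4_128 has one, 3DES does not)
        "mode": mode,                     # None for stream ciphers such as RC4
        # AEAD modes authenticate the data themselves; no separate MAC.
        "mac": "AEAD" if aead else hash_name,
        # SHA256/SHA384 in the name select the TLS 1.2 PRF hash; plain
        # SHA/MD5 suites fall back to the protocol version's default PRF.
        "prf_hash": hash_name if hash_name in ("SHA256", "SHA384")
                    else "protocol default",
    }

if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                  "tls_ecdhe_ecdsa_with_aes_128_gcm_sha256",
                  "TLS_RSA_WITH_RC4_128_SHA"):
        print(suite, "->", parse_suite_name(suite))
```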
Now that the meaning behind the cipher suite name is familiar, let's look at how a web server such as IIS chooses a cipher suite. If the browser's list is [C1, C2, C3] and Windows Server supports [C4, C2, C1, C3], then C1 and C2 are both supported by both sides. Does IIS return C1 or C2 first? The answer is C2. IIS walks through the server's list in order: it takes the first entry, C4, finds that the browser does not support it, then takes the second, C2, which the browser does support. IIS therefore selects C2 and includes it in the "ServerHello" handshake message sent back to the client. This produces the result shown in Figure 5.
3. Select
As a browser user, you can restrict your browser to sites that support the TLS 1.2 protocol, trading a worse experience for better security. As a server maintainer, putting the strongest ciphers first seems to be the right choice. After the successful deployment of an SSL certificate, easy-to-dimensional technology will help users check the server-side cipher suites; one of the problems often reported in our security checks is that the server's default cipher is too weak (RC4-based), so please contact technical support to have it fixed.
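The server-preference selection described for IIS, and the effect of a weak default order, can be reproduced in a few lines. The following is an added example, not part of the original article and not IIS code: the function names, the sample lists and the weak-token list are assumptions chosen for illustration.

```python
# Assumption: a local policy list of name tokens treated as weak.
WEAK_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXPORT"}

def is_weak(suite):
    """True if any underscore-separated token of the name is on the weak list."""
    return bool(WEAK_TOKENS & set(suite.split("_")))

def select_suite(client_offer, server_order):
    """Server-preference selection: the first server entry the client also offers."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake fails

def harden(server_order):
    """Drop weak suites and move GCM suites to the front.

    sorted() is stable, so the remaining suites keep their relative order.
    """
    kept = [s for s in server_order if not is_weak(s)]
    return sorted(kept, key=lambda s: "GCM" not in s.split("_"))

# Constructed sample lists (not taken from a real browser or server).
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
SERVER_DEFAULT = [
    "TLS_RSA_WITH_RC4_128_SHA",          # weak suite ranked first
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    # The abstract case from the text: server order decides, so C2 wins.
    print(select_suite(["C1", "C2", "C3"], ["C4", "C2", "C1", "C3"]))
    # Weak default order: RC4 is chosen although both sides support AES-GCM.
    print(select_suite(CLIENT_OFFER, SERVER_DEFAULT))
    # After hardening, the same client negotiates the GCM suite.
    print(select_suite(CLIENT_OFFER, harden(SERVER_DEFAULT)))
```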