Modifying the SSL Cipher for Web Servers

A cipher suite is a collection of cryptographic algorithms (key exchange, authentication, bulk encryption, and message authentication) that together secure a network connection over SSL/TLS. The cipher string is an OpenSSL-format expression that selects, and orders, the cipher suites your web server offers. By default, the web server for each campaign uses the following cipher string:

EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

The default cipher string provides reasonable security and is accepted by modern browsers, but it also still works with IE 8 and Windows XP. To cover both, it lists forward-secret ECDHE and DHE suites with AES-GCM first and falls back to weaker suites, including 3DES (DES-CBC3-SHA) and static RSA key exchange, only for clients that support nothing better. It disables anonymous suites that do not authenticate the server (!aNULL), suites with no encryption (!eNULL), export-grade suites (!EXPORT), and any suite that uses single DES, MD5, PSK, or RC4.

To strengthen the SSL configuration for your web server even further, you can modify the default cipher string. For example, you may want to disable a particular cipher or cipher class. You do that by appending it to the string, separated by a colon and prefixed with an exclamation point. For example, to disable suites that use DSS authentication, append :!DSS to the cipher string. Two points to keep in mind: the order of the string is the order in which the server prefers the suites, and an entry prefixed with ! removes its suites permanently, so they cannot be re-enabled by a later entry in the same string. You can check what a string actually expands to on a given OpenSSL build with openssl ciphers -v '<cipher string>'.

To modify the SSL cipher string:

  1. From within a project, select Campaigns.
  2. When the Campaigns page appears, go to the Configure a Campaign tab to create a new campaign, or go to the Manage Campaigns tab to choose an existing campaign.
  3. From the campaign configuration form, click the Web Server icon.
  4. When the web server configuration window appears, find the SSL cipher specification option.
  5. Replace the default cipher string with the one you want to use.

     If you leave the field blank, the server falls back to the following cipher string instead. It excludes anonymous DH suites (!ADH), export-grade suites such as 40-bit keys (!EXPORT), and SSLv2, but it still includes RC4 and the LOW-strength suites, so it is weaker than the default string, not stronger. Note also that the ADH keyword covers only anonymous DH; anonymous ECDH (AECDH) suites are not removed by it.

     ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

  6. Save your changes when you are done.
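As an added example (this is not the product's own code), the following Python uses the standard-library ssl module to expand a cipher string into the suites the local OpenSSL would actually offer, in preference order, and to flag the entries a hardening review would question: RC4, 3DES, single DES, MD5 MACs, null or export-grade encryption, anonymous key exchange, and suites without forward secrecy. It runs the default string from above, the default with :!DSS and :!3DES appended as described, and the blank-field fallback. The function names and the list of weak-suite markers are this example's own, and the suites it lists depend on the OpenSSL build Python is linked against (a current build, for instance, no longer ships RC4 or single DES at all).

```python
"""Expand and audit OpenSSL cipher strings using the local OpenSSL build.

Added example for the cipher-string documentation above; not product code.
"""
import ssl

# Cipher strings copied from the documentation: the campaign web server
# default, and the string used when the field is left blank.
DEFAULT_CIPHER_STRING = (
    "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:"
    "DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:"
    "AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)
BLANK_FIELD_CIPHER_STRING = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"


def expand_cipher_string(cipher_string):
    """Return the suite names, in server preference order, that the local
    OpenSSL selects for cipher_string (equivalent to `openssl ciphers -v`).
    Raises ssl.SSLError if no suite at all matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists the fixed TLS 1.3 suites, which a cipher
    # string does not control; drop them so only the configurable list remains.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def disable(cipher_string, *keywords):
    """Append ':!KEYWORD' entries, the way the documentation describes (':!DSS')."""
    return cipher_string + "".join(":!" + k for k in keywords)


# Substrings of OpenSSL suite names and the reason a review would flag them.
# Example's own list; extend it to match your policy.
WEAK_MARKERS = [
    ("RC4", "RC4 stream cipher"),
    ("DES-CBC3", "3DES (64-bit block cipher)"),
    ("DES-CBC-", "single DES (56-bit key)"),
    ("MD5", "MD5 MAC"),
    ("NULL", "no encryption"),
    ("EXP", "export-grade key length"),
    ("ADH-", "anonymous DH, no server authentication"),
    ("AECDH-", "anonymous ECDH, no server authentication"),
]
# Suites whose key exchange is ephemeral (forward secret). Everything else
# uses a static key (e.g. plain RSA key transport) and is flagged.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-")


def flag_weak_suites(names):
    """Map each suite name that should raise a question to its list of reasons.
    Pure string inspection, so it is deterministic and needs no OpenSSL."""
    findings = {}
    for name in names:
        reasons = [why for marker, why in WEAK_MARKERS if marker in name]
        if not name.startswith(FORWARD_SECRET_PREFIXES):
            reasons.append("no forward secrecy (static key exchange)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    variants = [
        ("default", DEFAULT_CIPHER_STRING),
        ("default + !DSS + !3DES", disable(DEFAULT_CIPHER_STRING, "DSS", "3DES")),
        ("blank field fallback", BLANK_FIELD_CIPHER_STRING),
    ]
    for label, cipher_string in variants:
        names = expand_cipher_string(cipher_string)
        print(f"== {label}: {len(names)} suites, first is {names[0]}")
        for name, reasons in flag_weak_suites(names).items():
            print(f"   {name:32s} {'; '.join(reasons)}")
```

Run it once with the default string and once after each change you make; the number of suites should only go down when you append a ! entry, and the report shows exactly which legacy suites remain for old clients.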