How To Force 256 Bit Encryption Using GnuTLS in Ubuntu

In my quest to have the most secure mail server on the planet I keep tinkering with my SSL settings. In my latest experiment I wanted to see if I could force 256 bit encryption. Before my experiment, in my Apache config for SSL I had the following GnuTLSPriorities set:

GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSA

That was pretty good, but most browsers would revert back to 128 bit cyphers for performance. I wanted to force 256 bit for security damn it!

I decided to add a few more entries under GnuTLSPriorities that removed anything less than 256 bit ciphers. I changed my config to read:

GnuTLSPriorities Secure256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSA:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC

What that does is restricts everything to TLS 1.1 or TLS 1.2 and only uses the following ciphers:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Of course not all browsers will support this configuration, but since I'm the only one using my mail server, I don't care. It is something for you to think about though.

Related articles

• The End-of-Life of Windows XP and SSL/TLS Configurations
• Strong SSL/TLS Cryptography in Apache and Nginx
• Apple vulnerability points to importance of secure password measures
• How To Upgrade From SSL to GnuTLS for Apache in Ubuntu