
ssl_prefer_server_ciphers on is not needed

2018-06-25

When I configured the web server for this blog I intentionally set:

ssl_prefer_server_ciphers off

Why? Because I don’t know which cipher is the fastest/most secure on the client side.

This blog only has TLS 1.2 enabled and the following ciphers (with ECDHE key exchange):

Of these ciphers, only AES128-SHA256 and AES256-SHA384 are not AEAD. However, many older browsers/devices only implement the CBC variant of AES in ECDHE mode (and not CCM/GCM or CHACHA20), so these two are needed as a fallback.

If only strong ciphers (and a strong TLS version and key exchange) are defined, there is no need to specify ssl_prefer_server_ciphers on.

For example, if AES256-GCM-SHA384 is the preferred cipher on the server side, the client will use it instead of the potentially faster CHACHA20-POLY1305 (on slower devices or devices without AES-NI).
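The selection rule behind this example, as an added sketch that is not part of the original post or of nginx/OpenSSL code. The server list, the client profiles and all function names are constructed for illustration; the blog's actual cipher list is not reproduced here.

```python
# Added example: models which suite a TLS 1.2 server picks with
# ssl_prefer_server_ciphers off vs on. All lists below are constructed.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

# Assumed server list (OpenSSL names), AES256-GCM first as in the paragraph above.
SERVER_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",  # CBC fallback
    "ECDHE-RSA-AES128-SHA256",  # CBC fallback
]

# Constructed client offers, each in the client's own preference order.
CLIENTS = {
    "phone without AES-NI": ["ECDHE-RSA-CHACHA20-POLY1305",
                             "ECDHE-RSA-AES128-GCM-SHA256",
                             "ECDHE-RSA-AES256-GCM-SHA384"],
    "desktop with AES-NI": ["ECDHE-RSA-AES128-GCM-SHA256",
                            "ECDHE-RSA-AES256-GCM-SHA384",
                            "ECDHE-RSA-CHACHA20-POLY1305"],
    "legacy CBC-only device": ["ECDHE-RSA-AES128-SHA256",
                               "ECDHE-RSA-AES256-SHA384"],
}

def negotiate(client_offer, server_ciphers, prefer_server_ciphers):
    """First mutually supported suite, walking the list of the side with priority."""
    if prefer_server_ciphers:
        ordered, other = server_ciphers, client_offer
    else:
        ordered, other = client_offer, server_ciphers
    allowed = set(other)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None  # no overlap: the handshake fails

def is_aead(suite):
    """True for GCM/CCM/CHACHA20 suites, False for the CBC fallbacks."""
    return any(marker in suite for marker in AEAD_MARKERS)

def compare(clients=CLIENTS, server=SERVER_CIPHERS):
    """Map client name -> (suite with preference off, suite with preference on)."""
    return {name: (negotiate(offer, server, False), negotiate(offer, server, True))
            for name, offer in clients.items()}

if __name__ == "__main__":
    for name, (off, on) in compare().items():
        print(f"{name:24} off={off:30} on={on:30} aead_off={is_aead(off)}")
```

With either setting the negotiated suite is always a member of the server's list, so the list itself is the security boundary; the directive only decides whose ordering wins.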

In practice only the following ciphers are used:

Browser vendors have a much better overview of which cipher is fastest on the device the browser is running on, so don’t force a potentially slower cipher by specifying ssl_prefer_server_ciphers on.