1

I am curious as to what causes the SSL session to choose one cipher over another. I am a total novice with this, so most answers out there already are way over my head.

Example: I need to connect to two different servers - A and B. Both appear to have certificates with the same signature Algorithm - SHA256 with RSA and both are owned by the same company.

Both return the same list of available ciphers in the Cipher Suites:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

However, connection to server A selects the first option: SSL_RSA_WITH_RC4_128_MD5.

While connection to server B selects the fourth: TLS_DHE_RSA_WITH_AES_128_CBC_SHA.

My question is what causes the connection to server B to select the fourth option that includes DHE? Is it something different on the certificates, or is there something else affecting it?

Anders
  • 65,052
  • 24
  • 180
  • 218
Ian
  • 11
  • 1
  • Have you verified that the client is sending the same TLS version and cipher list in both cases? If they differ, that would be the most likely explanation. – gowenfawr Nov 03 '17 at 12:35

2 Answers

4

In the first step the server aligns the ciphers offered by the client with the ciphers configured for the server to get a set of common ciphers. From this set the server then selects a single cipher. There are various strategies possible for this selection but usually it boils down to a selection either on the cipher order given by the client or the order configured in the server.

What you see here is probably a different value of the SSLHonorCipherOrder option in Apache (and similar options in other servers). With SSLHonorCipherOrder on it will choose the cipher depending on the preference of the server and thus pick from the top of the server's list, i.e. SSL_RSA_WITH_RC4_128_MD5 in this case. With SSLHonorCipherOrder off it will instead choose the cipher depending on the client's preference and choose the better cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA.

Both appear to have certificates with the same signature Algorithm - SHA256 with RSA and both are owned by the same company.

The certificate does not have much relevance for choosing the cipher. You can only use ciphers with RSA authentication with RSA certificates and ciphers with ECDSA authentication with ECDSA certificates but apart from that there is no dependence.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
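The two-step selection described in this answer (intersect the client's offer with the server's configured suites, then pick one by either the server's or the client's order) is easy to reproduce outside a real handshake. The following Python simulation is an added example, not code from the answer, from Apache or from any TLS library. It uses the cipher list from the question as the client's offer; the two server configurations (SERVER_RC4_FIRST and SERVER_DHE_FIRST), the cert_auth parameter and the honor_server_order flag are constructed assumptions standing in for a server's SSLCipherSuite and SSLHonorCipherOrder settings. It also applies the certificate rule from the last paragraph: suites whose key exchange authenticates with DSS or ECDSA are dropped when the server only has an RSA certificate, and the renegotiation SCSV is never a selectable cipher.

```python
"""Simulate how a TLS server picks one cipher suite from the client's offer.

Step 1: keep only suites the server has configured and can use with its
        certificate (RSA cert -> RSA-authenticated suites only).
Step 2: pick by server preference (SSLHonorCipherOrder on) or by client
        preference (SSLHonorCipherOrder off).
"""
from typing import Iterable, List, Optional

# Client offer, in the client's own preference order (the list from the question).
CLIENT_OFFER: List[str] = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # signalling value, not a cipher
]

# Constructed server configurations (assumptions; not the real servers A and B).
SERVER_RC4_FIRST: List[str] = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
SERVER_DHE_FIRST: List[str] = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]


def auth_method(suite: str) -> Optional[str]:
    """Return the authentication algorithm a suite needs ("RSA", "DSS" or
    "ECDSA"), derived from the key-exchange part of its name, or None for
    signalling values such as the renegotiation SCSV."""
    if suite.endswith("_SCSV"):
        return None
    # "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" -> "DHE_RSA"; "SSL_RSA_EXPORT_WITH_..." -> "RSA_EXPORT"
    kx = suite.split("_", 1)[1].split("_WITH_")[0]
    if kx.endswith("_EXPORT"):
        kx = kx[: -len("_EXPORT")]
    for auth in ("ECDSA", "DSS", "RSA"):
        if kx.endswith(auth):
            return auth
    return None


def usable_with_cert(suites: Iterable[str], cert_auth: str) -> List[str]:
    """Suites the server can actually complete with its certificate type."""
    return [s for s in suites if auth_method(s) == cert_auth]


def select_cipher(client_offer: List[str], server_config: List[str],
                  cert_auth: str = "RSA", honor_server_order: bool = True) -> Optional[str]:
    """Pick the suite a server would negotiate, mimicking SSLHonorCipherOrder.

    Returns None when there is no shared cipher (the handshake would fail)."""
    usable = set(usable_with_cert(server_config, cert_auth))
    common = [s for s in client_offer if s in usable]  # preserves client order
    if not common:
        return None
    if honor_server_order:
        common_set = set(common)
        return next(s for s in server_config if s in common_set)  # first by server order
    return common[0]  # first by client order


if __name__ == "__main__":
    for name, cfg in (("RC4-first server", SERVER_RC4_FIRST), ("DHE-first server", SERVER_DHE_FIRST)):
        for honor in (True, False):
            chosen = select_cipher(CLIENT_OFFER, cfg, honor_server_order=honor)
            print(f"{name:17s} SSLHonorCipherOrder={'on ' if honor else 'off'} -> {chosen}")
```

Running it shows the point of the answer: with the server's order honored, the outcome is whatever the server lists first among the common suites, so a server that lists RC4 first negotiates SSL_RSA_WITH_RC4_128_MD5 while one that lists DHE first negotiates TLS_DHE_RSA_WITH_AES_128_CBC_SHA; with the client's order honored, both constructed servers fall back to the client's first offer, RC4-MD5. Swapping cert_auth to "DSS" makes the DHE_DSS suites selectable and drops the RSA ones, which is the only influence the certificate has here.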
2

This is up to the server. For Apache (mod_ssl) and Nginx you can override the default order preferences and acceptable suites.

For example - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite

The defaults will vary between versions based on what the developers view as secure / efficient.

To expand, there are two major metrics on choosing which cipher to use: security and performance. On a low-resource server providing low-risk services you may choose to prefer a less secure but less CPU-intensive cipher, although on modern hardware the performance hit is close to negligible.

Hector
  • 10,923
  • 3
  • 41
  • 44