Hi folks,

I've been off the list for a bit, getting ducks in a row here and everything.
I noticed a number of posts about SSL & TLS security settings lately and I 
wanted to point out that maintaining your SSL configurations is an ongoing 
process.
New exploits are discovered and released quite often, and often the fault lies 
with a cipher and not necessarily an overall SSL/TLS protocol.
So using a cipher list like "all except RC4" is probably not sufficient anymore.
And what is secure may depend completely on the SSL/TLS software you use, be it 
OpenSSL or Java's built in SSL libraries.
For example, with OpenSSL, you should be using 1.0.1t or higher, and even then 
only TLS1.2 with a handful of ciphers.
I'm not sure what the recommended options for Java's libraries are at the 
moment.
A really good, free tool is Qualys' SSL Labs server test tool located at: 
https://www.ssllabs.com/ssltest/
Run that against your implementation and follow its recommendations.

Of course, at the end of the day, it will be up to you and your firm to decide 
what risks you are willing to take with your SSL communications and whether or 
not you need to support insecure browsers, i.e. browsers that cannot negotiate 
up to the most secure protocol and ciphers.

Jeffrey Janner
p.s. Qualys also has a test suite for the browsers that you use.
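
To make the cipher-level point concrete, here is an added example (my own code, not from the post, Qualys or OpenSSL) that parses lines in the `openssl ciphers -v` format and flags suites a strict TLS 1.2 config should still drop; none of the flagged suites in the constructed SAMPLE is RC4, which is exactly the "all except RC4" problem described above. The `audit_cipher_string` helper assumes Python 3.6+ (for `ssl.SSLContext.get_ciphers()`) and audits whatever OpenSSL that Python is linked against.

```python
import re
import ssl

# One `openssl ciphers -v` line: "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1".
# Enc may lack "(bits)" (Enc=None); any trailing " export" marker is ignored.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)
WEAK_ENC = {"RC4", "3DES", "DES", "RC2", "None"}

# Constructed sample in `openssl ciphers -v` format (not captured from a real host).
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD",
    "AES256-SHA256               TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256",
    "DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1",
    "ADH-AES128-SHA              SSLv3   Kx=DH       Au=None Enc=AES(128)  Mac=SHA1",
    "EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export",
]

def weaknesses(s):
    """Reasons a parsed suite should not be offered; empty list if none."""
    bits = int(s["bits"]) if s["bits"] else None
    reasons = []
    if s["au"] == "None":
        reasons.append("no server authentication (anonymous key exchange)")
    if s["enc"] in WEAK_ENC:
        reasons.append(f"weak cipher {s['enc']}")
    elif bits is not None and bits < 128:
        reasons.append(f"only {bits}-bit encryption")
    if s["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if s["kx"].startswith("RSA"):  # also covers Kx=RSA(512) export suites
        reasons.append("no forward secrecy (RSA key exchange)")
    return reasons

def audit(lines):
    """Map each suite that should be dropped to its list of reasons."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())  # non-cipher lines are skipped, not guessed at
        reasons = weaknesses(m.groupdict()) if m else []
        if reasons:
            findings[m.group("name")] = reasons
    return findings

def audit_cipher_string(spec):
    """Expand spec with the local OpenSSL (Python 3.6+); TLS 1.3 suites are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return audit(c["description"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")
```

The protocol column in `openssl ciphers -v` output is the lowest version a suite works with, not what gets negotiated, so limiting the server to TLS 1.2 is a separate setting from the cipher list.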
