IMPLEMENTED SSL/TLS STANDARDS
- TLS Protocol Version 1.0 (RFC 2246) (ST 2.1 and up)
- TLS Protocol Version 1.1 (RFC 4346) (ST 2.2 and up)
- TLS Protocol Version 1.2 (RFC 5246) (ST 2.3 and up)
- AES Cipher Suites (RFC 3268)
- ECC Cipher Suites (RFC 4492)
- Secure Renegotiation (RFC 5746)
- Encrypt-then-MAC (RFC 7366)
OTHER SSL/TLS SECURITY FEATURES
- TRUE 128/192/256 bit encryption Many implements put a cap on security by only allowing public keys up to a limitied size. If the public keys are only 2048, you will get at most 112 bit security. StreamSec Tools 2.x supports RSA, DH and DHE keys of any size. The server will use the RFC 3526 MODP groups of at least 2048 bits, configurable up to 8192 bits. If 256 bit encryption is required, use ECDSA_ECDHE with the prime521 curve.
- RSA, RSA_DHE, DSS_DHE, DH, RSA_ECDHE, ECDSA_ECDH and ECDH key exchange algorithms.
- Support for RSA, DSS, DH, ECDSA, ECDH certificates with keys of any size and with both SHA-1 and SHA-2 signature digest algorithms.
- Automatic certificate chaining using independent trust lists and with an OS indpendent implementation.
- All cipher suites that provide server authentication are also compatible with client certificate authentication. Optionally, the server might be configured to let the clients send their client certificates encrypted, in which case a second handshake is initiated immediately after the first, before any application data is sent.
- Resumed sessions MUST use the same cipher suite as the original connections.
- Client initiated renegotiation is only allowed when client certificate authentication is in use. Clients are not allowed to change client certificate when renegotiating. This prevents both some DoS attacks and some MITM attacks.
- Server side support for TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks.
- Clients and servers support application specific AES-CTR, TwoFish-CTR and BlowFish-CTR cipher suites, which are immune against BEAST and similar attacks.