Update 2019-09-06:
Due to the latest vulnerabilities, this seems to be the best right now:
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:DHE+AESGCM:DH+AESGCM:ECDHE+ECDSA:EECDH:DHE:DH:aRSA+AESGCM:HIGH:MEDIUM:!NULL:!aNULL:!3DES:!SEED:!DSS:!RSA+CAMELLIA
Hello!
The latest Cisco WSA Release Notes for AsyncOS 11.5.1 contain a recommendation for cipher suites.
Can anyone explain to me why Cisco would recommend the following:
EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA
I would rather recommend the following for best performance, compatibility and security:
ECDHE+ECDSA:EECDH:DHE:HIGH:MEDIUM:!NULL:!eNULL:!aNULL:!3DES:!SEED:!DSS:!RSA+CAMELLIA
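To see what each of the three strings above actually selects, they can be expanded with OpenSSL and compared by preference order, forward secrecy, AEAD use and leftover DSS, anonymous or 3DES suites. This is an added example, not part of the original post or of Cisco's documentation; the dictionary labels and function names are made up here, and the result reflects the OpenSSL build linked into the local Python, not the one on the WSA.

```python
import ssl

# Cipher strings copied from the post; the dictionary labels are added here.
CIPHER_STRINGS = {
    "update_2019": ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:DHE+AESGCM:DH+AESGCM:"
                    "ECDHE+ECDSA:EECDH:DHE:DH:aRSA+AESGCM:HIGH:MEDIUM:"
                    "!NULL:!aNULL:!3DES:!SEED:!DSS:!RSA+CAMELLIA"),
    "cisco_11_5_1": ("EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:"
                     "!SEED:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:"
                     "!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:"
                     "DHE-RSA-AES128-SHA"),
    "poster_original": ("ECDHE+ECDSA:EECDH:DHE:HIGH:MEDIUM:!NULL:!eNULL:!aNULL:"
                        "!3DES:!SEED:!DSS:!RSA+CAMELLIA"),
}


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not governed by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def summarize(cipher_string):
    """Classify the expanded suites by the properties that matter for review."""
    suites = expand(cipher_string)
    names = [c["name"] for c in suites]
    return {
        "total": len(suites),
        "first": names[0] if names else None,  # the server's top preference
        "forward_secret": sum("dhe" in (c["kea"] or "") for c in suites),
        "static_rsa": [c["name"] for c in suites if c["kea"] == "kx-rsa"],
        "aead": sum(bool(c["aead"]) for c in suites),
        "dss_auth": [c["name"] for c in suites if c["auth"] == "auth-dss"],
        "anonymous": [c["name"] for c in suites if c["auth"] == "auth-null"],
        "triple_des": [n for n in names if "DES-CBC3" in n],
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, cipher_string in CIPHER_STRINGS.items():
        print(label)
        for key, value in summarize(cipher_string).items():
            print(f"  {key}: {value}")
```

The `static_rsa` list shows which suites without forward secrecy each string still permits, and `first` shows what a server honoring its own order would negotiate with a modern client.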