Forum Discussion

Sriram_Shanmuga's avatar
Sriram_Shanmuga
Icon for Altostratus rankAltostratus
Oct 03, 2018

How to disable weak cipher from Client SSL Profile

Hi, We have disabled few ciphers and we have rating "A" in qualys ssl checker portal. We have a requirement to disable weak ciphers as well.

 

Could some one advice how to disable weak ciphers. Please find the attachment for reference.

 

Thanks

 

 

  • By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.

     

25 Replies

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Kaustubh,

       

      Thanks for your suggestions. I will update you once the changes has been made.

       

      thanks Sriram

       

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Kaustubh,

       

      I have made the changes suggested by you and i got the below output from ssl checker.

       

      Thanks for your suggestions

       

      Regards Sriram

       

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Kaustubh,

       

      After the change the TLS 1.0,1.1 was enabled.

       

      Our requirement is to have TLS 1.2 alone and rest all protocols should be disable.

       

      Please suggest a cipher for this requirement.

       

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Kaustubh,

       

      Thanks for your suggestions. I will update you once the changes has been made.

       

      thanks Sriram

       

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Kaustubh,

       

      I have made the changes suggested by you and i got the below output from ssl checker.

       

      Thanks for your suggestions

       

      Regards Sriram

       

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Kaustubh,

       

      After the change the TLS 1.0,1.1 was enabled.

       

      Our requirement is to have TLS 1.2 alone and rest all protocols should be disable.

       

      Please suggest a cipher for this requirement.

       

  • By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.

     

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Lokesh,

       

      Thanks for your suggestions.

       

      After making the changes, i got the below output.

       

  • By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.

     

    • Sriram_Shanmuga's avatar
      Sriram_Shanmuga
      Icon for Altostratus rankAltostratus

      Hi Lokesh,

       

      Thanks for your suggestions.

       

      After making the changes, i got the below output.

       

  • Hello.

     

    I realize this article is 3 years old, but i am facing a similar issue. From our Sec team, they want us to disable CBC Ciphers. They are showing up as weak on a Qualys SSL Scan. I have tried using "!CBC" in my cipher string, but it wont let me save that. Currently we use the following in our Cipher Strings in the SSL Profile below. Any help would be appreciated

     

    DEFAULT:!TLSv1:!TLSv1_1:!DES:!RC4:!DHE

     

     

    • Mmathew-AMS's avatar
      Mmathew-AMS
      Icon for Nimbostratus rankNimbostratus

      Hi Dhebal76, did you get to solve this problem. Pls share the Cypher string used

      • iHugoF's avatar
        iHugoF
        Icon for Nimbostratus rankNimbostratus

        This worked for me:

        ECDHE:!RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256