Forum Discussion

aquispe17_31055's avatar
aquispe17_31055
Icon for Nimbostratus rankNimbostratus
May 21, 2018

SSL Ciphers (SSLLabs) Warning

Hi everyoe, I ran a test SSL over an web application and received various warnings about weak cipher. How can i close this ciphers protocols?

 

TLS1.2:

 

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits FS WEAK TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK

 

TLS 1.1

 

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits FS WEAK TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK

 

  • Disable below cipher in-order to eliminate weak cipher list. I have tested in LAB and all weak cipher gone. Suggest you to test in LAB environment and share feedback. Most important thing, don't play with default client-ssl profile.

    Disable below ciphers to eliminate weak TLS cipher.

    TLS1.2

        AES256-GCM-SHA384
        AES256-SHA256
        AES256-SHA
        DHE-RSA-CAMELLIA256-SHA
        CAMELLIA256-SHA
    

    TLS 1.1

        AES256-SHA
        DHE-RSA-CAMELLIA256-SHA
        CAMELLIA256-SHA
    

    Share your feedback.

  • Disable below cipher in-order to eliminate weak cipher list. I have tested in LAB and all weak cipher gone. Suggest you to test in LAB environment and share feedback. Most important thing, don't play with default client-ssl profile.

    Disable below ciphers to eliminate weak TLS cipher.

    TLS1.2

        AES256-GCM-SHA384
        AES256-SHA256
        AES256-SHA
        DHE-RSA-CAMELLIA256-SHA
        CAMELLIA256-SHA
    

    TLS 1.1

        AES256-SHA
        DHE-RSA-CAMELLIA256-SHA
        CAMELLIA256-SHA
    

    Share your feedback.

    • Samir_Jha_52506's avatar
      Samir_Jha_52506
      Icon for Noctilucent rankNoctilucent

      !
      use in beginning to disable cipher. See the below example

      example

       DEFAULT:!AES256-SHA:!DHE-RSA-CAMELLIA256-SHA:!CAMELLIA256-SHA
      
    • Snl's avatar
      Snl
      Icon for Cirrostratus rankCirrostratus

      sample is below

       

      !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4