Please keep in mind this is valid as of the end of March 2020. The weaker ciphers were removed via a new configuration set by my web host. I did not get to learn how to fish, so-to-speak. The problem with cryptography is that it’s hard for someone outside of the field to know how to compare the strengths of the various algorithms and key sizes, or which protocols or algorithms are known to have weaknesses. But it’s a deep field you’ll end up needing to understand the different families and types of cryptographic algorithms, key sizes, protocols, weaknesses, attacks, public key infrastructure, TLS, and network security. Once you have solved your immediate problem and have your services configured securely based on the recommendations of experts in the field, you can consider spending more time digging deeper into this topic.
Sites like Mozilla’s SSL Configuration Generator are a great way to obtain a clear list of ciphers that best meet your security needs. Method 1įor now, you probably would be best and most quickly served by relying on others who have studied cryptography and network security, and who offer their recommendations freely as a service. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you. I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. It would also be incredibly useful to know how to have the server define a preferred cipher and to know which is considered the strongest if possible please. A good reference URL with such a table (and where on the page if it’s more than just a few paragraphs) would be very helpful.
Just enough that I can detect the pattern of how the test references the same ciphers as Apache (or whichever software directly handles all of this). Learning is the detection of patterns so I’m really looking for an answer with a table where column A lists the ciphers from the SSL Labs test and column B references how they are referenced (to be defined (for stronger ciphers) and disabled for weaker ciphers). In that example how do I remove something not defined? Secondly it suggests removing CBC though that is not defined in the first list. The list says to remove two ECDHE and the rest don’t have ECDHE. Here is my attempt to make the lists look more similar to each other: I made numerous other search queries and spent hours reading through documentation, standards and forums without luck. I attempted to reference the TLS 1.2 standard as well as some documentation from OpenSSL. I attempted to "translate" though after updating the values in both sections and running cPanel’s AutoSSL I still got the same results on the test.
The test lists the following ciphers as being weak: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. I have everything except TLS 1.2 and TLS 1.3 disabled and many less secure ciphers disabled. The Exim Configuration Manager currently has a field " SSL/TLS Cipher Suite List" which is set to ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256.The Apache Configuration has a field " SSL/TLS Protocols" which is currently defined as ALL:!ADH:!AECDH:!EDH:!RC4:+HIGH:+MEDIUM:-LOW:-EXP.WHM Cipher DefinitionsĬiphers seem to be listed in two places: Exim Configuration Manager and Apache Configuration ⇨ Exim Configuration Manager. The trouble seems to stem from the fact that there is little-to-no consistency in how ciphers are referenced or even where they are defined. I have previously removed less secure ciphers from WHM (Web Host Manager) however it has been a while and I want to learn how to fish, not be handed a fish. All we need is an easy explanation of the problem, so here it is.