
Weak ciphers listed in report that are not implemented

Question asked by Jamie Burchell on May 1, 2019
Latest reply on May 8, 2019 by Rob Moss

Hello

I've just discovered two weak ciphers listed on a report I just did:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128

I only have these ciphers configured:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256

Which ones from my list should be removed?

Note that both reported "weak" ciphers appear on the SSL and TLS Deployment Best Practices page

Apache 2.4.6 and OpenSSL 1.0.2k-fips on CentOS 7.6
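
The report prints IANA suite names, while the configured list uses OpenSSL names, in which an AES suite without GCM in its name is a CBC-mode suite. The following added example (not part of the original post or any reply) translates between the two naming schemes and matches the reported entries against the configured list; the function names are hypothetical and only the suite families shown in the post are handled.

```python
import re

# Added example: parses only the ECDHE AES/CHACHA20 suite names seen in the post.
_SUITE = re.compile(
    r"^ECDHE-(?P<auth>RSA|ECDSA)-"
    r"(?:AES(?P<bits>128|256)(?P<gcm>-GCM)?-(?P<mac>SHA256|SHA384)"
    r"|(?P<chacha>CHACHA20-POLY1305))$"
)

# Configured cipher list and reported entries, copied from the post.
CONFIGURED = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
]
REPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]


def openssl_to_iana(name):
    """Translate an OpenSSL suite name to its IANA name."""
    m = _SUITE.match(name)
    if m is None:
        raise ValueError(f"suite not handled by this example: {name}")
    prefix = f"TLS_ECDHE_{m['auth']}_WITH_"
    if m["chacha"]:
        return prefix + "CHACHA20_POLY1305_SHA256"
    # OpenSSL omits the mode from the name when the suite uses CBC.
    mode = "GCM" if m["gcm"] else "CBC"
    return f"{prefix}AES_{m['bits']}_{mode}_{m['mac']}"


def match_report(configured, reported):
    """Map each reported IANA name to the configured OpenSSL name, or None."""
    by_iana = {openssl_to_iana(c): c for c in configured}
    return {r: by_iana.get(r) for r in reported}


def cbc_suites(configured):
    """Return every configured suite that uses CBC mode."""
    return [c for c in configured if "_CBC_" in openssl_to_iana(c)]


if __name__ == "__main__":
    for iana, ossl in match_report(CONFIGURED, REPORTED).items():
        print(f"{iana} <- {ossl or 'not in configured list'}")
    print("CBC-mode suites in config:", ", ".join(cbc_suites(CONFIGURED)))
```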
