Obsolete encryption method


#1

Hi,

I encountered this issue (in French, which I translated to English) in my address bar:

===========================
Your connection is encrypted using an obsolete encryption method.

The connection uses TLS 1.2

The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the key exchange method.

==================

So what can I do, please?

Kind regards


#2

This issue depends on the web server configuration. Depending on the web server you use, you should configure it so that it uses an appropriate modern cipher and protocol version.

You can see the common recommended settings here: https://cipherli.st/

This issue doesn’t depend on the SSL/TLS certificate itself.


#3

And so what can I do exactly? Where can I change the configuration?

I’m a web developer and I don’t have much knowledge of system configuration.

Apache Server Version : 2.4.10
OpenSSL Version : 1.0.1k

Thanks


#4

Do you have administrative access to your Apache configuration file?


#5

A total of 16 CVEs have been fixed in OpenSSL 1.0.1 since 1.0.1k. https://www.openssl.org/news/openssl-1.0.1-notes.html
A total of 8 CVEs have been fixed in Apache 2.4 since 2.4.10. https://httpd.apache.org/security/vulnerabilities_24.html

Your cipher list may not be your only problem.


#6

Yes, I have administrative access to my Apache configuration file :slightly_smiling:


#7

So what are the other problems?


#8

Well … system updates.


#9

Then review the configuration list for Apache posted at https://cipherli.st/ and apply the configurations that make sense for you.

Specifically, the first 3 lines are the ones that will help to solve the issue.

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On

You can test your SSL setup using https://www.ssllabs.com/ssltest/

A word of warning: take the time to read up on each specific setting; do not blindly copy and paste them, as they can affect your current and future setup for the site and how users will connect to it.

Even if, in your own words, “I’m a web developer and I don’t have much knowledge of system configuration”, this is not the kind of question where you can get a “copy-paste” solution.
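To see what the SSLCipherSuite value quoted above actually permits on a given OpenSSL build, and why SSLHonorCipherOrder On matters, here is an added example (not code from this thread, from Apache or from cipherli.st). It expands the cipher string with Python’s ssl module, which hands it to the same OpenSSL cipher-list parser that mod_ssl uses, and classifies the result. AEAD_ONLY is an assumed stricter variant added here purely for comparison; BROWSER_REPORTED is the OpenSSL name of the suite the browser message describes (ECDHE_RSA key exchange, AES_256_CBC, HMAC-SHA1).

```python
"""Expand an Apache SSLCipherSuite string and see which suites it really allows.

Added example for this thread, not code from the thread, Apache or cipherli.st.
Python's ssl module passes the string to the same OpenSSL cipher-list parser
that mod_ssl calls, so the output is what Apache on that OpenSSL would offer,
in the order that SSLHonorCipherOrder On makes binding. The exact list depends
on the OpenSSL build the script runs on, so run it on the server itself.
"""
import ssl

# The SSLCipherSuite value recommended in the thread (from cipherli.st).
RECOMMENDED = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Assumed stricter variant for comparison only: keep just the two AEAD groups.
AEAD_ONLY = "EECDH+AESGCM:EDH+AESGCM"

# OpenSSL name of the suite the browser warning describes: ECDHE_RSA key
# exchange, AES_256_CBC bulk cipher, HMAC-SHA1 MAC
# (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA in the IANA registry).
BROWSER_REPORTED = "ECDHE-RSA-AES256-SHA"


def expand_cipher_list(cipher_string):
    """Return the TLS 1.2-and-earlier suite names in server preference order.

    OpenSSL configures TLS 1.3 suites through a separate list, so they are
    left out here; SSLCipherSuite as quoted in the thread only governs the rest.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_aead(name):
    """AEAD suites (GCM, CCM, ChaCha20-Poly1305): no CBC padding, no separate HMAC."""
    return any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))


def legacy_suites(names):
    """CBC-mode suites with an HMAC, i.e. the kind the browser warning flags."""
    return [n for n in names if not is_aead(n)]


def check(cipher_string):
    """Summarise what a cipher string permits and how it is ordered."""
    names = expand_cipher_list(cipher_string)
    return {
        "count": len(names),
        "first": names[0],
        # The warning's suite may still be offered; that is harmless only if
        # every AEAD suite is ranked above it and SSLHonorCipherOrder is On,
        # so a browser that supports GCM never ends up negotiating it.
        "still_offers_reported_suite": BROWSER_REPORTED in names,
        "aead_ranked_first": is_aead(names[0]),
        "legacy_suites": legacy_suites(names),
    }


if __name__ == "__main__":
    for label, value in (("recommended", RECOMMENDED), ("aead-only", AEAD_ONLY)):
        r = check(value)
        print(f"{label}: {r['count']} suites, first={r['first']}")
        print(f"  still offers {BROWSER_REPORTED}: {r['still_offers_reported_suite']}")
        print(f"  CBC+HMAC suites: {', '.join(r['legacy_suites']) or 'none'}")
```

On current OpenSSL builds the recommended string still lists ECDHE-RSA-AES256-SHA, the very suite from the warning, because the third group (AES256+EECDH) matches it; it sits below the GCM suites, so the warning disappears for clients that support GCM only as long as the server's order wins. The AEAD_ONLY variant drops the CBC suites entirely, at the cost of older clients that cannot do AES-GCM.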


#11

My OS is Debian, so in which file can I put the above instructions, and where is it located?


#12

Hello @ecdsa-chacha20,

This is really off topic, but… keep in mind that the fact that your Linux distribution is using a specific version doesn’t mean that this version is not being patched to fix CVE vulnerabilities.

Just an example: in the link you posted to Apache CVE vulnerabilities, the last CVE (mod_lua: Crash in websockets PING handling, CVE-2015-0228) was fixed in the official Apache 2.4.16 release, while Debian stable (jessie) uses Apache 2.4.10, but that doesn’t mean it is vulnerable, because this version is being patched to fix this kind of issue. Following this Apache example, Debian fixed it in version 2.4.10-10+deb8u4: https://security-tracker.debian.org/tracker/CVE-2015-0228

Reading your comment, it seems like the OP should raise their arms and start running in circles :smiley:

Anyway, your advice to keep the system updated is worth following.

Cheers,
sahsanu


#13

See also https://mozilla.github.io/server-side-tls/ssl-config-generator/
You enter your server type and version, your OpenSSL version and what kind of configuration you prefer (e.g. do you need to support IE6/XP?), and the site gives you a recommended configuration.
You need to modify some files under /etc/apache2/ and then reload or restart Apache, but please read the documentation until you fully understand what you are doing.
For example, if you enable HSTS by mistake and then disable it, many people won’t be able to access your website anymore.