AES_256_CBC is obsolete

alf2006x · July 20, 2021, 11:05am

My domain is: arfa.travel

I use simple Lets Encrypt certificate. But my website shows me in the cert properties some problem.
Here it is:

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_256_CBC with HMAC-SHA1.

AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

I am not sure that this is certificate problem.
Hope anybody can tell me how to fix this.

Thanx.

PS
resource: https://community.letsencrypt.org/new
uses lets encrypt cert. But it have no any same problem.

petercooperjr · July 20, 2021, 11:13am

You want to configure the cipher suites in your web server to not use obsolete/less-secure protocols.

Some useful resources:

Mozilla's SSL Configuration Generator showing how to configure many types of servers to use their current recommendations
Qualys SSL Server Test

rg305 · July 20, 2021, 12:49pm

What version of certbot are you using?

Osiris · July 20, 2021, 5:10pm

Or more generic: how did you get and how did you install your certificate?

webprofusion · July 21, 2021, 5:55am

Hi,

It looks like you are using IIS, to configure the set of SSL/TLS cipher suites your servers will support requires settings several registry keys. The easiest way to do this is using the IIS Crypt tool: Nartac Software - IIS Crypto -

Select Best Practices to begin with, then unselect any cipher suites you specifically want to remove, apply and restart the server. There is also a 'Strict' template you can apply but you should proceed with caution as deselecting the wrong cipher can disable your ability to use RDP etc depending on your OS version.

system · August 20, 2021, 5:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.