AES_256_CBC is obsolete

My domain is: arfa.travel

I use simple Lets Encrypt certificate. But my website shows me in the cert properties some problem.
Here it is:

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_256_CBC with HMAC-SHA1.

  • AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

I am not sure that this is certificate problem.
Hope anybody can tell me how to fix this.

Thanx.

PS
resource: https://community.letsencrypt.org/new
uses lets encrypt cert. But it have no any same problem.

2 Likes

You want to configure the cipher suites in your web server to not use obsolete/less-secure protocols.

Some useful resources:

3 Likes

What version of certbot are you using?

2 Likes

Or more generic: how did you get and how did you install your certificate?

3 Likes

Hi,

It looks like you are using IIS, to configure the set of SSL/TLS cipher suites your servers will support requires settings several registry keys. The easiest way to do this is using the IIS Crypt tool: Nartac Software - IIS Crypto -

Select Best Practices to begin with, then unselect any cipher suites you specifically want to remove, apply and restart the server. There is also a 'Strict' template you can apply but you should proceed with caution as deselecting the wrong cipher can disable your ability to use RDP etc depending on your OS version.

3 Likes