Can Lets Encrypt Offer an option to not use deprecated crypt cipher suites


#1

Any chance Lets Encrypt could allow for the creation and use of a cert that does not support: SSL 2, 3, TLS 1.0 and 1.1?

Additionally, can we also look at stripping out " TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ( 0xc008 ) ECDH sect571r1 (eq. 15360 bits RSA) FS "?

I understand the need for backward compatibility, but some service do not want to enable the clients to use out of date tech, and it leaves us open to security issues.

thoughts?

thank you for your time ,and consideration.


#2

The use of protocols and cipher suites is controlled exclusively by your web (or other) server configuration, not by your certificate.


#3

Hi @mey, thanks for the question!

Like @danb35 mentioned (thanks!) both the protocol versions and the supported ciphersuites are not properties linked to the certificate.

That said, an ACME client that more directly manages webserver configuration beyond just issuing Certificates could certainly support a feature that would customize the protocol/ciphersuites to limit insecure choices.

As one concrete example, Certbot does this today for Apache/nginx using Mozilla’s “intermediate” server-side TLS recommendations. In the past suggestions to deviate from these settings were recommended to be directed to Mozilla so that the broader Internet community could benefit from the suggestions.

Hope that helps!


#4

Hello,

Granted these can be managed through the conf of the webserver but it would not be needed if the protocol suits were not “compiled” into the underlying certs. This would be helpful, in my mind for people that do not have control over the underlying server, plus it would be handy for organizations and security divisions to simply procure these on behalf of their respective enterprises.

Anyhow, thanks for the input. Much appreciated.


#5

Protocol suites are not compiled into, or in any other way controlled by, the certificate. This is purely a matter of server configuration.


#6

Interesting, that is not my understanding. More research is clearly required, thanks.

M


#7

Hey Folks,

Thanks for the direction on this. I was under a misunderstanding of how things are. A link provided below offers a fairly decent explanation of where Iw as mistaken. Kind regards,

Matt


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.