How to remove some ciphers

winanjaya · April 24, 2018, 10:14am

Hello

how to remove the following ciphers:

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

_az · April 24, 2018, 10:17am

You configure your web server with the relevant configuration parameters.

https://mozilla.github.io/server-side-tls/ssl-config-generator/ may help you.

It’s not a characteristic of your certificates, but an independent web server setting.

Osiris · April 24, 2018, 11:16am

But sometimes certbot installs extra SSL configuration parameters

winanjaya · April 24, 2018, 11:38am

I have followed it … but https://www.ssllabs.com/ssltest/ found some weak ciphers…

please help

winanjaya · April 24, 2018, 11:39am

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder on
SSLOptions +StrictRequire

Add vhost name to log entries:

LogFormat “%h %l %u %t “%r” %>s %b “%{Referer}i” “%{User-agent}i”” vhost_combined
LogFormat “%v %h %l %u %t “%r” %>s %b” vhost_common

_az · April 24, 2018, 11:40am

Which settings did you use on the website? What is your domain?

winanjaya · April 24, 2018, 11:42am

i use /etc/letsencrypt/options-ssl-apache.conf

mail.mtwi.co.id

_az · April 24, 2018, 11:46am

SSL Server Test: mail.mtwi.co.id (Powered by Qualys SSL Labs) - looks OK to me.

If you want to get rid of the "weak ciphers" as reported by ssllabs (you don't really need to), then you would use the "Modern" option on the SSL Config Generator website. However, this is compatible with a smaller number of browsers and devices.

winanjaya · April 24, 2018, 11:51am

but https://www.htbridge.com/ssl/?id=aCXkUPHG result for mail.mtwi.co.id:587

there are some “Non-compliant with PCI DSS requirements”

_az · April 24, 2018, 11:54am

You can get rid of that ciphersuite on your mail server as required. If you are running e.g. Postfix, you can use the tls_high_cipherlist configuration option.

This document provides some guidance for specific mail servers: https://bettercrypto.org/static/applied-crypto-hardening.pdf

winanjaya · April 24, 2018, 12:20pm

thanks a lot!..
I got A now
tomorrow will continue with Dovecot … for IMAPS, POP3S
please share if you had the doc

cheers!

rg305 · April 24, 2018, 9:07pm

The short answer is:
add
:!camellia
to the SSLCipherSuite.
But those 4 are also SHA1, which you might want to also disable.
If so,
add
:!SHA1
to the SSLCipherSuite.

system · May 24, 2018, 9:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.