How to remove some ciphers


How to remove the following ciphers:


You configure your web server with the relevant configuration parameters. may help you.

It’s not a characteristic of your certificates, but an independent web server setting.

But sometimes certbot installs extra SSL configuration parameters :wink:

I have followed it … but found some weak ciphers…

please help

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

SSLHonorCipherOrder on
SSLOptions +StrictRequire

# Add vhost name to log entries:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

Which settings did you use on the website? What is your domain?

I use /etc/letsencrypt/options-ssl-apache.conf

SSL Server Test: (Powered by Qualys SSL Labs) - looks OK to me.

If you want to get rid of the "weak ciphers" as reported by ssllabs (you don't really need to), then you would use the "Modern" option on the SSL Config Generator website. However, this is compatible with a smaller number of browsers and devices.

but result for

there are some “Non-compliant with PCI DSS requirements”

You can get rid of that ciphersuite on your mail server as required. If you are running e.g. Postfix, you can use the tls_high_cipherlist configuration option.

This document provides some guidance for specific mail servers:

Thanks a lot!
I got an A now :slight_smile:
Tomorrow I will continue with Dovecot … for IMAPS, POP3S.
Please share if you have the doc.


The short answer is:
to the SSLCipherSuite.
But those 4 are also SHA1, which you might want to also disable.
If so,
to the SSLCipherSuite.
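As an added example (not code from this thread, from certbot, or from Apache), the sketch below shows one way to check an explicit `SSLCipherSuite` list for SHA1-MAC suites, as mentioned in the last reply, and emit a trimmed directive. The helper names `classify` and `harden` and the sample directive are constructed for illustration; classification is by OpenSSL suite name only, and it assumes the directive lists suite names explicitly rather than relying on group keywords such as `HIGH`.

```python
# Added illustration: audit an Apache SSLCipherSuite line by suite name.
# classify() and harden() are hypothetical helpers, not part of any tool.

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

# Constructed sample directive (not the poster's actual configuration).
SAMPLE = (
    "SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL"
)


def classify(token):
    """Classify one token of an OpenSSL cipher string by its name."""
    if token.startswith(("!", "-", "+", "@")):
        return "directive"      # exclusions and ordering rules, kept as-is
    if any(marker in token for marker in AEAD_MARKERS):
        return "aead"           # the trailing SHA256/SHA384 here is the PRF, not a MAC
    if token.endswith("-SHA"):
        return "sha1-mac"       # non-AEAD suite with HMAC-SHA1
    if token.endswith(("-SHA256", "-SHA384")):
        return "sha2-mac"       # non-AEAD suite with HMAC-SHA2
    return "other"              # group keywords or names this sketch does not know


def harden(line, drop=("sha1-mac",)):
    """Return (new_directive, removed_suites) with the unwanted classes dropped."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "SSLCipherSuite":
        raise ValueError("not an SSLCipherSuite directive")
    tokens = [t for t in parts[1].strip().split(":") if t]
    kept = [t for t in tokens if classify(t) not in drop]
    removed = [t for t in tokens if classify(t) in drop]
    # Refuse to emit a directive that would leave no suite to negotiate.
    if not any(classify(t) != "directive" for t in kept):
        raise ValueError("no cipher suites left after filtering")
    return "SSLCipherSuite " + ":".join(kept), removed


if __name__ == "__main__":
    new_line, removed = harden(SAMPLE)
    print("removed:", ", ".join(removed))
    print(new_line)
```

Passing `drop=("sha1-mac", "sha2-mac")` keeps only AEAD suites, at the cost of compatibility with older clients, as noted above for the "Modern" profile.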

