How to remove some ciphers


#1

Hello,

how do I remove the following ciphers:

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA


#2

You configure your web server with the relevant configuration parameters.

https://mozilla.github.io/server-side-tls/ssl-config-generator/ may help you.

It’s not a characteristic of your certificates, but an independent web server setting.


#3

But sometimes certbot installs extra SSL configuration parameters :wink:


#4

I have followed it … but https://www.ssllabs.com/ssltest/ found some weak ciphers…

Please help.


#5

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder on
SSLOptions +StrictRequire

Add vhost name to log entries:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common


#6

Which settings did you use on the website? What is your domain?


#7

I use /etc/letsencrypt/options-ssl-apache.conf

mail.mtwi.co.id


#8

https://www.ssllabs.com/ssltest/analyze.html?d=mail.mtwi.co.id - looks OK to me.

If you want to get rid of the “weak ciphers” as reported by ssllabs (you don’t really need to), then you would use the “Modern” option on the SSL Config Generator website. However, this is compatible with a smaller number of browsers and devices.


#9

But the https://www.htbridge.com/ssl/?id=aCXkUPHG result for mail.mtwi.co.id:587 shows some items as “Non-compliant with PCI DSS requirements”.


#10

You can get rid of that ciphersuite on your mail server as required. If you are running e.g. Postfix, you can use the tls_high_cipherlist configuration option.

This document provides some guidance for specific mail servers: https://bettercrypto.org/static/applied-crypto-hardening.pdf


#11

Thanks a lot!
I got an A now :slight_smile:
Tomorrow I will continue with Dovecot … for IMAPS, POP3S.
Please share if you have the doc.

cheers!


#12

The short answer is:
add
:!camellia
to the SSLCipherSuite.
But those 4 are also SHA1, which you might want to also disable.
If so,
add
:!SHA1
to the SSLCipherSuite.
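A way to verify what a cipher string actually enables before putting it into Apache (post #5) or a mail server (post #10), and that appending the two exclusions from post #12 really drops every Camellia and SHA-1 HMAC suite. This is an added example, not code from the thread; it uses only Python's standard ssl module, which hands the string to the local OpenSSL, so the resulting list reflects that build. The BASE string "HIGH:!aNULL:!MD5" is a constructed stand-in for whatever the vhost currently uses; the exclusion aliases are written in upper case as OpenSSL documents them.

```python
"""Show which suites an OpenSSL cipher string enables, and confirm that
appending "!CAMELLIA:!SHA1" removes the suites the thread complains about.
Added example; not part of the original thread."""
import ssl

# Constructed stand-in for an existing, fairly permissive SSLCipherSuite value.
BASE = "HIGH:!aNULL:!MD5"

# The SSLCipherSuite value posted in the thread (post #5), kept verbatim.
THREAD_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# The two exclusions suggested in post #12 (OpenSSL alias names, upper case).
EXCLUSIONS = ":!CAMELLIA:!SHA1"


def harden(cipher_string):
    """Append the thread's exclusions to an existing cipher string."""
    return cipher_string + EXCLUSIONS


def allowed_ciphers(cipher_string):
    """Return the OpenSSL suite names the local library enables for this string.

    set_ciphers() raises ssl.SSLError if the string matches nothing at all,
    which is the same failure Apache would report at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def unwanted(names):
    """Suites the thread wants gone: any Camellia suite, and any suite whose
    record MAC is HMAC-SHA1 (OpenSSL names those with a trailing '-SHA').
    TLS 1.3 suites (TLS_..._SHA256/384) name a hash, not an HMAC, and are kept."""
    return [n for n in names if "CAMELLIA" in n or n.endswith("-SHA")]


def removed_by_hardening(cipher_string):
    """Sorted list of suites that the exclusions strip from cipher_string."""
    before = set(allowed_ciphers(cipher_string))
    after = set(allowed_ciphers(harden(cipher_string)))
    return sorted(before - after)


if __name__ == "__main__":
    for label, value in (("constructed base", BASE), ("thread list", THREAD_LIST)):
        print(f"{label}: {len(allowed_ciphers(value))} suites, "
              f"{len(allowed_ciphers(harden(value)))} after hardening")
        for name in removed_by_hardening(value):
            print("  removed:", name)
        print("  still unwanted:", unwanted(allowed_ciphers(harden(value))) or "none")
```

The same check can be run from a shell with `openssl ciphers -v '<string>'`; the point of doing it in code is that the suite list comes from the OpenSSL build the server actually links, which is what a scanner such as ssllabs observes.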


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.