How to remove some ciphers

Hello

How do I remove the following ciphers:

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

You configure your web server with the relevant configuration parameters.

https://mozilla.github.io/server-side-tls/ssl-config-generator/ may help you.

It’s not a characteristic of your certificates, but an independent web server setting.

But sometimes certbot installs extra SSL configuration parameters :wink:

I have followed it … but https://www.ssllabs.com/ssltest/ found some weak ciphers…

Please help.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder on
SSLOptions +StrictRequire

Add vhost name to log entries:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

Which settings did you use on the website? What is your domain?

I use /etc/letsencrypt/options-ssl-apache.conf

mail.mtwi.co.id

SSL Server Test: mail.mtwi.co.id (Powered by Qualys SSL Labs) - looks OK to me.

If you want to get rid of the "weak ciphers" as reported by ssllabs (you don't really need to), then you would use the "Modern" option on the SSL Config Generator website. However, this is compatible with a smaller number of browsers and devices.

But the https://www.htbridge.com/ssl/?id=aCXkUPHG result for mail.mtwi.co.id:587:

There are some "Non-compliant with PCI DSS requirements" entries.

You can get rid of that ciphersuite on your mail server as required. If you are running e.g. Postfix, you can use the tls_high_cipherlist configuration option.

This document provides some guidance for specific mail servers: https://bettercrypto.org/static/applied-crypto-hardening.pdf

Thanks a lot!
I got an A now :slight_smile:
Tomorrow I will continue with Dovecot … for IMAPS, POP3S.
Please share if you have the doc.

cheers!

The short answer is:
add
:!camellia
to the SSLCipherSuite.
But those 4 are also SHA1, which you might want to also disable.
If so,
add
:!SHA1
to the SSLCipherSuite.
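Apache passes the SSLCipherSuite value, and Postfix passes tls_high_cipherlist, straight to OpenSSL's cipher-string parser, so the quickest way to see what a string really leaves negotiable is to feed it to that same parser. The script below is an added example, not code from the thread or from certbot: it uses Python's ssl module (which wraps OpenSSL) to expand the SSLCipherSuite quoted above, lists the suites a scanner would flag (Camellia, SHA-1 HMAC, 3DES), and shows the effect of appending the exclusions from the answer above. OpenSSL compares alias names case-sensitively and silently skips a token it does not recognise, so the exclusions are spelled as the ciphers(1) manual lists them, CAMELLIA and SHA1. The resulting list depends on the OpenSSL build Python is linked against; the function names are this example's own.

```python
"""Expand an OpenSSL cipher string and report the suites scanners flag.

Added example for the thread above (not the thread's or certbot's code).
Works offline: Python's ssl module wraps the same OpenSSL cipher-string
parser that Apache (SSLCipherSuite) and Postfix (tls_high_cipherlist) use.
"""
import ssl
from typing import List

# The SSLCipherSuite value quoted in the thread (certbot's options-ssl-apache.conf).
PAGE_CIPHERSUITE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)


def negotiable(cipher_string: str) -> List[str]:
    """Return the suite names OpenSSL enables for cipher_string.

    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always present; they
    are controlled by a separate setting and never use SHA-1 or Camellia.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_string: str) -> List[str]:
    """Suites in the expanded list that SSL Labs / PCI scanners commonly flag.

    OpenSSL names ending in "-SHA" use an HMAC-SHA1 MAC; "DES-CBC3" is 3DES.
    """
    flagged = []
    for name in negotiable(cipher_string):
        if "CAMELLIA" in name or name.endswith("-SHA") or "DES-CBC3" in name:
            flagged.append(name)
    return flagged


def harden(cipher_string: str) -> str:
    """Append the exclusions from the thread's answer, spelled as ciphers(1)
    lists the aliases (case matters to OpenSSL): CAMELLIA and SHA1."""
    return cipher_string + ":!CAMELLIA:!SHA1"


if __name__ == "__main__":
    print("Flagged before:", weak_suites(PAGE_CIPHERSUITE))
    hardened = harden(PAGE_CIPHERSUITE)
    print("Flagged after :", weak_suites(hardened))
    print("Still offered :", negotiable(hardened))
```

The same expansion can be done from a shell with `openssl ciphers -v '<string>'`, which is handy on the mail server itself. Note that `!SHA1` removes every CBC suite in the quoted list, including the 3DES fallbacks, so clients that only speak those (old Android, Java 6/7, Windows XP era) will no longer connect; that trade-off is exactly the "Modern" versus "Intermediate" choice mentioned earlier in the thread.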
