Let's Encrypt certificates and cipher suites


#1

A month ago I obtained 2 certificates from Let's Encrypt. One is installed on a Windows server and the other one on a Linux server. Both servers work OK with https, i.e. the browsers recognize the certificates without errors.

We also have an interface from the previously mentioned servers to a payment gateway (=external company) and the communication with that gateway does not work properly. The support people from the gateway tell me that our server must support at least 1 (of a list of 6) of their cipher suites, for instance “SSL_RSA_WITH_AES_256_CBC_SHA” or “SSL_RSA_WITH_3DES_EDE_CBC_SHA”. All their cipher suites start with “SSL_…”.

When I use a tool to check our certificates (https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp) I see that all cipher suites enabled on our server start with “TLS_”, for instance “TLS-RSA-WITH-3DES-EDE_CBC-SHA (0x000A)”.
I also noticed that the Linux server has more suites enabled than the Windows server.

So my questions and doubts are:

  1. Can or do Let's Encrypt certificates support cipher suites with “SSL_…”? The process of generating them does not ask anything about cipher suites to be supported.
  2. Do ciphering suites depend on other software installed on the operating system, like extra crypto modules, or…?

Thanks for any help.
/Antoine


#2

Cipher suites are set in your web server configuration. Certificates pretty much work with any cipher suite, independent of how they were issued or who they’re from.

The details depend on your web server. Apache has an SSLCipherSuite directive for this purpose. Nginx has ssl_ciphers. IIS has some registry settings for this purpose. I’ve also seen this tool mentioned a couple of times related to IIS cipher suite configuration. You might also want to check out the Mozilla SSL Configuration Generator as a good starting point for your cipher suites.
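
An added example, not part of the original posts: some TLS stacks (Java's JSSE among them) spell IANA `TLS_` suite names with an `SSL_` prefix, so the gateway's names and the checker's names can refer to the same code point. The sketch below normalises the spellings quoted in this thread, maps them to the code point and the OpenSSL name used in `SSLCipherSuite` / `ssl_ciphers`, and checks whether the local OpenSSL build offers them; the table covers only the two suites named in the thread and the function names are illustrative.

```python
import ssl

# The two suites quoted in the thread: IANA name -> (code point, OpenSSL name).
SUITES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": (0x000A, "DES-CBC3-SHA"),
    "TLS_RSA_WITH_AES_256_CBC_SHA": (0x0035, "AES256-SHA"),
}

def canonical(name):
    """Map 'SSL_...' (Java-style) and dash-separated spellings to the IANA 'TLS_...' name."""
    n = name.strip().upper().replace("-", "_")
    return "TLS_" + n[4:] if n.startswith("SSL_") else n

def lookup(name):
    """Return (code point, OpenSSL name) for a suite name, or None if not in the table."""
    return SUITES.get(canonical(name))

def local_code_points():
    """Code points the local OpenSSL build can offer when all ciphers are requested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers("ALL")  # builds without security-level support
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the IANA code point.
    return {c["id"] & 0xFFFF for c in ctx.get_ciphers()}

def report(names):
    """Per name: (input, canonical name, code point, OpenSSL name, locally available)."""
    have = local_code_points()
    rows = []
    for name in names:
        hit = lookup(name)
        if hit is None:
            rows.append((name, canonical(name), None, None, False))
        else:
            code, ossl = hit
            rows.append((name, canonical(name), code, ossl, code in have))
    return rows

if __name__ == "__main__":
    # Names as spelled by the gateway support and by the checker tool in the thread.
    wanted = ["SSL_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
              "TLS-RSA-WITH-3DES-EDE_CBC-SHA"]
    for raw, canon, code, ossl, ok in report(wanted):
        print(f"{raw:32} -> {canon:30} 0x{code:04X} {ossl:13} local={ok}")
```

The `local` column reflects the OpenSSL build Python is linked against, not the web server's configuration; 3DES in particular may be absent from current builds.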

