Problem with Amazon-Alexa interface – narrow suite of ciphers

My domain is: MIA4ever.de

My web server is (include version):
httpd (Apache2)

The operating system my web server runs on is (include version):
CentOS 7.9.2009

My hosting provider, if applicable, is:
1blu.de

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

I have been using the server MIA4ever.de as an endpoint for Alexa Skills for one year. For a few weeks now, all skills on this server no longer work.

Amazon support identified the reason for the problem as a narrow suite of ciphers.

I checked this and can reproduce the problem. An SSL check shows only four entries in the list:

Activated protocols:
TLS 1.2

available Cipher Suites:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

Another similar server (Ubuntu, but a similar configuration with Let's Encrypt, Apache2 and PHP) still works without a problem, also with Alexa. This server (MIA-System.de) shows many more cipher suites:

Activated protocols:
TLS 1.2

available Cipher Suites:
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

What could be the reason for this? As I said, it worked for several months up to a few weeks ago.

Does anybody have an idea what I can do? And why did the behaviour change with one of the last updates of the certificates?


The certificate has almost no relationship to available cipher suites*, but your ACME client (certbot) may have updated your SSL/TLS configuration.

The cipher suites shown for the first server are pretty good ones, though they require a client with AEAD support. This excludes most TLS implementations older than ~6 years. If Alexa really doesn't support this, yeah, then that's the issue.

The "best" solution would be to ensure that the client can talk AES-GCM, e.g. by applying available software updates client-side. If that's not an option, the server must be configured to allow older - and potentially insecure - cipher suites (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 usually does the trick, unless the client also has no ECC support, in which case you might want to add TLS_DHE_RSA_WITH_AES_128_CBC_SHA256).

*One exception to this: The certificate type (ECDSA vs RSA) determines what signature algorithm is used.


Can they say specifically what cipher suites they support?


Unfortunately this was not part of the answer but I will try to find it out.


I enabled all cipher suites with

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT

in the virtual host configuration, and now it works again!
Thank you for helping


Also consider getting recommendations from

https://ssl-config.mozilla.org/

For increased compatibility, first try "Intermediate", then, if necessary, "Old". It may still be a bit better than enabling everything!

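The thread never shows what the ALL:... string from the fix, or a Mozilla profile, actually expands to on a given OpenSSL build, which is the first thing to check before loosening a cipher list. The script below is an added example, not code from the thread or from Let's Encrypt/Mozilla: it hands each SSLCipherSuite value to the local OpenSSL cipher-list parser through Python's ssl module (set_ciphers/get_ciphers, Python 3.6+), the same parser Apache's mod_ssl uses, and reports which selected suites are non-AEAD (CBC+HMAC, what an old client such as the one described here needs) and which lack forward secrecy (static RSA key exchange). It compares three strings: the value the original poster enabled, the Mozilla Intermediate list for Apache as published in 2020 (copied from memory; treat it as an assumption and take the current version from https://ssl-config.mozilla.org/), and a "targeted" variant that adds only the two CBC-SHA256 suites named in the second reply. One caveat for the last reply's advice: the Intermediate profile is AEAD-only, so on an RSA certificate it expands to essentially the four suites the first server already offered (plus ChaCha20 where OpenSSL supports it) and restores no CBC suite; a client that needs CBC requires the Old profile or an explicit addition like the targeted string. The function names (expand, non_aead, no_forward_secrecy) are this example's own.

```python
"""Expand Apache SSLCipherSuite strings with the local OpenSSL and classify the result.

Added example, not from the thread. ssl.SSLContext.set_ciphers() passes the string to
OpenSSL's cipher-list parser (the one mod_ssl uses), so the expansion matches what
`openssl ciphers -v '<string>'` prints on the same machine. Exact contents depend on
the OpenSSL build (e.g. CHACHA20 suites need OpenSSL >= 1.1.0; CentOS 7 lacks them).
"""
import ssl

# The value the original poster enabled (copied from the thread).
FORUM_STRING = "ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT"

# Mozilla "Intermediate" list for Apache as published in 2020 (assumption: verify
# against https://ssl-config.mozilla.org/ for the current version). AEAD suites only.
INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# Narrower fallback in the spirit of the second reply: Intermediate plus only the
# OpenSSL names of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, instead of re-enabling everything.
TARGETED = INTERMEDIATE + ":ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256"


def expand(cipher_string):
    """Return the cipher dicts OpenSSL selects for cipher_string (TLS 1.2 and below).

    OpenSSL silently ignores tokens it does not know (e.g. SSLv2 on builds without
    it) and only fails, raising ssl.SSLError, when the resulting list is empty.
    TLS 1.3 suites always appear in get_ciphers() and are not governed by
    SSLCipherSuite, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def names(cipher_string):
    """OpenSSL suite names, in the server's preference order."""
    return [c["name"] for c in expand(cipher_string)]


def non_aead(cipher_string):
    """Suites using CBC+HMAC (description has Mac=SHA1/SHA256/SHA384, not Mac=AEAD).

    These are exactly the suites an AEAD-only list lacks and a pre-AEAD client needs.
    """
    return [c["name"] for c in expand(cipher_string)
            if "Mac=AEAD" not in c["description"]]


def no_forward_secrecy(cipher_string):
    """Suites with static RSA key exchange (Kx=RSA): no forward secrecy at all."""
    return [c["name"] for c in expand(cipher_string)
            if "Kx=RSA" in c["description"]]


def summarize(cipher_string):
    """Counts a reviewer wants before approving a cipher string."""
    return {
        "total": len(expand(cipher_string)),
        "non_aead": len(non_aead(cipher_string)),
        "no_forward_secrecy": len(no_forward_secrecy(cipher_string)),
    }


if __name__ == "__main__":
    for label, value in (("forum", FORUM_STRING),
                         ("intermediate", INTERMEDIATE),
                         ("targeted", TARGETED)):
        print(label, summarize(value))
        print("  non-AEAD:", ", ".join(non_aead(value)) or "(none)")
        print("  no FS:   ", ", ".join(no_forward_secrecy(value)) or "(none)")
```

Run it on the Apache host itself (the system Python links against the same OpenSSL as mod_ssl, or use `openssl ciphers -v` with the same string) so the expansion reflects the library Apache will actually use. The point of the comparison is that the ALL:... string re-enables static-RSA suites such as AES128-SHA, which give up forward secrecy, while the targeted string adds only two CBC-SHA256 suites and keeps every suite ephemeral.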
