Repercussions of removing specific cipher?

mushu · July 24, 2018, 6:55pm

Windows Server 2016 IIS 10

Can anyone provide a source for the repercussions of removing this single non-compliant TLSv1.1 cipher please?

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : Good configuration
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : Good configuration
TLS_RSA_WITH_AES_256_CBC_SHA : Good configuration
TLS_RSA_WITH_AES_128_CBC_SHA : Good configuration
TLS_RSA_WITH_3DES_EDE_CBC_SHA : Non-compliant with PCI DSS requirements

I really don’t want to remove it and find out later that a whole class of browsers can no longer access our website…
TIA!

schoen · July 24, 2018, 7:00pm

@mushu, a quick way to check would be to remove it temporarily and then run the SSL Labs scan against your site, which simulates browser compatibility and will give you a report about browsers that are expected to be compatible.

(I’m sure there’s other documentation about this somewhere, though.)

mushu · July 24, 2018, 7:02pm

I thought of that (the ol’ helpdesk classic “shut down a service in order to see who cries about it”) but unfortunately this is Windows and requires a server reboot each time the ciphers are modified because, yep, they’re stored in the Registry and only read once at startup. Ugh.

rg305 · July 24, 2018, 7:04pm

I have not seen anything that specifically requires TLSv1.1
However, “TLS_RSA_WITH_3DES_EDE_CBC_SHA” is NOT specific to TLSv1.1 - it can also be used by TLSv1.0 and TLSv1.2.
So, that changes your question (in my mind) to: What are the repercussions of removing “TLS_RSA_WITH_3DES_EDE_CBC_SHA” cipher?
That would depend entirely on your client base and no one outside your organization would be able to know that for certain.
You could take steps to determine if that cipher is even being used, and if so, by which devices (IPs).
You could ensure the server enforces cipher prefence order and move 3DES down to last.
Then ensure your web logs include the cipher in use.
Then simple filter through the logs for lines with 3DES.
From there you can make an more educated decision about the possible repercussions.

schoen · July 24, 2018, 7:09pm

Well, it might still only take about 5 minutes in all and maybe you could do it at a time of low server utilization?

I found that they do have a chart of the underlying data at

https://www.ssllabs.com/ssltest/clients.html

although it’s not organized the way you would want, so it might be a little tedious to use it to answer your question.

@rg305’s experimental approach also seems helpful since it would give empirical data from your own site.

mushu · July 24, 2018, 7:24pm

Ahh. Great idea to log the cipher! I've already disabled TLSv1.0 and SSL2/3 entirely so there's that. Plus, it is literally the very last cipher in the server list so will be the last one tried. I can't remember why I kept it in, I think because we still need to support IE 8 unfortunately. So perhaps that's my answer...appreciate the discussion!

system · August 23, 2018, 7:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.