
I am trying to correct weak encryption in TLS. When I run a test in SSL Labs, it reports weak encryption for the following cipher suites:

Current Configuration:

SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!AES128:!SHA1

Cipher Suite TLS 1.2 - Weak:

  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK

OHS Version: Oracle-HTTP-Server-11g/11.1.1.9.0 (Unix) mod_ssl/11.1.1.9.0

I tried to solve it with:

SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!AES128:!SHA1:!SHA256:!SHA384

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!AES128:!SHA1:!TLS_RSA_WITH_AES_256_CBC_SHA256:!TLS_RSA_WITH_AES_256_GCM_SHA384

None of these settings worked for my SSL configuration in OHS.

Has anyone eliminated these two weak-encryption issues?

Ventur

2 Answers


The ciphers are considered weak by SSLLabs since they use RSA key exchange which provides no forward secrecy. To disable RSA key exchange in your ciphers add `!kRSA`. In general, just use the Mozilla SSL Configuration Generator to give you a secure setting.

Steffen Ullrich
  • To add to this, ciphers that support forward secrecy will contain "DHE" or "ECDHE". – Joseph Sible-Reinstate Monica Nov 06 '18 at 17:00
  • I tried `SSLCipherSuite HIGH:ECDHE:!MEDIUM:!LOW:!aNULL:!eNULL:!AES128:!SHA1:!kRSA`, which did not work; after removing the last parameter `!kRSA` the configuration works. Now testing with SSL Labs. – Ventur Nov 06 '18 at 17:30
  • Current configuration: `SSLCipherSuite HIGH:ECDHE:!MEDIUM:!LOW:!aNULL:!eNULL:!AES128:!SHA1`, with the `ECDHE` parameter added. – Ventur Nov 06 '18 at 17:31
  • @Ventur: what exactly do you mean by *"not working"*? Failure to start, SSLLabs shows only errors, unable to connect with a browser, unable to connect with a specific client, or what? Also, adding ECDHE (your next try) does not remove the ciphers with RSA key exchange. – Steffen Ullrich Nov 06 '18 at 17:42
  • @SteffenUllrich By not working I mean the browser is unable to connect; the web page is not displayed if I add `!kRSA`. – Ventur Nov 06 '18 at 17:50
  • @Ventur: What kind of browser did you try? What does SSLLabs say if you add `!kRSA`? – Steffen Ullrich Nov 06 '18 at 18:03
  • @SteffenUllrich I tried IE 11 and Google Chrome Version 67.0.3396.87 (Official Build) (32-bit), and the page can't be displayed with `!kRSA`. I will just run the test in SSL Labs. – Ventur Nov 06 '18 at 18:12
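As an added example (not part of the answer above), the following script checks a cipher string the way SSL Labs reasons about it: it classifies suites by key-exchange algorithm and shows that appending `!kRSA` removes every static-RSA suite from the configuration in the question. It assumes the local OpenSSL build (via Python's `ssl` module) interprets the `SSLCipherSuite` string the same way the server's mod_ssl does; the IANA names come from the question.

```python
import re
import ssl

# Constructed sample input: the two suites SSL Labs flagged in the question (IANA names).
FLAGGED = ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]

# The questioner's original cipher string and the same string with the answer's fix.
ORIGINAL = "HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!AES128:!SHA1"
FIXED = ORIGINAL + ":!kRSA"


def has_forward_secrecy(name: str) -> bool:
    """Name-based check, valid for IANA names (TLS_RSA_WITH_...) and OpenSSL names
    (ECDHE-RSA-...): ephemeral (EC)DH key exchange gives forward secrecy, static RSA
    or static (EC)DH key exchange does not. EDH/EECDH are older OpenSSL spellings."""
    return re.search(r"(ECDHE|DHE|EDH|EECDH)", name.upper().replace("_", "-")) is not None


def no_forward_secrecy(names: list) -> list:
    """Suites SSL Labs would mark WEAK for lacking forward secrecy."""
    return [n for n in names if not has_forward_secrecy(n)]


def expand(cipher_string: str) -> list:
    """Ask the local OpenSSL build which suites an SSLCipherSuite-style string selects.
    Assumption: the server's mod_ssl resolves the string the same way."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()        # dicts with 'name', 'protocol', 'kea', ...


def rsa_key_exchange(suites: list) -> list:
    """Names of selected suites whose key exchange is static RSA ('kx-rsa')."""
    return [s["name"] for s in suites if s["kea"] == "kx-rsa"]


if __name__ == "__main__":
    print("Flagged by name:", no_forward_secrecy(FLAGGED))
    print("Static-RSA suites in original string:", rsa_key_exchange(expand(ORIGINAL)))
    print("Static-RSA suites after !kRSA:", rsa_key_exchange(expand(FIXED)))
```

If the `!kRSA` variant breaks browser connections, compare `expand(FIXED)` against the suites the server actually offers: the remaining ECDHE/DHE suites need a certificate whose key usage permits signing, as the second answer explains.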

If those ciphers are not working while RSA is, then you may have the wrong certificate. If the key usage of the certificate only allows encryption (needed for RSA-based key establishment in the TLS_RSA_ ciphers) then it won't work for RSA-based authentication, which requires the signature-generation key usage (needed for RSA-based authentication in the TLS_DHE_ and TLS_ECDHE_ ciphers).

You may have to re-apply for a certificate, preferably using a new key pair - you may not want to mix key usages in general, which is why the key usage is in the cert in the first place.

Maarten Bodewes