18

I have just performed a test on my personal webiste via SSLlabs.com and I'm apparently supporting some weaker ciphers. I've managed to improve several settings (like CAA), but I'm getting stuck at the ciphers.
I've been looking around a bit, but can't really find a method to determine which can be disabled, and which should remain allowed.

Is there a method I can apply, or some check, or a list of current smart config? I'm assuming I can't just turn of all ciphers marked 'weak' if I want at least a mayority support (It's a private server for some small projects, you may assume modern hard-/software accesses it).

If it helps, this is the list:

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)    ECDH x25519 (eq. 3072 bits RSA)   FS            256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)          ECDH x25519 (eq. 3072 bits RSA)   FS            128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)          ECDH x25519 (eq. 3072 bits RSA)   FS            256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)              DH 2048 bits   FS                               128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)              DH 2048 bits   FS                               256

// All below are weak
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)          ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK     128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)          ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK     256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)             ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK     128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)             ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK     256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)              DH 2048 bits   FS   WEAK                        128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)                 DH 2048 bits   FS   WEAK                        128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)              DH 2048 bits   FS   WEAK                        256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)                 DH 2048 bits   FS   WEAK                        256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK                                                           128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK                                                           256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK                                                           128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK                                                           256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK                                                              128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK                                                              256
Martijn
  • 359
  • 1
  • 2
  • 9
  • Yeah, I was concidering that. But I dont require help on which files to find and to edit, I only need to know how to decide which ciphers are secure :) Which why I though this site would be better. – Martijn May 14 '19 at 11:25
  • 2
    The [Mozilla wiki](https://wiki.mozilla.org/Security/Server_Side_TLS) has recommendations with compatibility indications. – Sjoerd May 14 '19 at 11:27
  • Thanks Sjoerd, they link to a handy tool which I set to 'Modern' – Martijn May 14 '19 at 12:17
  • @Martijn I may have misinterpreted the intent of your question. I apologize for that. –  May 14 '19 at 13:17
  • 1
    I used to follow the advice of various online guides, but, they are /constantly/ out of date. Most still aren't even updated for TLSv1.3. So now, instead, I simply copy what google.com does, which I presume offers a good tradeoff between security and compatibility: https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=172.217.0.46&latest – niemiro May 14 '19 at 21:02
  • [Direct link to Mozilla's SSL Config tool](https://mozilla.github.io/server-side-tls/ssl-config-generator/) – Theron Luhn May 14 '19 at 22:20

1 Answers1

18

The required cipher suites depends entirely on the clients that are expected to use the service. As SSL Server Test from Qualys SSL Labs is designed for testing publicly accessible web servers, we can assume this is a web application. All current versions of major browsers are able to handle TLS 1.2+ with the recommended cipher suites from RFC 7525, 4.2, making it a good starting point for a highly secure configuration:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) 
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)

Then, from the SSL Labs report, the Handshake Simulation section is handy tool for detecting the common clients you can't serve with these cipher suites alone:

Handshake Simulation

If you e.g. wish to server older Apple devices with Safari, the best cipher suite available for them is:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH secp256r1 (eq. 3072 bits RSA)   FS  WEAK

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 added

From the list that leaves... who is using a Windows 8.1 Phone anyway. ;)

Likewise, if you need additional browsers or devices supported, you could use the browser test for figuring out a suitable cipher suite. Also notice that the variants using (Cipher Block Chaining) CBC mode aren't weak in themselves, but SSL Labs considers them weak because of the many vulnerable implementations.

Community
  • 1
Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
  • So you've checked the current good support TLS version, and in the specs checked the mathing ciphers. And than added the older Apple one? If I enabled that, doesnt that mean my whole security is as strong as that weak cipher? – Martijn May 14 '19 at 12:14
  • Correct, by enabling the CBC cipher suite you weaken the security. Enable it only if you need to support clients that don't support an AEAD like AESGCM and ChaCha20Poly1305. – Z.T. May 14 '19 at 12:36
  • 2
    It's worth noting that if you're configuring Windows/IIS servers, you also need to consider which services your server is a _client_ to. Like, is it accesssing an old SQL Server instance? I once got burned when my web app died after I disabled 3DES, which was still needed to access a DBMS that hadn't yet been upgraded. – Roy Tinker May 14 '19 at 17:49