Is there any update to the article on disabling weak ciphers? The article is from 2013. I am trying to disable weak ciphers for our upcoming SOC audit. I have disabled TLS 1.0 and 1.1, enabled FIPS mode and set the cipher list to default. But a test still shows several weak ciphers enabled.
Is there another article I am missing which shows the syntax for actually specifying the ciphers which will be enabled, and what ciphers are supported?
Disabling Weak Ciphers - Windows version
- Site Admin
- Posts: 2082
- Joined: Tue Sep 29, 2009 6:09 am
Re: Disabling Weak Ciphers - Windows version
The recommended OpenSSL cipher list is:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

I think those ciphers have no problem for HTTPS/FTPS. Do you mean the ciphers for the SFTP (SSH) protocol? If so, you may use the following ciphers/algorithms:

SFTP Key Exchange Algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
SFTP Encryption Algorithms: aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305@openssh.com
SFTP MAC Algorithms: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
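An added check, not from this thread or the server product's own code, that expands the OpenSSL cipher string above with Python's ssl module and flags any suite an audit scanner would report as weak (no forward secrecy, non-AEAD/CBC, or a legacy primitive). The suite-name heuristics in classify() are this example's own assumption; the expanded list depends on the local OpenSSL build.

```python
import ssl

# OpenSSL cipher string recommended in the thread for HTTPS/FTPS.
RECOMMENDED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)

# Substrings of an OpenSSL suite name that mark a broken or legacy primitive
# (assumed list for this example; DES also matches 3DES / DES-CBC3).
LEGACY = ("RC4", "DES", "NULL", "EXP", "MD5", "SEED", "IDEA", "ADH", "AECDH")
AEAD = ("GCM", "CCM", "POLY1305")


def classify(name):
    """Return the reasons an OpenSSL suite name would be reported as weak.

    An empty list means the suite has forward secrecy, is AEAD and uses no
    legacy primitive. TLS 1.3 suites (TLS_...) satisfy all three by design.
    """
    if name.startswith("TLS_"):
        return []
    reasons = [f"legacy primitive {m}" for m in LEGACY if m in name]
    if not name.startswith(("ECDHE-", "DHE-")):
        reasons.append("no forward secrecy (static key exchange)")
    if not any(a in name for a in AEAD):
        reasons.append("not AEAD (CBC or stream mode)")
    return reasons


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the suite names this build enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises SSLError on a syntax error or empty result
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Map every enabled suite to its weakness reasons (empty list = acceptable)."""
    return {name: classify(name) for name in expand(cipher_string)}


if __name__ == "__main__":
    for suite, reasons in audit(RECOMMENDED).items():
        print(f"{suite:40s} {'OK' if not reasons else '; '.join(reasons)}")
```

Running audit() on the string you actually configured is a quick way to reconcile what the server will offer with what IISCrypto or SSL Labs reports, since those tools list suites under IANA names rather than OpenSSL names.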
- Posts: 2
- Joined: Tue Nov 09, 2021 4:47 pm
Re: Disabling Weak Ciphers - Windows version
My apologies for not being more specific. Yes, I was referring to the OpenSSL ciphers. I applied your suggested list and that seems to have done the trick as far as the test results. Thank you very much!
Is there someplace that I missed where the exact syntax of those selections is documented? I tried to cobble something like that together on my own from the cipher list shown in an IISCrypto scan and the SSL Labs server test site, but things didn't match up.
- Site Admin
- Posts: 2082
- Joined: Tue Sep 29, 2009 6:09 am
Re: Disabling Weak Ciphers - Windows version
You may take a look at this cipher suite table; just check the green (Modern) ciphers for OpenSSL:
https://wiki.mozilla.org/Security/Ciphe ... patibility