Strong Cipher vs Weak Cipher
Hi,
1) Since CBC is a weak cipher, does this mean all the items from 2 to 12 should be removed? If not, please help to advise.
Also, what do (0x3d) and (0x84) in items 4 and 5 respectively mean?
1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 bit
2) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc02) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 bit
3) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 bit
4) TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 bit; TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 bit
5) TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 bit; TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256 bit
6) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
7) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
8) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
9) TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 bit; TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 bit
10) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 bit; TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128 bit
11) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
12) TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 bit
Comments
-
NavyMooseCCNA Member Posts: 544 ■■■■□□□□□□
Hi,
1) Since CBC is a weak cipher, does this mean all the items from 2 to 12 should be removed? If not, please help to advise.
Also, what do (0x3d) and (0x84) in items 4 and 5 respectively mean?
1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 bit
2) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc02) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 bit
3) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 bit
4) TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 bit; TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 bit
5) TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 bit; TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256 bit
6) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
7) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
8) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
9) TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 bit; TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 bit
10) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 bit; TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128 bit
11) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
12) TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 bit
'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill
-
Стрелок Member Posts: 6 ■□□□□□□□□□
-
beads Member Posts: 1,533 ■■■■■■■■■□
61 and 132, converted from hex, but I have little idea where your list is from or the format. Calling something a 'weak cipher' simply means that the code is now easily broken by a machine. Keep this in mind: the original DES did very well, lasting 15 years before being broken. Some ciphers have lasted as little as a few months.
I have a list somewhere on a home machine that makes for interesting reading but the trend should be going back up now that we are in an age of 512, 1024 and 2048 if not 4096 length chains.
- b/eads -
Mike7 Member Posts: 1,107 ■■■■□□□□□□
If you disable CBC ciphers, you are only left with AES-GCM on TLS 1.2.
Do you have any web clients such as IE/Win7 or Android 4.x that do not support TLS 1.2 and/or AES-GCM?
There is a pretty good SSL configuration guide on SSLLabs. You can post your question to their forum at https://community.qualys.com
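As an added example (not part of any post in this thread), the script below parses the cipher list from the opening post and sorts it the way the replies suggest. The hex value in parentheses is the IANA cipher-suite code point, the two bytes that identify the suite in ClientHello and ServerHello (0x3d is bytes 0x00,0x3d, decimal 61; 0x84 is 0x00,0x84, decimal 132). Each suite is then judged on three things: its key exchange (ECDHE gives forward secrecy, static RSA does not), its mode (GCM is AEAD; CBC is MAC-then-encrypt with a padding-oracle history) and its block cipher (3DES has a 64-bit block). The input is transcribed from the post; item 2's code point is printed truncated as 0xc02 on the page, and the script uses the IANA value 0xc028 for that suite. The helper names (`parse`, `classify`, `audit`, `describe_code`) are this example's own.

```python
"""Sort a TLS 1.2 cipher-suite list (IANA name + hex code point, as in the
post above) into keep / legacy-only / drop, with the reason for each."""
import re
from dataclasses import dataclass

# Constructed input for this example: the post's twelve items, one suite per
# line.  Item 2 is printed as a truncated "0xc02" on the page; 0xc028 is the
# IANA code point for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.
SUITE_LIST = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
"""

LINE_RE = re.compile(r"(TLS_[A-Z0-9_]+)\s*\(0x([0-9a-fA-F]{1,4})\)")
# IANA naming: TLS_<key exchange>_WITH_<bulk cipher and mode>_<MAC/PRF hash>
NAME_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+(?:_[A-Z]+)?)_WITH_(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)


@dataclass
class Suite:
    name: str
    code: int      # 16-bit IANA code point, e.g. 0x003d
    kx: str        # key exchange / authentication, e.g. ECDHE_RSA or RSA
    cipher: str    # bulk cipher and mode, e.g. AES_256_CBC
    mac: str       # record MAC / PRF hash

    @property
    def code_bytes(self):
        """The two bytes that carry this suite in ClientHello / ServerHello."""
        return (self.code >> 8, self.code & 0xFF)

    @property
    def strength_bits(self):
        if self.cipher.startswith("3DES"):
            return 112   # 168-bit key, 112-bit effective (meet-in-the-middle)
        m = re.search(r"_(\d+)_", self.cipher)
        return int(m.group(1)) if m else 0


def parse(text):
    suites = []
    for name, hexcode in LINE_RE.findall(text):
        m = NAME_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised suite name: {name}")
        suites.append(Suite(name, int(hexcode, 16), **m.groupdict()))
    return suites


def classify(suite):
    """Return (verdict, reasons).  'keep' = ECDHE + AEAD; 'drop' = 3DES;
    'legacy-only' = everything else, kept only while old clients need it."""
    reasons = []
    if suite.kx == "RSA":
        reasons.append("static RSA key exchange: no forward secrecy, a leaked "
                       "server key decrypts recorded sessions")
    if suite.cipher.startswith("3DES"):
        reasons.append("3DES: 64-bit block (Sweet32), 112-bit effective strength")
        return "drop", reasons
    if "_CBC" in suite.cipher:
        reasons.append("CBC with MAC-then-encrypt: padding-oracle class attacks "
                       "(Lucky 13); prefer an AEAD suite (GCM)")
    return ("keep" if not reasons else "legacy-only"), reasons


def describe_code(code):
    """Explain a code point the way the question asks: hex, wire bytes, decimal."""
    hi, lo = code >> 8, code & 0xFF
    return f"0x{code:04x} = bytes 0x{hi:02x},0x{lo:02x} = {code} decimal"


def audit(text):
    """Group suite names by verdict, preserving the input order."""
    groups = {"keep": [], "legacy-only": [], "drop": []}
    for s in parse(text):
        verdict, _ = classify(s)
        groups[verdict].append(s.name)
    return groups


if __name__ == "__main__":
    for s in parse(SUITE_LIST):
        verdict, reasons = classify(s)
        print(f"{verdict:11} {s.name:42} {describe_code(s.code):38} {s.strength_bits} bit")
        for r in reasons:
            print(f"            - {r}")
```

Running it prints one line per suite with its reasons. Only the two ECDHE AES-GCM suites come out as `keep`, the two 3DES suites as `drop`, and the remaining twelve (every CBC suite and every static-RSA suite, including the static-RSA GCM ones) as `legacy-only`. That last group is the compatibility trade-off raised above: they can go as soon as no client that lacks TLS 1.2 with AES-GCM still matters, and the ECDHE CBC suites are the ones to keep longest if some must stay.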