Strong Cipher vs Weak Cipher
Hi,
1) Since CBC is a weak cipher, does these means all the item from 2 to 12 should be removed? If no, please help to advise.
Also, what does (0x3d) and (0x84) in item 4 and 5 respectively means?
1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS
2) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc02) ECDH secp256r1 (eq. 3072 bits RSA) FS
3) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
4) 256TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
5) 256TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
6) 256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
7) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
8. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
9)TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128 bit
10) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)128 bit
11) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
12) TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 bit
1) Since CBC is a weak cipher, does these means all the item from 2 to 12 should be removed? If no, please help to advise.
Also, what does (0x3d) and (0x84) in item 4 and 5 respectively means?
1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS
2) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc02) ECDH secp256r1 (eq. 3072 bits RSA) FS
3) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
4) 256TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
5) 256TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
6) 256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
7) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
8. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
9)TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128 bit
10) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)128 bit
11) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
12) TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 bit
Comments
-
NavyMooseCCNA Member Posts: 544 ■■■■□□□□□□Hi,
1) Since CBC is a weak cipher, does these means all the item from 2 to 12 should be removed? If no, please help to advise.
Also, what does (0x3d) and (0x84) in item 4 and 5 respectively means?
1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS
2) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc02ECDH secp256r1 (eq. 3072 bits RSA) FS
3) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
4) 256TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
5) 256TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
6) 256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
7) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
9)TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128 bit
10) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)128 bit
11) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
12) TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 bit'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchil
-
Стрелок Member Posts: 6 ■□□□□□□□□□
-
beads Member Posts: 1,533 ■■■■■■■■■□61 and 132 in from hex but I have little idea where your list is from or the format. Calling something a 'weak cipher' simply means that the code is now easily broken by a machine. Keep this in mind, the original DES did very well lasting 15 years before being broken. Some ciphers have lasted as little as a few months.
I have a list somewhere on a home machine that makes for interesting reading but the trend should be going back up now that we are in an age of 512, 1024 and 2048 if not 4096 length chains.
- b/eads -
Mike7 Member Posts: 1,112 ■■■■□□□□□□If you disable CBC ciphers, you are only left with AES-GCM on TLS 1.2.
Do you have any web clients such as IE/Win7 or Android 4.x that does not support TLS 1.2 and/or AES-GCM?
There is a pretty good SSL configuration guide on SSLLabs. You can post your question to their forum at https://community.qualys.com