Strong Cipher vs Weak Cipher

RimmiRimmi Member Posts: 22 ■□□□□□□□□□
Hi,

1) Since CBC is a weak cipher, does these means all the item from 2 to 12 should be removed? If no, please help to advise.
Also, what does (0x3d) and (0x84) in item 4 and 5 respectively means?



1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS

2) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc02) ECDH secp256r1 (eq. 3072 bits RSA) FS

3) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS

4) 256TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

5) 256TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)

6) 256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit

7) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit
8. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit

9)TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128 bit

10) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)128 bit

11) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit

12) TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 bit

Comments

  • NavyMooseCCNANavyMooseCCNA Member Posts: 544 ■■■■□□□□□□
    Rimmi wrote: »
    Hi,

    1) Since CBC is a weak cipher, does these means all the item from 2 to 12 should be removed? If no, please help to advise.
    Also, what does (0x3d) and (0x84) in item 4 and 5 respectively means?



    1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS

    2) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc02icon_cool.gifECDH secp256r1 (eq. 3072 bits RSA) FS

    3) 256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS

    4) 256TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

    5) 256TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)

    6) 256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit

    7) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit

    icon_cool.gifTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit

    9)TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128 bit

    10) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)128 bit

    11) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 128 bit

    12) TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 bit
    Can you please edit and remove the emojis?

    'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchil

  • beadsbeads Member Posts: 1,531 ■■■■■■■■■□
    61 and 132 in from hex but I have little idea where your list is from or the format. Calling something a 'weak cipher' simply means that the code is now easily broken by a machine. Keep this in mind, the original DES did very well lasting 15 years before being broken. Some ciphers have lasted as little as a few months.

    I have a list somewhere on a home machine that makes for interesting reading but the trend should be going back up now that we are in an age of 512, 1024 and 2048 if not 4096 length chains.

    - b/eads
  • RimmiRimmi Member Posts: 22 ■□□□□□□□□□
    The list I scan a website and got from SSL Lab.
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    If you disable CBC ciphers, you are only left with AES-GCM on TLS 1.2.
    Do you have any web clients such as IE/Win7 or Android 4.x that does not support TLS 1.2 and/or AES-GCM?

    There is a pretty good SSL configuration guide on SSLLabs. You can post your question to their forum at https://community.qualys.com
Sign In or Register to comment.