Open mattwwarren opened 6 years ago
Pretty sure this repository is just for Cloudflare to open-source their config and patches, and that they don't take contributions (except for a few updated patches).
Not necessarily expecting the change to happen but considering that they position themselves as a global leader in internet security, I was curious to hear their opinion on deprecating the ciphers.
What do you think about this method?
Weak ciphers apply only to TLSv1.
Ex) https://www.ssllabs.com/ssltest/analyze.html?d=hakase.io
I'm also seeing weak ciphers on TLS 1.2:
| Cipher suite | Bits |
|---|---|
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK | 128 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK | 128 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK | 128 |
| TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK | 128 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK | 256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK | 256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK | 256 |
| TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK | 256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK | |
Any plan to handle it?
Any news about this?
Hi! While we do sometimes remove ciphers completely, we try to have defaults that are as backward compatible as possible (i.e. towards devices where the weak ciphers are the best they have). This config is the default for us though; we currently allow customers to change the minimum TLS version or restrict the ciphers offered on their zone to a subset of the ones that we support: https://developers.cloudflare.com/ssl/ssl-tls/cipher-suites/#disable-cipher-suites. Some take advantage of this for policy reasons, others to boost their SSL Labs score.
The following ciphers have been marked as Weak by SSL Labs and while it does not result in a lower grade, I wanted to get Cloudflare's opinion on deprecating support for these ciphers:
I believe this would require removing the following from `ssl_ciphers`: RSA+AES128 and RSA+AES256

Thanks in advance!
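An added example, not part of the thread or of Cloudflare's configuration: it checks which of the suites quoted above from SSL Labs would be covered by removing `RSA+AES128` and `RSA+AES256`, and which flagged suites would still be offered. It assumes the OpenSSL-style meaning of the selectors (`RSA` = static RSA key exchange, `AES128`/`AES256` = AES of that key size in any mode) and that the "WEAK" label comes from missing forward secrecy or CBC mode; the function names are hypothetical.

```python
import re

# Suite names copied from the SSL Labs rows quoted in the thread.
FLAGGED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

NAME_RE = re.compile(
    r"^TLS_(?P<kx>.+)_WITH_AES_(?P<bits>128|256)_(?P<mode>CBC|GCM)_SHA\d*$")

def parse(name):
    """Split an IANA suite name into the properties the selectors act on."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unsupported suite name: {name}")
    return {"static_rsa": m["kx"] == "RSA",   # TLS_RSA_WITH_* has no (EC)DHE
            "bits": int(m["bits"]), "mode": m["mode"]}

def weak_reasons(name):
    """Assumed reasons for the WEAK label: no forward secrecy and/or CBC."""
    s = parse(name)
    reasons = []
    if s["static_rsa"]:
        reasons.append("no forward secrecy")
    if s["mode"] == "CBC":
        reasons.append("CBC mode")
    return reasons

def matches(selector, name):
    """True if every '+'-joined term of the selector applies (assumed semantics)."""
    s = parse(name)
    for term in selector.split("+"):
        if term == "RSA":
            ok = s["static_rsa"]
        elif term in ("AES128", "AES256"):
            ok = s["bits"] == int(term[3:])
        else:
            raise ValueError(f"unsupported selector term: {term}")
        if not ok:
            return False
    return True

def split_by_removal(selectors, suites=FLAGGED):
    """Return (suites the removal drops, flagged suites still offered)."""
    removed = [n for n in suites if any(matches(s, n) for s in selectors)]
    return removed, [n for n in suites if n not in removed]

if __name__ == "__main__":
    removed, remaining = split_by_removal(["RSA+AES128", "RSA+AES256"])
    for n in FLAGGED:
        print("removed" if n in removed else "kept   ", n, weak_reasons(n))
```

Under these assumptions the two selectors cover the six static-RSA suites, while the four ECDHE-RSA CBC suites remain and would need a separate change.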