Disable Triple DES in TLS cipher suites

There are issues with aging 64-bit ciphers like Triple DES and we should disable them eventually. I logged the TLS ciphers negotiated on one of our busier hosts, and here are some numbers after seven days:

# zgrep "DES-CBC3" /var/log/nginx/site-access-ssl.log* | wc -l
217
# zcat -f -- /var/log/nginx/site-access-ssl.log* | wc -l
1164376

So, in other words, 0.02% of TLS connections are using Triple DES, mostly from weird user agents like:

Dorado WAP-Browser/1.0.0/powerplay/2
Vodafone/1.0/LG-KU990i/V10c Browser/Obigo-Q05A/3.6 MMS/LG-MMS-V1.0/1.2 Java/ASVM/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; BIDUBrowser 2.x)
Googlebot/2.1 (+http://www.googlebot.com/bot.html)
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Mozilla/5.0 (LG-T375 AppleWebkit/531 Browser/Phantom/V2.0 Widget/LGMW/3.0 MMS/LG-MMS-V1.0/1.2 Java/ASVM/1.1 Profile/MIDP-2.1 Configuration/CLDC-1.1)
Nokia7610/2.0 (5.0509.0) SymbianOS/7.0s Series60/2.1 Profile/MIDP-2.0 Configuration/CLDC-1.0

It's not urgent, but I'm leaving this here so we can act on it in a few months.

ilri / rmg-ansible-public

Disable Triple DES in TLS cipher suites #56