Forum Discussion

js_168189
Nimbostratus
Sep 06, 2017

Disable TLS1.2 weak ciphers

I have a website with an SSL client profile forcing TLS 1.2. We had a security audit performed and I was notified that we have some weak TLS1.2 ciphers enabled. In particular, the following came up on the scan:

- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - looks like this is DH group 5 1024, which is why it is considered weak
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - looks like this is DH group 5 1024, which is why it is considered weak
- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - looks like anon DH exchange is insecure here
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - this is probably due to 3DES
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - looks like this is DH group 5 1024, which is why it is considered weak
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - looks like this is DH group 5 1024, which is why it is considered weak
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - looks like this is DH group 5 1024, which is why it is considered weak
- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - looks like anon DH exchange is insecure here
- TLS_DHE_RSA_WITH_RC4_128_SHA - looks like this is RC4, which is why it is considered weak
- TLS_DHE_RSA_WITH_RC4_128_MD5 - looks like this is RC4, which is why it is considered weak
- TLS_DHE_RSA_WITH_DES_CBC_SHA - looks like this is DES, which is why it is considered weak

First, I believe it is safe to disable RC4, 3DES, and DES completely. Can I do this by putting the following in the SSL client profile: TLSv1_2:!DES:!RC4:!3DES? Can anyone confirm that most browsers are OK without these?

Second, I believe I need to disable anon DH. How do I do this? Can I add a !DH? This will still allow DHE, correct? And are most browsers OK?

Then, for group 5 1024, can anyone tell me how to disable this?

Also, is this the correct way to disable those, with a TLSv1_2:!...:!...., or is there a better way? SSL is not my strongest suit.

Thanks.
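To make the scan findings above concrete, here is an added example (my own Python, not code from the post, from F5 or from the linked article). It does two things: it classifies the suite names the scan printed, taking the 1024-bit DH parameter size as a separate input because a suite name never encodes it (the DHE suites are weak only because of the server's parameters, not because DHE itself is weak); and it uses Python's ssl module to expand OpenSSL-syntax cipher strings so the difference between excluding `!DH` and excluding only the anonymous suites (`!ADH` or `!aNULL`) is visible. The OpenSSL keywords are only an analogue of the BIG-IP syntax (F5 writes TLSv1_2 and has its own family names), so the string that actually goes into the client SSL profile still has to be checked on the BIG-IP itself. The suite list is the one from the post plus one strong suite for contrast.

```python
"""Classify the TLS 1.2 suites from a scan and check cipher-string exclusions.

Added example, not code from the forum post or from F5.  The suite names are
the ones the scan in the post reported; the DH parameter size is passed in
separately because a suite name never encodes it.
"""
import re
import ssl

# Constructed input: the suites the scan flagged, plus one strong suite for contrast.
SCAN_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_RC4_128_MD5",
    "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# IANA suite names have the shape TLS_<kx>_<auth>_WITH_<cipher>_<mac>.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)


def weaknesses(suite, dh_bits=2048):
    """Return the reasons a suite is weak (an empty list means acceptable).

    dh_bits is the server's finite-field DH parameter length as reported by
    the scanner.  It applies to every DHE_ suite: the scan in the post did not
    flag DHE because of the suite itself but because the server used 1024-bit
    parameters for it.
    """
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    reasons = []
    if "anon" in kx:
        reasons.append("anonymous key exchange (no server authentication)")
    if kx.startswith("DHE_") and dh_bits < 2048:
        reasons.append(f"finite-field DHE with {dh_bits}-bit parameters")
    if cipher.startswith("RC4"):
        reasons.append("RC4 stream cipher")
    elif cipher.startswith("3DES"):
        reasons.append("3DES (64-bit block, Sweet32)")
    elif cipher.startswith("DES_"):
        reasons.append("single DES (56-bit key)")
    if mac == "MD5":
        reasons.append("MD5 HMAC")
    return reasons


def audit(suites, dh_bits=2048):
    """Map each suite to its list of weaknesses."""
    return {s: weaknesses(s, dh_bits) for s in suites}


def expand(cipher_string):
    """Expand an OpenSSL-syntax cipher string into the TLS 1.2 suites it selects.

    This is only an analogue of the BIG-IP string: F5 spells the keywords
    differently (TLSv1_2 instead of TLSv1.2, and its own DH family names), so
    what it shows is how '!' exclusions behave, not the exact F5 result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def is_dhe(c):
    """True for finite-field ephemeral DH key exchange (OpenSSL 'kx-dhe')."""
    return c["kea"] == "kx-dhe"


def is_anon(c):
    """True for suites with no server authentication (OpenSSL 'auth-null')."""
    return c["auth"] == "auth-null"


def exclusion_effects():
    """Compare the exclusion strings the post asks about.

    '!DH' removes every finite-field DH suite, authenticated DHE included;
    '!ADH' (or '!aNULL') removes only the anonymous ones.
    """
    return {
        "no_dh_leaves_dhe": any(is_dhe(c) for c in expand("TLSv1.2:!DH")),
        "no_adh_leaves_dhe": any(is_dhe(c) and not is_anon(c)
                                 for c in expand("TLSv1.2:!ADH")),
        "no_adh_leaves_anon": any(is_anon(c) for c in expand("TLSv1.2:!ADH")),
        "strict_leaves_anon": any(is_anon(c)
                                  for c in expand("TLSv1.2:!DES:!RC4:!3DES:!aNULL")),
    }


if __name__ == "__main__":
    for suite, reasons in audit(SCAN_SUITES, dh_bits=1024).items():
        print(f"{suite:45} {'; '.join(reasons) or 'ok'}")
    print(exclusion_effects())
```

Run as a script it prints one line per suite with the reasons it was flagged, and then the four booleans: with `!DH` no DHE suite survives, with `!ADH` the authenticated DHE suites stay while the anonymous ones go, and the strict string leaves no anonymous suite. That is the behaviour the question about `!DH` versus DHE hinges on, and it is the kind of check worth repeating with the BIG-IP's own cipher tooling before changing the profile.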


1 Reply

  • Heya mate, I was reviewing our SSL configuration recently too and found this post by Kai to be full of useful info. Hopefully it can provide some value to you also.