Disable all weak block ciphers with key less than 128-bit, including export ciphers

I need the procedure to be able to disable the following, since the guide is very confusing. Someone who has done it?

Disable all weak block ciphers with key less than 128-bit, including export ciphers.
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xc013)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xc027)
TLS_RSA_WITH_AES_128_GCM_SHA256(0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA(0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256(0x3c)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xc014)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xc028)
TLS_RSA_WITH_AES_128_GCM_SHA384(0x9d)
TLS_RSA_WITH_AES_128_CBC_SHA(0x35)
TLS_RSA_WITH_AES_128_CBC_SHA256(0x3d)

The ciphers API sets the ciphers you want to use, not the ciphers you don’t want to use. I use the following:

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${zoneid}/settings/ciphers" -H "X-Auth-Email: $auth_email" -H "X-Auth-Key: $auth_key" -H "Content-Type: application/json" --data '{"value":["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256"]}'

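Because the setting is an allowlist, a candidate list can be checked against the scan findings before it is sent. The script below is an added example, not part of the original posts: it maps the hex codes flagged in the question to their OpenSSL names (per the IANA cipher suite registry), confirms none of them appear in the allowlist from the reply, and builds the JSON body. The function names are hypothetical and the API call itself is left out so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): offline check of a cipher allowlist.

# Allowlist from the reply above, in the OpenSSL-style names the API takes.
ALLOW="ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 \
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 \
ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256"

# Hex codes of the suites flagged in the question.
FLAGGED="0xc013 0xc027 0x9c 0x2f 0x3c 0xc014 0xc028 0x9d 0x35 0x3d"

# Map an IANA cipher-suite code to its OpenSSL name (keyed on the hex code).
openssl_name() {
  case "$1" in
    0xc013) echo ECDHE-RSA-AES128-SHA ;;
    0xc027) echo ECDHE-RSA-AES128-SHA256 ;;
    0x9c)   echo AES128-GCM-SHA256 ;;
    0x2f)   echo AES128-SHA ;;
    0x3c)   echo AES128-SHA256 ;;
    0xc014) echo ECDHE-RSA-AES256-SHA ;;
    0xc028) echo ECDHE-RSA-AES256-SHA384 ;;
    0x9d)   echo AES256-GCM-SHA384 ;;
    0x35)   echo AES256-SHA ;;
    0x3d)   echo AES256-SHA256 ;;
    *)      return 1 ;;
  esac
}

# Print each flagged suite still present in allowlist $1; return 1 if any is.
flagged_in_allowlist() {
  allow=" $1 "; rc=0
  for code in $2; do
    name=$(openssl_name "$code") || { echo "unknown code: $code" >&2; return 2; }
    case "$allow" in *" $name "*) echo "$code $name"; rc=1 ;; esac
  done
  return "$rc"
}

# Build the JSON body for the ciphers setting; reject names that need escaping.
build_payload() {
  out=""
  for c in $1; do
    case "$c" in *[!A-Za-z0-9-]*) echo "bad cipher name: $c" >&2; return 1 ;; esac
    out="${out:+$out,}\"$c\""
  done
  printf '{"value":[%s]}\n' "$out"
}

# Only emit a payload when no flagged suite would stay enabled.
if flagged_in_allowlist "$ALLOW" "$FLAGGED"; then build_payload "$ALLOW"; fi
```

The printed body is what goes in the `--data` argument of the curl command above.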

Do take note that this is only possible with the use of Advanced Certificate Manager (ACM).
