TLS cipher order (again)

Answer these questions to help the Community help you with Security questions.

What is the domain name?
securitydelta.nl

Have you searched for an answer?
Yes, but found the same question, without an answer.

Please share your search results url:
Same question found: https://community.cloudflare.com/t/tls-cipher-order/482720

When you tested your domain, what were the results?
See https://internet.nl/site/securitydelta.nl/2568006/#control-panel-13

Under Cipher order:

Verdict:

Your web server does not prefer ‘Good’ over ‘Sufficient’ over ‘Phase out’ ciphers (‘II’).

Technical details:

| Web server IP address | First found affected cipher pair |
| --- | --- |
| 104.26.11.224 | ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384 |
| 2606:4700:20::ac43:4657 | ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384 |

Describe the issue you are having:
I want to fix this message: “Connection not or insufficiently secured (HTTPS)”.

What error message or number are you receiving?
Connection not or insufficiently secured (HTTPS)

You cannot change the cipher order, but you can disable the weak ciphers if you subscribe to Advanced Certificate Manager.

FYI: You cannot disable the pre-RFC versions of ChaCha20-Poly1305, but they will be removed in the first quarter of 2024.

2 Likes

If you don’t want to subscribe to ACM, you could also set the minimum TLS version to 1.3.

That would also fix the warning, but it might cause problems for users with very old devices. It’s definitely worth a try.

1 Like
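
A simplified model of the cipher-order verdict quoted in the question and of the two fixes suggested in the replies, added here as an example and not part of any post in the thread. The class labels, the server preference order and the function names are constructed assumptions chosen to reproduce the reported pair; they are not Cloudflare's actual configuration or the test tool's own code.

```python
RANK = {"Good": 0, "Sufficient": 1, "Phase out": 2}

# Assumed class labels (the page only reports the affected pair).
CIPHER_CLASS = {
    "TLS_AES_128_GCM_SHA256": "Good",           # TLS 1.3 suite
    "TLS_AES_256_GCM_SHA384": "Good",           # TLS 1.3 suite
    "ECDHE-ECDSA-AES128-GCM-SHA256": "Good",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "Good",
    "ECDHE-ECDSA-AES128-SHA": "Sufficient",
    "ECDHE-ECDSA-AES256-SHA": "Sufficient",
}

# Constructed server preference order, most preferred first.
SERVER_ORDER = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA",
]

def rank(cipher):
    """Numeric class of a cipher; lower is better. Unknown names are rejected."""
    try:
        return RANK[CIPHER_CLASS[cipher]]
    except KeyError:
        raise ValueError(f"unclassified cipher: {cipher}") from None

def first_affected_pair(order):
    """Return (preferred, better) for the first cipher that is preferred over
    a later cipher of a better class, or None if the order is consistent."""
    for i, preferred in enumerate(order):
        for later in order[i + 1:]:
            if rank(later) < rank(preferred):
                return preferred, later
    return None

def only_good(order):
    """Model disabling every cipher that is not classed 'Good'."""
    return [c for c in order if rank(c) == RANK["Good"]]

def min_tls13(order):
    """Model a minimum TLS version of 1.3: only TLS 1.3 suites remain."""
    return [c for c in order if c.startswith("TLS_")]

if __name__ == "__main__":
    for label, order in [("as configured", SERVER_ORDER),
                         ("weak ciphers disabled", only_good(SERVER_ORDER)),
                         ("minimum TLS 1.3", min_tls13(SERVER_ORDER))]:
        print(label, "->", first_affected_pair(order))
```
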

Thanks! For now I'll go with Laudian's solution: set the minimum TLS version to 1.3.

Thanks!
