Universal SSL w/ Weak Ciphers

What is the name of the domain?

www.airpassengerhelpguide.ca

What is the error number?

dash-ssl-tls

What is the issue you’re encountering?

Security Scanners are reporting that the SSL Certificates support “Weak Ciphers”. This particular domain, along with one other domain, seems to have 2 certs generated: SHA256 RSA & ECDSA SHA256. We have 3 other domains that were migrated to Cloudflare much later and only have ECDSA SHA256. The latter 3 domains do not have the Weak Ciphers. Googling and browsing through the forums indicates that Ciphers can be customized using the API but would require ACM to be purchased. The other 3 domains do not have ACM, so I don’t see why I would need to purchase ACM to be able to disable weak ciphers. Is there any way to re-generate the Universal SSL so that only the ECDSA SHA256 certificate is issued?

What steps have you taken to resolve the issue?

Disabling, waiting for 15 minutes and re-enabling Universal SSL, hoping that newly generated certs would only have ECDSA SHA256 instead of SHA256 RSA & ECDSA SHA256. We have also tried to adjust minimum TLS version from 1.2 to 1.1 and then back to 1.2.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

Do you see any correlation with the certificate authority? (Google vs Let’s Encrypt)
