Weak cipher suites

dash-crypto
#1

Hi all
I am a pro customer and having weak cipher suite problem

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256

cloudflare support is telling
“I’m afraid we can only disable ciphers for Enterprise customers only.”

who else is having this problem? Is cloud flare not to the standers?
any recommendations than using a Enterprise plan?

Thanks

#2

I am not sure that there’s an actual standard that mandates what is “weak”. If there isn’t one, there’s nothing for Cloudflare to follow. It’s an ever-changing thing.

However, I do know that TLS 1.3, as part of the standard, only allows a shortlist of strong ciphers. So if you limit yourself to TLS 1.3, you’ll probably have less or no “weak” ciphers. However that also means that some of your users will not be able to use your site. You see, many people out there still use software that doesn’t have all the shiny things, and may require "weak"er ciphers. I am guessing that this is the reason why Cloudflare doesn’t go into deep length to disable them.

Also, you seem to be using RSA. If you go EC only (as the Universal SSL gives you), you’ll probably also reduce the number of “weak” ciphers, as EC is more modern…

#3

Thanks for the reply shaimi
I forget to mention my server do not have this RSA ciphers. and i am not using Universal SSL. I am using a dedicated SSL and sill can not get rid of the weak ciphers.
TLS 1.3 only will not be ok as you mention.
So I have 2 options.

1.) pay US$200 per month and get a business plane. and hope for no other limitations!
2.) dich cloud flare and go with another provider.

Any idea to fix this cloudflare team? is there any workaround?

#4

While the latest NIST draft for TLS implementations says these cipher suites are not necessarily ideal, they are secure and OK.

See the PDF : https://csrc.nist.gov/CSRC/media/Publications/sp/800-52/rev-2/draft/documents/sp800-52r2-draft2.pdf and line 1705 (page 60/71 of pdf)

#5

You can implement a Cloudflare Worker, with the code below and change the ciphers to your requirements.

addEventListener('fetch', event => {
    event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
    let tlsCipher = (request.cf || {}).tlsCipher
    const blockCiphers = ['ECDHE-ECDSA-AES128-GCM-SHA256', 'AEAD-AES256-GCM-SHA384', 'AEAD-AES128-GCM-SHA256']
    if (blockCiphers.includes(tlsCipher)) {
        return new Response("Please use a more secure Browser", {
            status: 403,
            statusText: "Forbidden"
        })
    }
    const response = await fetch(request)
    return response
}
#6

Hi adaptive
I tried with your solution but no luck. still showing the weak cipher suites.

const blockCiphers = [‘RSA_WITH_AES_128_GCM_SHA256’,‘RSA_WITH_AES_128_CBC_SHA’,‘RSA_WITH_AES_128_CBC_SHA256’, ‘TLS_RSA_WITH_AES_256_GCM_SHA384’,‘RSA_WITH_AES_256_CBC_SHA’,‘RSA_WITH_AES_256_CBC_SHA256’]

thanks

#7

With that script the test will still show the cipher suites, but the browser will show a 403 and won’t be able to actually access your website.

Is this about the cipher suites being insecure, or you trying to raise your speed/security score?

#8

I was not talking about your server, I was talking about Cloudflare RSA. I know you’re using Dedicated SSL. That was my point. The Dedicated SSL is what enables RSA. Regular (free) Universal SSL does not do RSA. It is a limitation for most people and one of the main reasons people buy Dedicated SSL. For you it is actually a downside as it enables ciphers that you consider are “weak”. So you could ditch the dedicated SSL (or just disable the RSA cert in it, if that is possible. I don’t know, as I’m still using Universal…)

closed #9

This topic was automatically closed after 30 days. New replies are no longer allowed.