user3123690 February 2016

Relationship between ciphers and SSL enabled protocols

I was told to remove SSL_RSA_WITH_3DES_EDE_CBC_SHA from the ciphers list since it is weak. When I looked at sslEnabledProtocols, I didn't see SSLv3. The following is what I have.

ciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2

Question 1: Since SSLv3 is no longer listed in sslEnabledProtocols, should I assume that SSL_RSA_WITH_3DES_EDE_CBC_SHA is disabled automatically without physically removing it from ciphers? Are all ciphers starting with SSL_ related to SSLv3?

Question 2: Why do both SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA have the same OpenSSL name, DES-CBC3-SHA?

Answers


BazzaDP February 2016

No. Confusingly, this cipher suite is also available in TLS - sometimes called TLS_RSA_WITH_3DES_EDE_CBC_SHA, but often not.

https://mta.openssl.org/pipermail/openssl-users/2015-April/001055.html

Note that if you remove that, you will remove access for some older users (including IE8/XP). It is always best to run a scan through https://www.ssllabs.com/ssltest/ to see which clients should be able to connect or not - and similarly, this scan looks at SSL and TLS support and not just SSL, despite its name :-) I imagine it will show a number of older clients using that cipher suite. So you can only disable it if you're prepared to cut them off, so you'll need to decide how much traffic that represents and whether you want to do that or push back on this plan.
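The point made in this answer, as an added example that is not part of the original thread: a small Python linter over the two configuration lines from the question. It folds the JSSE SSL_ prefix to the TLS_ spelling, maps each suite to its OpenSSL name (standard names; the table and helper functions are my own), and reports on which enabled protocols each suite is still negotiable, going slightly beyond the thread by treating TLS 1.3-only suites separately.

```python
"""Added example (not from the thread): lint the ciphers=/sslEnabledProtocols=
pair from the question. The SSL_ prefix is a naming artefact, so dropping
SSLv3 from the protocol list does not disable SSL_RSA_WITH_3DES_EDE_CBC_SHA."""

# JSSE/IANA suite name (TLS_ spelling) -> OpenSSL name, for the suites in the question.
OPENSSL_NAMES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}
# Every pre-TLS-1.3 suite is negotiable on all of these; TLS 1.3 has its own suites.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def canonical(suite):
    """JSSE kept SSL_ on suites that predate TLS naming; same suite on the wire."""
    return "TLS_" + suite[4:] if suite.startswith("SSL_") else suite

def parse_config(text):
    """key=a,b,c lines -> {key: [a, b, c]}; lines without '=' are ignored."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return cfg

def negotiable_on(suite, protocols):
    """Subset of the enabled protocols on which `suite` can actually be agreed."""
    if canonical(suite).startswith(("TLS_AES_", "TLS_CHACHA20_")):  # TLS 1.3-only
        return [p for p in protocols if p == "TLSv1.3"]
    return [p for p in protocols if p in LEGACY_PROTOCOLS]

def audit(config_text):
    """One finding per suite: OpenSSL name, where it is negotiable, 3DES flag."""
    cfg = parse_config(config_text)
    protos = cfg.get("sslEnabledProtocols", [])
    return [{
        "suite": s,
        "openssl": OPENSSL_NAMES.get(canonical(s), "(unknown)"),
        "negotiable_on": negotiable_on(s, protos),
        "weak_3des": "3DES" in canonical(s),  # 64-bit block cipher, the suite flagged as weak
    } for s in cfg.get("ciphers", [])]

# Constructed input: the two lines exactly as given in the question.
CONFIG = (
    "ciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA\n"
    "sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2\n"
)
```

Running `audit(CONFIG)` shows the 3DES suite mapped to DES-CBC3-SHA and still negotiable on TLSv1, TLSv1.1 and TLSv1.2, which is why it has to be removed from ciphers rather than relying on the protocol list.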

Asked in February 2016