CBC ciphers marked as weak by SSL labs
When doing a SSLlabs test the test results show that there are two weak ciphers present on the service even though "BestPractices" Cipher suite has been enabled on a virtual service.
SSLlabs reports that there are two weak ciphers even though the overall rating is an "A" rating.
|Steps to Reproduce:|
|Cause:||All CBC ciphers are marked as weak by SSLlabs|
The security landscape is ever changing and ciphers and protocols are updated on a regular basis depending on the vulnerabilities or research done. The two ciphers noted are named the following in the LoadMaster (LM):
Both ciphers are TLS1.2 ciphers and are still regarded as strong ciphers by OpenSSL.
Qualsys have a specific criteria when it come to cipher, in particular the CBC cipher suite and have the following statement in relation to the issue:
"Due to the difficulties in implementing CBC cipher suites, and the numerous known exploits against bugs in specific implementations, Qualys SSL Labs began marking all CBC cipher suites as WEAK in May 2019. While there are CBC implementations without known exploits, which are safe to use, there are better options that Qualys would like to encourage admins to adopt."
These CBC ciphers are not known to be compromised but Qualsys still wants administrators to stop using all CBC ciphers regardless of their strength.
OpenSSL best practices still lists the two ciphers as "strong" and therefore are still part of the LoadMastres "BestPractices" Cipher suite.
To remove the ciphers create a custom cipher set using the "BestPractices" as a starting point.
Go to: Certificates & Securtiy --> Cipher Sets --> Cipher Set (BestPractices)
Remove the two ciphers listed earlier from the "BestPractices" cipher suit and save it as a new name such as "BestPractices2" and then apply the new cipher set to the affected virtual services under the SSL Properties.
Re-run the SSLlabs server test and verify that the weak ciphers have been removed as outlined in the above screenshot.
Related SSLlabs link:
SSLlabs Server Test: