CBC ciphers marked as weak by SSL labs

 

Information

 

Summary:

When running an SSL Labs server test, the results show two weak ciphers present on the service even though the "BestPractices" cipher set has been enabled on the virtual service.

Environment:

Product: LoadMaster

Version: 7.2.57

Platform: 

Application:

Question/Problem Description:

SSL Labs reports two weak ciphers even though the overall grade for the service is an "A".

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: All CBC cipher suites are marked as weak by SSL Labs
Resolution:

 

The security landscape is constantly changing, and cipher and protocol recommendations are updated regularly as new vulnerabilities and research are published. The two ciphers flagged by SSL Labs have the following names in the LoadMaster (LM), shown as OpenSSL name => IANA name:

  • ECDHE-RSA-AES256-SHA384 => TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • ECDHE-RSA-AES128-SHA256 => TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Both are TLS 1.2 cipher suites and are still regarded as strong by OpenSSL.

 

 

[Screenshot: weak_ciphers.png, SSL Labs results showing the two CBC ciphers flagged as weak]

Qualys applies its own criteria when grading ciphers, in particular CBC cipher suites, and has published the following statement on the issue:

 

"Due to the difficulties in implementing CBC cipher suites, and the numerous known exploits against bugs in specific implementations, Qualys SSL Labs began marking all CBC cipher suites as WEAK in May 2019. While there are CBC implementations without known exploits, which are safe to use, there are better options that Qualys would like to encourage admins to adopt."

 

These CBC ciphers are not known to be compromised, but Qualys still wants administrators to stop using all CBC ciphers regardless of their strength.

 

OpenSSL best practices still list the two ciphers as "strong", and therefore they remain part of the LoadMaster's "BestPractices" cipher set.

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

 

To remove the ciphers, create a custom cipher set using "BestPractices" as a starting point.

Go to: Certificates & Security --> Cipher Sets --> Cipher Set (BestPractices)

 

Remove the two ciphers listed earlier from the "BestPractices" cipher set and save it under a new name such as "BestPractices2". Then apply the new cipher set to the affected virtual services under SSL Properties.

https://support.kemptechnologies.com/hc/en-us/articles/360052659112-SSL-Accelerated-Services#MadCap_TOC_17_3

 

[Screenshot: weak_ciphers_removed_.png, SSL Labs results after the two CBC ciphers were removed]

Re-run the SSL Labs server test and verify that the weak ciphers are no longer listed, as shown in the screenshot above.
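As an added example (not Kemp's code and not part of the original article), the following Python script identifies the CBC suites in an OpenSSL-format cipher list, maps the article's two entries to their IANA names, and returns the trimmed list to apply as the custom cipher set. The SAMPLE_CIPHER_SET string is a constructed stand-in for the LoadMaster list; replace it with the actual entries from Cipher Sets.

```python
"""Find and remove CBC cipher suites from an OpenSSL-format cipher list.

Added example, not Kemp's code. SAMPLE_CIPHER_SET is a constructed sample
modelled on a BestPractices-style set, not the LoadMaster's real list.
"""
import re

# Constructed sample: common AEAD suites plus the two CBC suites the article names.
SAMPLE_CIPHER_SET = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
)

# In OpenSSL naming, AEAD suites carry one of these markers; a block cipher
# without such a marker is running in CBC mode.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
BLOCK_CIPHERS = ("AES", "CAMELLIA", "ARIA", "SEED", "DES", "IDEA")

# ECDHE/DHE + RSA/ECDSA + AES-CBC suites, e.g. ECDHE-RSA-AES256-SHA384.
_CBC_AES_RE = re.compile(r"^(ECDHE|DHE)-(RSA|ECDSA)-AES(128|256)-SHA(256|384)?$")


def is_cbc(openssl_name):
    """True if the suite uses a block cipher in CBC mode (SSL Labs marks these WEAK)."""
    name = openssl_name.upper()
    if any(marker in name for marker in AEAD_MARKERS):
        return False
    return any(cipher in name for cipher in BLOCK_CIPHERS)


def iana_name(openssl_name):
    """OpenSSL name -> IANA name for the AES-CBC pattern above; None if it does not match."""
    match = _CBC_AES_RE.match(openssl_name)
    if not match:
        return None
    kx, auth, bits, sha = match.groups()
    return f"TLS_{kx}_{auth}_WITH_AES_{bits}_CBC_SHA{sha or ''}"


def split_cipher_set(cipher_list):
    """Return (trimmed_list, removed) where removed holds (openssl, iana) per CBC suite."""
    names = [n for n in cipher_list.split(":") if n]
    removed = [(n, iana_name(n)) for n in names if is_cbc(n)]
    kept = ":".join(n for n in names if not is_cbc(n))
    return kept, removed


if __name__ == "__main__":
    trimmed, dropped = split_cipher_set(SAMPLE_CIPHER_SET)
    for openssl, iana in dropped:
        print(f"remove: {openssl} => {iana}")
    print("new cipher set:", trimmed)
```

To confirm the change on a live virtual service, `openssl s_client -tls1_2 -cipher ECDHE-RSA-AES256-SHA384 -connect <vip>:443` should now fail the handshake, because the suite is no longer offered.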

Workaround:  
Notes:

Related SSLlabs link:

https://support.kemptechnologies.com/hc/en-us/articles/9324532996365

SSLlabs Server Test:

https://www.ssllabs.com/ssltest/
