Remove cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA

I propose to remove the weak cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) on all TLS levels, as this is the only one really rated WEAK on all SSL test instances. Removing it will not harm anyone but makes MIAB more secure with a single small step.

1 Like

I recommend reading the current ‘In development’ (Master) changelog about the Web & Mail cipher list, which follows Mozilla’s current intermediate recommendation, and checking whether that list matches your request.

These URLs can also be useful:

Strong cipher list configuration

Online check web tls security

SMTP check tls security

Nextcloud

Online check ssh cipher security

For example, on my Apache server I use a few more than cipherli.st:

```apache
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1    # The most secure but restrictive (cipherli.st)
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# https://blog.filippo.io/we-need-to-talk-about-session-tickets/
# (Apache does not allow a comment on the same line as a directive)
SSLSessionTickets Off

#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH    # The most secure but restrictive (cipherli.st)
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA384:DHE-RSA-AES128-SHA256:AES128-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA384:AES128-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
```
2 Likes
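An added example, not part of the original posts: whether a cipher string such as the `SSLCipherSuite` value above still expands to the 3DES suite from the first post (OpenSSL name `DES-CBC3-SHA`) depends on the local OpenSSL build, so it is worth auditing the expansion rather than the string. The function names and the sample lines are constructed for this illustration; only `openssl ciphers -v` is a real command.

```shell
#!/bin/sh
# Added example (not from the thread): list weak suites in `openssl ciphers -v` output.
# Usage: pass an OpenSSL cipher string as the first argument to audit it locally.

# Read `openssl ciphers -v` lines on stdin and print the name of every suite
# whose bulk cipher (the Enc= field) is 3DES, single DES or RC4.
find_weak_suites() {
    awk '{
        enc = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
        if (enc ~ /^(3DES|DES|RC4)\(/) print $1
    }'
}

# Expand a cipher string with the locally installed openssl and audit it.
# The result depends on the OpenSSL version and its build options.
audit_cipher_string() {
    openssl ciphers -v "$1" | find_weak_suites
}

# Constructed sample lines in the `openssl ciphers -v` output format.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

# Audit the constructed sample; prints the two 3DES suites it contains.
sample_weak() {
    printf '%s\n' "$SAMPLE" | find_weak_suites
}

# Only touch the local openssl binary when a cipher string was supplied.
if [ "$#" -gt 0 ]; then
    audit_cipher_string "$1"
fi
```

An empty result means none of the suites in the expansion use 3DES, DES or RC4.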

That's nice, thank you.

Awesome summary in general! Thank you!

You're welcome, Cornelius
