Questions tagged [cipher]
72 questions
0 votes, 0 answers, 34 views
Rsyslog Client hello message showing Too many ciphers when used tls connection?
I have configured rsyslog over TLS. My client hello message is sending too many ciphers:
I tried using Debian machines and Red Hat 8 machines; both resulted in the same way.
rsyslog version : 8.2404
gnutls - 3....
0 votes, 0 answers, 373 views
Apache 2.4 Cipher Suite Mismatch from config
We are running Apache 2.4 as reverse proxy to a Tomcat 9.0.88 web application.
We started having issues after a fresh install where Apache was rejecting incoming ssl handshakes from other Web apps. ...
0 votes, 0 answers, 242 views
sslscan: How to interpret the output with respect to curves used for key exchange?
sslscan produces the following output (truncated for the purposes of this question):
Supported Server Cipher(s):
SSL_connect() returned: 1
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 ...
-1 votes, 1 answer, 245 views
Are ciphers configured only at the OS level?
I need to remove support for weak servers on a site we host. This is a highly secured site where customer data is extremely sensitive and our customers and auditors require that we drop support for ...
0 votes, 1 answer, 1k views
Disable TLSv1.0 and TLSv1.1 when generating certificates using openssl 1.1.1
I am struggling to implement a feature for my certificates. I am generating my certificates with OPENSSL 1.1.1.
I want to allow only TLSv1.2 and TLSv1.3. The other protocols should not be possible (...
2 votes, 1 answer, 770 views
DTLS Cipher Suites in Windows
We recently disabled specific cipher suites for TLS and only allow the most secure ones, this is our list:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
...
0 votes, 1 answer, 1k views
HaProxy - Does prefer-client-ciphers mean the client can choose a cipher not supported by a server?
Considering a setup like this:
global
# intermediate configuration
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-...
1 vote, 1 answer, 702 views
OpenConnect force clients to use special cipher
I use ocserv on Centos as Openconnect VPN and I use config file for setting up the server
I need to force clients to use special cipher like AES-256-GCM
because it seems that VPN blocks on some 4G net ...
1 vote, 1 answer, 270 views
How to **keep** my SSLCipherSuite list for my LAMP stack current?
I have been running several LAMP servers for 5+ years with Let's Encrypt certs.
Today, I did the SSL test by Qualys https://www.ssllabs.com/ssltest/index.html to learn that I had lost my coveted A+ ...
0 votes, 0 answers, 1k views
Cipher Suites order enforced by IIS
We are trying to get approved from a vendor that requires cipher suites order to be processed in this way:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
We use ...
1 vote, 1 answer, 5k views
ssh sftp which cipher is used
On a Debian shell I can connect to a sftp by: (connection established, I see the sftp prompt)
sftp -i /keys/mykey [email protected]
I want to change to
sftp -oCiphers=aes256-ctr -i /keys/mykey [email protected]....
0 votes, 1 answer, 7k views
How to debug OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
We have a nginx setup with client certificate authentication running on docker, we are only using these ssl settings:
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:...
-2 votes, 1 answer, 930 views
Will Disabling All Non-256-bit Cipher Suites Cause An Issue? [closed]
I want to disable some risky cipher suites (especially for TLS 1.1 and 1.0) which are 128-bit, in order to achieve a more secure server in Windows. But these cipher suites may be used by some client. ...
2 votes, 1 answer, 7k views
How To Disable Weak Cipher Suites Only For TLS 1.0 and 1.1 In Windows?
I want to disable some weak cipher suites in Windows but TLS 1.2 is not so vulnerable and I don't want to cause any other problem in the server, so I just want to disable them for TLS 1.0 and 1.1.
...
0 votes, 0 answers, 858 views
Cannot disable cipher suite "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" in IIS / Windows Server 2022
I am using this command in Windows Server 2022, latest updates:
Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
It completes without error. I then tried restarting IIS (...
0 votes, 1 answer, 1k views
Fujitsu iRMC S4 Web Server Unable to Access
I have a Fujitsu TX140 S2 server hosting a number of drives.
Recently went to log into the iRMC web server to turn the server off during the high winds in case of a power cut (UPS on order) and couldn'...
0 votes, 2 answers, 609 views
How to get Cipher details from .ppk file
Is it possible to get the Cipher name from .ppk file?
For e.g. name like TLS-CHACHA20-POLY1305-SHA256 or ECDHE-ECDSA-AES256-GCM-SHA384
Edit: Based on the responses in answers and comments, it seems I ...
1 vote, 2 answers, 6k views
How to add additional cipher suites to a Java application server?
I'm running into a bit of a pickle with a call to a third-party API from a java application. The external API requires at least one of the following ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
...
1 vote, 1 answer, 3k views
Adding Ciphers to Server 2012 R2
I need to add the following Ciphers to my server:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
I found the following article:
https://docs.microsoft.com/en-us/windows-...
0 votes, 1 answer, 2k views
Ubuntu Key Exchange Algo
I am trying to test the connectivity to several network devices, with Ansible installed on Ubuntu 20.04.2 LTS, using ansible ad-hoc.
The problem:
SSH is not working as the device's key exchange method ...
0 votes, 1 answer, 7k views
Should I configure Ciphersuites on openssl after setting MinProtocol and CipherString?
Current OpenSSL version
OpenSSL 1.1.1d 10 Sep 2019 (Library: OpenSSL 1.1.1g 21 Apr 2020)
Current openssl.cnf configuration
At the top of the file
openssl_conf = default_conf
At the bottom of the ...
1 vote, 0 answers, 373 views
Are there any Operating Systems or Browsers that still depend on having these Ciphers enabled?
Doing a little Cryptography Research and hit a case of conflicting data so wanted to try here.
I'm running a Web Service and currently support these 2 Ciphers:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0X9F)...
0 votes, 0 answers, 918 views
Apache SSLCipherSuite directive in letsencrypt ignored
I have a web application using Apache 2.4 that runs an external API. Recently a client had trouble connecting to our system due to an SSL handshake failure. They went on ssllabs and found that our ...
1 vote, 2 answers, 6k views
TLS 1.2 with RSA vs ECDSA Ciphers
Microsoft has reported that it will only support TLS 1.2 with at least one of the following ciphers:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...
2 votes, 1 answer, 14k views
How to disable TLS_AES_128_GCM_SHA256 (or, how to set TLSv1.3 ciphers) in postfix
I have the following in my TLS configuration, but the only problem I have is that TLS_AES_128_GCM_SHA256 is a 128 bit cipher, and I would like to remove it:
smtpd_tls_eecdh_grade = ultra
...
0 votes, 0 answers, 267 views
How can I use this same Cipher suite on Dovecot?
I have the following cipher suite on Apache:
#TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-...
5 votes, 1 answer, 2k views
How to disable AES128 in Apache?
I am using the following cipher, which I keep updating today, don't worry if there is any incompletion in it. Just help me disable AES128.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:!AES128
It is ...
1 vote, 0 answers, 2k views
SSL Cipher Suites in nginx do not match SSL Labs
I am trying to install this plugin on Wordpress which fails to communicate with my server, and the plugin developer says it's because my cipher suites don't match their requirement. https://www....
0 votes, 0 answers, 885 views
Cipher names (ipsec)
I've got this in my syslog
470 Nov 22 11:32:23 mini31 ipsec[8820]: 13[IKE] 192.168.1.7 is initiating a Main Mode IKE_SA
471 Nov 22 11:32:23 mini31 ipsec[8820]: 13[CFG] received proposals: IKE:...
2 votes, 1 answer, 9k views
Windows Server 2012 R2 - Adding Cipher
This might be a complete newbie question.
I have a 2012 R2 Server on which an application should call a partner who only offers the following ciphers:
(0xc02f) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ...
2 votes, 2 answers, 16k views
How do I disable just one cipher out of OpenSSL TLSv1.3 list?
I use Nginx + Let's Encrypt with OpenSSL on my server. I wanted to use TLSv1.2 and TLSv1.3. But I wanted to use very specific SSL ciphers. Specifically:
TLS_AES_256_GCM_SHA384 (TLSv1.3),
...
0 votes, 2 answers, 968 views
Need help for TLS1.2 Cipher disabling in RHEL satellite server version - 6.5.2
We need to disable TLS_RSA_WITH_AES_256_GCM_SHA384 running on ports 8008 and 9090.
Below processes are running on ports 8008 and 9090 respectively -
ruby /usr/bin/smart_proxy_dynflow_core -d -p /var/...
1 vote, 3 answers, 19k views
Missing cipher suites on Windows Server 2019
I am using a MEMCM Task Sequence to build servers running Windows Server 2019. So far, I build 22 servers with this OS. At the end of OSD, on 20 of them I have only 10 cipher suites available for use.
...
1 vote, 1 answer, 1k views
How to avoid use of medium strength ciphers in WAS liberty server with openJDK 1.8
Good day,
I have an IBM WAS Liberty server, which is placed under OS Red Hat Linux, with openjdk version 1.8.0_242.
I received a pentest report that complains about this server using medium strength ...
5 votes, 1 answer, 18k views
How can I disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher in Apache2?
In SSL labs, I got that I'm using this "weak cipher":
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Now in Apache, this is the set of suites I have enabled:
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:...
1 vote, 1 answer, 647 views
Missing openssl cipher-algorithms on specific VMs/Hoster
I'm trying to use AES-128-CBC-HMAC-SHA256 but this cipher-algorithm isn't available on a VM on a specific hosting provider.
The OS, installed packages, Kernel, openssl version, and the like are the ...
1 vote, 1 answer, 165 views
SSLCipherSuite - more precise definition, need only strong ciphers
The Apache documentation of SSLCipherSuite seems a little vague and the examples I found on the web make it much worse. I see a lot of references to "all", long lists of specific ciphers and lots of "...
0 votes, 1 answer, 176 views
ADFS stop working
So I tried to secure our domain controllers with a narrowed list of Ciphers and now the Office 365 ADFS is broken for Chrome and Firefox. I need some help trying to figure out how to put it back. I ...
0 votes, 1 answer, 3k views
Disabling the AES cipher suites without ECDHE key exchange algorithm
Currently, we are having below cipher suites used in our platform.
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
Post ...
2 votes, 2 answers, 11k views
Disable weak Cipher ubuntu 16
I have started security scanning my network and have issues with Ubuntu 16 and weak cipher suites. I think I found the sshd config. but everything I read on the TLS for apache tells me to go to /etc/...
0 votes, 1 answer, 4k views
connecting to a FTP by TLS fails from one client, but succeeds from the other
Trying to connect from client2 using the following string works:
client2@client2 curl -v --ssl -u 'user:password' ftp://www.example.com:21
* Rebuilt URL to: ftp://www.example.com:21/
* Trying 192....
0 votes, 0 answers, 2k views
Log Client Ciphersuite in HAProxy
We know of log configurations that can log negotiated cipher-suite info in successful connections.
But what we need to do is to log the client cipher-suite info that HAProxy gets hold of during TLS ...
3 votes, 1 answer, 6k views
Postfix 2.6.6 with TLS - unable to receive emails from GMail (and a couple of other MTAs) but others are OK, why?
I've just had to look at a CentOS 6 server running Postfix 2.6.6 which was able to send emails to everyone, but could not receive them from GMail (and a few other MTAs) due to incoming TLS negotiation ...
1 vote, 1 answer, 1k views
Websphere MQ 7.0.1-14 - able to add missing ssl cipher suites?
I have to connect to a MQ 9 QMGR, which does not allow the available Cipher Suites I can choose from in MQ Explorer that is part of my 7.0.1-14 installation (Linux x86_64).
Can I add the needed ...
1 vote, 2 answers, 2k views
Reclaim deleted space on SAN from thin provisioned LUN with zeros on Windows
Dear Data Storage Experts,
We are using a SAN attached thin-provisioned LUN on Physical Windows machine from a storage vendor. Storage chargeback is based on high watermark (deleted space not ...
3 votes, 3 answers, 28k views
Disabling weak protocols and ciphers in Centos with Apache
Can anyone help me determine what could be the reason I am still getting VA gaps from scanner for the following? My server hosts multiple web apps, but I am using the same settings for all virtual hosts....
0 votes, 2 answers, 211 views
Apache web server redirect unsupported ciphers to http?
We will be turning off support for browsers that only support TLS1.0
When we turn off support for TLS 1.0 on our web server can we redirect browsers that don't support TLS 1.1 or higher to a http ...
0 votes, 2 answers, 4k views
How to handle cipher suite mismatch between two servers
I have an IIS website running on two servers. One server is Windows Server 2016, the other Windows Server 2012. Under certain circumstances these two servers need to talk to each other.
The ...
1 vote, 0 answers, 832 views
Troubleshooting Cipher handshake issue
All right, so I have worked with our networking engineers and it just appears that nobody is able to figure this issue out and so I'm all out of options as I have attempted to Google research this issue ...
3 votes, 0 answers, 484 views
Apache TrafficServer as reverse proxy gives empty cipher list
I am trying to setup Apache Trafficserver as a reverse proxy.
(Debian Stretch, ATS 7.0.0 (also tried 7.1.2 from backports), openssl 1.1.0f)
Everything went fine so far, until I came across ...