
Questions tagged [cipher]

The tag has no usage guidance.

5 votes
1 answer
2k views

How to disable AES128 in Apache?

I am using the following cipher, which I keep updating today, don't worry if there is any incompletion in it. Just help me disable AES128. SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:!AES128 It is ...
5 votes
1 answer
18k views

How can I disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher in Apache2?

In SSL labs, I got that I'm using this "weak cipher": TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Now in Apache, this is the set of suites I have enabled: SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:...
The Quantum Physicist's user avatar
3 votes
3 answers
27k views

Disabling weak protocols and ciphers in Centos with Apache

Can anyone help me determine what could be the reason I am still getting VA gaps from scanner for the following? My server hosts multiple web apps, but I am using the same settings for all virtual hosts....
Chyornaya Vdova's user avatar
3 votes
1 answer
6k views

Postfix 2.6.6 with TLS - unable to receive emails from GMail (and a couple of other MTAs) but others are OK, why?

I've just had to look at a CentOS 6 server running Postfix 2.6.6 which was able to send emails to everyone, but could not receive them from GMail (and a few other MTAs) due to incoming TLS negotiation ...
Chris Woods's user avatar
3 votes
1 answer
1k views

What dictates the available Cipher Suites in GlassFish and Payara?

I have the same version of Payara Server (4.1.1.154) running on two different machines. I do not have the same list of available cipher suites between the two. What determines the available cipher ...
Blegger's user avatar
  • 272
3 votes
0 answers
472 views

Apache TrafficServer as reverse proxy gives empty cipher list

I am trying to set up Apache Trafficserver as a reverse proxy. (Debian Stretch, ATS 7.0.0 (also tried 7.1.2 from backports), openssl 1.1.0f) Everything went fine so far, until I came across ...
chrikru's user avatar
  • 31
3 votes
0 answers
4k views

Scan Ciphers on FTPS port

I'm trying to remove RC4 ciphers per BEAST, but I'm having trouble verifying that there are ciphers available on my FTPS ports. NMAP returns the cert on the port, but doesn't say anything about the ...
Buzkie's user avatar
  • 205
2 votes
2 answers
14k views

How do I disable just one cipher out of OpenSSL TLSv1.3 list?

I use Nginx + Let's Encrypt with OpenSSL on my server. I wanted to use TLSv1.2 and TLSv1.3. But I wanted to use very specific SSL ciphers. Specifically: TLS_AES_256_GCM_SHA384 (TLSv1.3), ...
Hadi's user avatar
  • 21
2 votes
3 answers
10k views

Postfix not using TLS ciphers it is supposed to use

I can't receive emails from certain hosts because of a no shared cipher error: postfix/smtpd[15934]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:...
Finn's user avatar
  • 229
2 votes
1 answer
6k views

How To Disable Weak Cipher Suites Only For TLS 1.0 and 1.1 In Windows?

I want to disable some weak cipher suites in Windows but TLS 1.2 is not so vulnerable and I don't want to cause any other problem in the server, so I just want to disable them for TLS 1.0 and 1.1. ...
Sahin's user avatar
  • 119
2 votes
1 answer
12k views

How to disable TLS_AES_128_GCM_SHA256 (or, how to set TLSv1.3 ciphers) in postfix

I have the following in my TLS configuration, but the only problem I have is that TLS_AES_128_GCM_SHA256 is a 128 bit cipher, and I would like to remove it: smtpd_tls_eecdh_grade = ultra ...
2 votes
2 answers
11k views

Disable weak Cipher ubuntu 16

I have started security scanning my network and have issues with Ubuntu 16 and weak cipher suites. I think I found the sshd config. but everything I read on the TLS for apache tells me to go to /etc/...
Brill's user avatar
  • 45
2 votes
1 answer
3k views

How to disable TLS v1.1 in Nginx [closed]

It seems to be a straightforward configuration setting, but I cannot disable TLSv1.1. nginx.conf in /etc/nginx: ssl_protocols TLSv1.2; Domain configuration last_nginx.conf (changed via Plesk ...
user2723490's user avatar
2 votes
0 answers
501 views

DTLS Cipher Suites in Windows

I have a very specific question about DTLS and Windows that I can't seem to find on Google. At our company we recently decided to disable specific cipher suites for TLS and only allow the most secure ...
MasteOfDisaste's user avatar
1 vote
2 answers
5k views

TLS 1.2 with RSA vs ECDSA Ciphers

Microsoft has reported that it will only support TLS 1.2 with at least one of the following ciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ...
Jonathan Montgomery's user avatar
1 vote
3 answers
16k views

Missing cipher suites on Windows Server 2019

I am using a MEMCM Task Sequence to build servers running Windows Server 2019. So far, I build 22 servers with this OS. At the end of OSD, on 20 of them I have only 10 cipher suites available for use. ...
Tuttu's user avatar
  • 21
1 vote
1 answer
604 views

OpenConnect force clients to use special cipher

I use ocserv on Centos as Openconnect VPN and I use config file for setting up the server I need to force clients to use special cipher like AES-256-GCM because it seems that VPN blocks on some 4G net ...
Farhad Sakhaei's user avatar
1 vote
1 answer
8k views

Windows Server 2012 R2 - Adding Cipher

This might be a complete newbie question. I have a 2012 R2 Server on which an application should call a partner who only offers the following ciphers: (0xc02f) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ...
Moritz's user avatar
  • 43
1 vote
1 answer
695 views

Centos/Fedora cipher suites [closed]

I created a self signed certificate on my Fedora CLI server using the openssl command openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 100 From my understanding, ...
james b's user avatar
  • 11
1 vote
1 answer
257 views

How to **keep** my SSLCipherSuite list for my LAMP stack current?

I have been running several LAMP servers for 5+ years with Let's Encrypt certs. Today, I did the SSL test by Qualys https://www.ssllabs.com/ssltest/index.html to learn that I had lost my coveted A+ ...
wruckie's user avatar
  • 697
1 vote
1 answer
4k views

ssh sftp which cipher is used

On a Debian shell I can connect to a sftp by: ( connection established, I see the sftp prompt ) sftp -i /keys/mykey [email protected] I want to change to sftp -oCiphers=aes256-ctr -i /keys/mykey [email protected]....
FatFreddy's user avatar
  • 125
1 vote
2 answers
6k views

How To Add Additional Cipher Suites to A Java Application Server?

I'm running into a bit of a pickle with a call to a third-party API from a java application. The external API requires at least one of the following ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ...
pbuchheit's user avatar
  • 171
1 vote
1 answer
1k views

How to avoid use of medium strength ciphers in WAS liberty server with openJDK 1.8

Good day, I have an IBM WAS liberty server, which is placed under OS redhat linux, with openjdk version 1.8.0_242. I receive a pentest report that complains about this server is using medium strength ...
Panadol Chong's user avatar
1 vote
1 answer
611 views

Missing openssl cipher-algorithms on specific VMs/Hoster

I'm trying to use AES-128-CBC-HMAC-SHA256 but this cipher-algorithm isn't available on a VM on a specific hosting provider. The OS, installed packages, Kernel, openssl version, and the like are the ...
Erik's user avatar
  • 13
1 vote
2 answers
2k views

Reclaim deleted space on SAN from thin provisioned LUN with zeros on Windows

Dear Data Storage Experts, We are using a SAN attached thin-provisioned LUN on Physical Windows machine from a storage vendor. Storage chargeback is based on high watermark (deleted space not ...
Makhu's user avatar
  • 45
1 vote
1 answer
2k views

Adding Ciphers to Server 2012 R2

I need to add the following Ciphers to my server: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 I found the following article: https://docs.microsoft.com/en-us/windows-...
JustAGuy's user avatar
  • 649
1 vote
0 answers
313 views

Are there any Operating Systems or Browsers that still depend on having these Ciphers enabled?

Doing a little Cryptography Research and hit a case of conflicting data so wanted to try here. I'm running a Web Service and currently support these 2 Ciphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0X9F)...
Adamski2505's user avatar
1 vote
0 answers
1k views

SSL Cipher Suites in nginx do not match SSL Labs

I am trying to install this plugin on Wordpress which fails to communicate with my server, and the plugin developer says it's because my cipher suites don't match their requirement. https://www....
Jamie Sutton's user avatar
1 vote
1 answer
146 views

SSLCipherSuite - more precise definition, need only strong ciphers

The Apache documentation of SSLCipherSuite seems a little vague and the examples I found on the web make it much worse. I see a lot of references to "all", long lists of specific ciphers and lots of "...
Senior Geek's user avatar
1 vote
1 answer
1k views

Websphere MQ 7.0.1-14 - able to add missing ssl cipher suites?

I have to connect to a MQ 9 QMGR, which does not allow the available Cipher Suites I can choose from in MQ Explorer that is part of my 7.0.1-14 installation (Linux x86_64). Can I add the needed ...
sebkoe's user avatar
  • 47
1 vote
0 answers
745 views

Troubleshooting Cipher handshake issue

All right, so I have worked with our networking engineers and it just appears that nobody is able to figure this issue out and so I'm all out of options as I have attempted to Google research this issue ...
Ryan Wakefield's user avatar
1 vote
1 answer
688 views

Best practice: Wowza SSL Configuration

Screenshot: Server with Wowza running using a SSL certificate with basis configuration I get this result from the SSLLabs with the default configuration (see screenshot). The only places I can change ...
Thomas Ebert's user avatar
1 vote
1 answer
458 views

RHEL ports not using same cipher

[UPDATE] I ran the openssl command from a couple servers and my local machine. It seems like port 9443 is not remaining consistent. The cipher on server1:9443 remained the same from the first server (...
Ian's user avatar
  • 71
1 vote
0 answers
527 views

Configure VPN ciphers on Mac OS Server

I'm trying to harden the L2TP/IPSec VPN on an El Capitan server. All the resources I can find either just walk you through the basic setup (adding a shared key, etc.) or are for third-party servers. ...
CBHacking's user avatar
  • 221
1 vote
1 answer
528 views

Adobe ExtendScript http request fails: no shared cipher

For my Adobe CEP project I try to call to a REST API over https from the Javascript side: var xmlhttp = new XMLHttpRequest(); xmlhttp.open('GET', 'https://***/api/books', true); xmlhttp....
Jens's user avatar
  • 121
1 vote
0 answers
90 views

What is the correct way to secure a user directory with EFS not in a domain network?

Logged in as an administrator on a Windows 10 machine. cipher /E /A /S:C:\Users\MYUSER or cipher /E C:\Users\MYUSER I've read and been told that the bottom one is the correct way. End result: ...
user3287817's user avatar
0 votes
1 answer
3k views

Disabling the AES cipher suites without ECDHE key exchange algorithm

Currently, we are having below cipher suites used in our platform. AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA Post ...
chandu's user avatar
  • 3
0 votes
1 answer
2k views

Disable SHA1 now Firefox won't work

I've been tasked to get our site into PCI compliance by disabling SHA1 on the server. I am accomplishing this by using IIS Crypto 2.0. We decided to also go with just TLS 1.2. The specific problem I ...
scripter78's user avatar
0 votes
2 answers
208 views

Apache web server redirect unsupported ciphers to http?

We will be turning off support for browsers that only support TLS1.0. When we turn off support for TLS 1.0 on our web server can we redirect browsers that don't support TLS 1.1 or higher to a http ...
Curious User's user avatar
0 votes
1 answer
3k views

Forward secrecy support?

Is it possible to amend the SSL ciphers to support forward secrecy on my CentOS server running Apache 2.4? I currently have the following cipher setup: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-...
Liam McArthur's user avatar
0 votes
3 answers
285 views

How to list all HTTP Cyphers a client supports

I have a HTTPS client (a GSM modem) where I need to know the supported ciphers to configure my nginx. But the requests just fail and are not even listed in my nginx log. Is there a simple way to ...
Tarion's user avatar
  • 113
0 votes
1 answer
850 views

Disable TLSv1.0 and TLSv1.1 when generating certificates using openssl 1.1.1

I am struggling to implement a feature for my certificates. I am generating my certificates with OPENSSL 1.1.1. I want to allow only TLSv1.2 and TLSv1.3. The other protocols should not be possible (...
gboltonrp's user avatar
0 votes
1 answer
956 views

HaProxy - Does prefer-client-ciphers mean the client can choose a cipher not supported by a server?

Considering a setup like this: global # intermediate configuration ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-...
KoenDG's user avatar
  • 147
0 votes
2 answers
491 views

How to get Cipher details from .ppk file

Is it possible to get the Cipher name from .ppk file? For e.g. name like TLS-CHACHA20-POLY1305-SHA256 or ECDHE-ECDSA-AES256-GCM-SHA384 Edit: Based on the responses in answers and comments, it seems I ...
404's user avatar
  • 103
0 votes
1 answer
7k views

Should I configure Ciphersuites on openssl after setting MinProtocol and CipherString?

Current OpenSSL version OpenSSL 1.1.1d 10 Sep 2019 (Library: OpenSSL 1.1.1g 21 Apr 2020) Current openssl.cnf configuration At the top of the file openssl_conf = default_conf At the bottom of the ...
Elvex's user avatar
  • 227
0 votes
1 answer
3k views

connecting to a FTP by TLS fails from one client, but succeeds from the other

Trying to connect from client2 using the following string works: client2@client2 curl -v --ssl -u 'user:password' ftp://www.example.com:21 * Rebuilt URL to: ftp://www.example.com:21/ * Trying 192....
catalin's user avatar
  • 115
0 votes
2 answers
5k views

Windows, IIS, Remote Desktop: after disabling insecure ciphers for ssl, I cannot login with remote desktop [closed]

In the process of setting up an HTTPS website and in the best practices of it, firstly I disabled ssl v3 (no problem with that) and then I disabled older insecure ciphers and only enabled: ...
MirrorMirror's user avatar
0 votes
1 answer
2k views

Ubuntu Key Exchange Algo

I am trying to test the connectivity to several network devices, with Ansible installed on Ubuntu 20.04.2 LTS, using ansible ad-hoc. The problem: SSH is not working as the device's key exchange method ...
Omera's user avatar
  • 15
0 votes
2 answers
4k views

How to handle cipher suite mismatch between two servers

I have an IIS website running on two servers. One server is Windows Server 2016, the other Windows Server 2012. Under certain circumstances these two servers need to talk to each other. The ...
Vincent's user avatar
  • 818
0 votes
1 answer
299 views

Ciphersuite Priority And Handshake

I ran a program called cipherscan, against 2 servers that communicate with each other via TLS. Cipherscan prints details about each server's TLS capabilities. Given the data, I'm wondering how to ...
Special Monkey's user avatar