Questions tagged [cipher]
The cipher tag has no usage guidance.
72 questions
5 votes, 1 answer, 2k views
How to disable AES128 in Apache?
I am using the following cipher, which I keep updating today, don't worry if there is any incompletion in it. Just help me disable AES128.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:!AES128
It is ...
5 votes, 1 answer, 18k views
How can I disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher in Apache2?
In SSL labs, I got that I'm using this "weak cipher":
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Now in Apache, this is the set of suites I have enabled:
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:...
3 votes, 3 answers, 27k views
Disabling weak protocols and ciphers in Centos with Apache
Can anyone help me determine what could be the reason I am still getting VA gaps from scanner for the following? My server hosts multiple web apps, but I am using the same settings for all virtual hosts....
3 votes, 1 answer, 6k views
Postfix 2.6.6 with TLS - unable to receive emails from GMail (and a couple of other MTAs) but others are OK, why?
I've just had to look at a CentOS 6 server running Postfix 2.6.6 which was able to send emails to everyone, but could not receive them from GMail (and a few other MTAs) due to incoming TLS negotiation ...
3 votes, 1 answer, 1k views
What dictates the available Cipher Suites in GlassFish and Payara?
I have the same version of Payara Server (4.1.1.154) running on two different machines. I do not have the same list of available cipher suites between the two. What determines the available cipher ...
3 votes, 0 answers, 472 views
Apache TrafficServer as reverse proxy gives empty cipher list
I am trying to set up Apache Trafficserver as a reverse proxy.
(Debian Stretch, ATS 7.0.0 (also tried 7.1.2 from backports), openssl 1.1.0f)
Everything went fine so far, until I came across ...
3 votes, 0 answers, 4k views
Scan Ciphers on FTPS port
I'm trying to remove RC4 ciphers per BEAST, but I'm having trouble verifying that there are ciphers available on my FTPS ports. NMAP returns the cert on the port, but doesn't say anything about the ...
2 votes, 2 answers, 14k views
How do I disable just one cipher out of OpenSSL TLSv1.3 list?
I use Nginx + Let's Encrypt with OpenSSL on my server. I wanted to use TLSv1.2 and TLSv1.3. But I wanted to use very specific SSL ciphers. Specifically:
TLS_AES_256_GCM_SHA384 (TLSv1.3),
...
2 votes, 3 answers, 10k views
Postfix not using TLS ciphers it is supposed to use
I can't receive emails from certain hosts because of a no shared cipher error:
postfix/smtpd[15934]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:...
2 votes, 1 answer, 6k views
How To Disable Weak Cipher Suites Only For TLS 1.0 and 1.1 In Windows?
I want to disable some weak cipher suites in Windows but TLS 1.2 is not so vulnerable and I don't want to cause any other problem in the server, so I just want to disable them for TLS 1.0 and 1.1.
...
2 votes, 1 answer, 12k views
How to disable TLS_AES_128_GCM_SHA256 (or, how to set TLSv1.3 ciphers) in postfix
I have the following in my TLS configuration, but the only problem I have is that TLS_AES_128_GCM_SHA256 is a 128 bit cipher, and I would like to remove it:
smtpd_tls_eecdh_grade = ultra
...
2 votes, 2 answers, 11k views
Disable weak Cipher ubuntu 16
I have started security scanning my network and have issues with Ubuntu 16 and weak cipher suites. I think I found the sshd config. but everything I read on the TLS for apache tells me to go to /etc/...
2 votes, 1 answer, 3k views
How to disable TLS v1.1 in Nginx [closed]
It seems to be a straightforward configuration setting, but I cannot disable TLSv1.1.
nginx.conf in /etc/nginx:
ssl_protocols TLSv1.2;
Domain configuration last_nginx.conf (changed via Plesk ...
2 votes, 0 answers, 501 views
DTLS Cipher Suites in Windows
I have a very specific question about DTLS and Windows that I can't seem to find on Google. At our company we recently decided to disable specific cipher suites for TLS and only allow the most secure ...
1 vote, 2 answers, 5k views
TLS 1.2 with RSA vs ECDSA Ciphers
Microsoft has reported that it will only support TLS 1.2 with at least one of the following ciphers:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...
1 vote, 3 answers, 16k views
Missing cipher suites on Windows Server 2019
I am using a MEMCM Task Sequence to build servers running Windows Server 2019. So far, I have built 22 servers with this OS. At the end of OSD, on 20 of them I have only 10 cipher suites available for use.
...
1 vote, 1 answer, 604 views
OpenConnect force clients to use special cipher
I use ocserv on Centos as Openconnect VPN and I use config file for setting up the server
I need to force clients to use special cipher like AES-256-GCM
because it seems that VPN blocks on some 4G net ...
1 vote, 1 answer, 8k views
Windows Server 2012 R2 - Adding Cipher
This might be a complete newbie question.
I have a 2012 R2 Server on which an application should call a partner who only offers the following ciphers:
(0xc02f) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ...
1 vote, 1 answer, 695 views
Centos/Fedora cipher suites [closed]
I created a self signed certificate on my Fedora CLI server using the openssl command
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 100
From my understanding, ...
1 vote, 1 answer, 257 views
How to **keep** my SSLCipherSuite list for my LAMP stack current?
I have been running several LAMP servers for 5+ years with Let's Encrypt certs.
Today, I did the SSL test by Qualys https://www.ssllabs.com/ssltest/index.html to learn that I had lost my coveted A+ ...
1 vote, 1 answer, 4k views
ssh sftp which cipher is used
On a Debian shell I can connect to an sftp by: (connection established, I see the sftp prompt)
sftp -i /keys/mykey [email protected]
I want to change to
sftp -oCiphers=aes256-ctr -i /keys/mykey [email protected]....
1 vote, 2 answers, 6k views
How To Add Additional Cipher Suites to A Java Application Server?
I'm running into a bit of a pickle with a call to a third-party API from a java application. The external API requires at least one of the following ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
...
1 vote, 1 answer, 1k views
How to avoid use of medium strength ciphers in WAS liberty server with openJDK 1.8
Good day,
I have an IBM WAS liberty server, which is placed under OS redhat linux, with openjdk version 1.8.0_242.
I receive a pentest report that complains about this server using medium strength ...
1 vote, 1 answer, 611 views
Missing openssl cipher-algorithms on specific VMs/Hoster
I'm trying to use AES-128-CBC-HMAC-SHA256 but this cipher-algorithm isn't available on a VM on a specific hosting provider.
The OS, installed packages, Kernel, openssl version, and the like are the ...
1 vote, 2 answers, 2k views
Reclaim deleted space on SAN from thin provisioned LUN with zeros on Windows
Dear Data Storage Experts,
We are using a SAN attached thin-provisioned LUN on Physical Windows machine from a storage vendor. Storage chargeback is based on high watermark (deleted space not ...
1 vote, 1 answer, 2k views
Adding Ciphers to Server 2012 R2
I need to add the following Ciphers to my server:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
I found the following article:
https://docs.microsoft.com/en-us/windows-...
1 vote, 0 answers, 313 views
Are there any Operating Systems or Browsers that still depend on having these Ciphers enabled?
Doing a little Cryptography Research and hit a case of conflicting data so wanted to try here.
I'm running a Web Service and currently support these 2 Ciphers:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0X9F)...
1 vote, 0 answers, 1k views
SSL Cipher Suites in nginx do not match SSL Labs
I am trying to install this plugin on Wordpress which fails to communicate with my server, and the plugin developer says it's because my cipher suites don't match their requirement. https://www....
1 vote, 1 answer, 146 views
SSLCipherSuite - more precise definition, need only strong ciphers
The Apache documentation of SSLCipherSuite seems a little vague and the examples I found on the web make it much worse. I see a lot of references to "all", long lists of specific ciphers and lots of "...
1 vote, 1 answer, 1k views
Websphere MQ 7.0.1-14 - able to add missing ssl cipher suites?
I have to connect to a MQ 9 QMGR, which does not allow the available Cipher Suites I can choose from in MQ Explorer that is part of my 7.0.1-14 installation (Linux x86_64).
Can I add the needed ...
1 vote, 0 answers, 745 views
Troubleshooting Cipher handshake issue
All right, so I have worked with our networking engineers and it just appears that nobody is able to figure this issue out and so I'm all out of options as I have attempted to Google research this issue ...
1 vote, 1 answer, 688 views
Best practice: Wowza SSL Configuration
Screenshot: Server with Wowza running using a SSL certificate with basis configuration
I get this result from the SSLLabs with the default configuration (see screenshot). The only places I can change ...
1 vote, 1 answer, 458 views
RHEL ports not using same cipher
[UPDATE]
I ran the openssl command from a couple servers and my local machine. It seems like port 9443 is not remaining consistent. The cipher on server1:9443 remained the same from the first server (...
1 vote, 0 answers, 527 views
Configure VPN ciphers on Mac OS Server
I'm trying to harden the L2TP/IPSec VPN on an El Capitan server. All the resources I can find either just walk you through the basic setup (adding a shared key, etc.) or are for third-party servers. ...
1 vote, 1 answer, 528 views
Adobe ExtendScript http request fails: no shared cipher
For my Adobe CEP project I try to call to a REST API over https from the Javascript side:
var xmlhttp = new XMLHttpRequest();
xmlhttp.open('GET', 'https://***/api/books', true);
xmlhttp....
1 vote, 0 answers, 90 views
What is the correct way to secure a user directory with EFS not in a domain network?
Logged in as an administrator on a Windows 10 machine.
cipher /E /A /S:C:\Users\MYUSER
or
cipher /E C:\Users\MYUSER
I've read and been told that the bottom one is the correct way.
End result: ...
0 votes, 1 answer, 3k views
Disabling the AES cipher suites without ECDHE key exchange algorithm
Currently, we are having below cipher suites used in our platform.
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
Post ...
0 votes, 1 answer, 2k views
Disable SHA1 now Firefox won't work
I've been tasked to get our site into PCI compliance by disabling SHA1 on the server. I am accomplishing this by using IIS Crypto 2.0. We decided to also go with just TLS 1.2. The specific problem I ...
0 votes, 2 answers, 208 views
Apache web server redirect unsupported ciphers to http?
We will be turning off support for browsers that only support TLS1.0
When we turn off support for TLS 1.0 on our web server can we redirect browsers that don't support TLS 1.1 or higher to a http ...
0 votes, 1 answer, 3k views
Forward secrecy support?
Is it possible to amend the SSL ciphers to support forward secrecy on my CentOS server running Apache 2.4? I currently have the following cipher setup:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-...
0 votes, 3 answers, 285 views
How to list all HTTP Cyphers a client supports
I have a HTTPS client (a GSM modem) where I need to know the supported ciphers to configure my nginx. But the requests just fail and are not even listed in my nginx log.
Is there a simple way to ...
0 votes, 1 answer, 850 views
Disable TLSv1.0 and TLSv1.1 when generating certificates using openssl 1.1.1
I am struggling to implement a feature for my certificates. I am generating my certificates with OPENSSL 1.1.1.
I want to allow only TLSv1.2 and TLSv1.3. The other protocols should not be possible (...
0 votes, 1 answer, 956 views
HaProxy - Does prefer-client-ciphers mean the client can choose a cipher not supported by a server?
Considering a setup like this:
global
# intermediate configuration
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-...
0 votes, 2 answers, 491 views
How to get Cipher details from .ppk file
Is it possible to get the Cipher name from .ppk file?
For e.g. name like TLS-CHACHA20-POLY1305-SHA256 or ECDHE-ECDSA-AES256-GCM-SHA384
Edit: Based on the responses in answers and comments, it seems I ...
0 votes, 1 answer, 7k views
Should I configure Ciphersuites on openssl after setting MinProtocol and CipherString?
Current OpenSSL version
OpenSSL 1.1.1d 10 Sep 2019 (Library: OpenSSL 1.1.1g 21 Apr 2020)
Current openssl.cnf configuration
At the top of the file
openssl_conf = default_conf
At the bottom of the ...
0 votes, 1 answer, 3k views
connecting to a FTP by TLS fails from one client, but succeeds from the other
Trying to connect from client2 using the following string works:
client2@client2 curl -v --ssl -u 'user:password' ftp://www.example.com:21
* Rebuilt URL to: ftp://www.example.com:21/
* Trying 192....
0 votes, 2 answers, 5k views
Windows, IIS, Remote Desktop: after disabling insecure ciphers for ssl, I cannot login with remote desktop [closed]
In the process of setting up an HTTPS website and in the best practices of it, firstly I disabled ssl v3 (no problem with that) and then I disabled older insecure ciphers and only enabled:
...
0 votes, 1 answer, 2k views
Ubuntu Key Exchange Algo
I am trying to test the connectivity to several network devices, with Ansible installed on Ubuntu 20.04.2 LTS, using ansible ad-hoc.
The problem:
SSH is not working as the device's key exchange method ...
0 votes, 2 answers, 4k views
How to handle cipher suite mismatch between two servers
I have an IIS website running on two servers. One server is Windows Server 2016, the other Windows Server 2012. Under certain circumstances these two servers need to talk to each other.
The ...
0 votes, 1 answer, 299 views
Ciphersuite Priority And Handshake
I ran a program called cipherscan, against 2 servers that communicate with each other via TLS.
Cipherscan prints details about each server's TLS capabilities. Given the data, I'm wondering how to ...