Forum Discussion
fmalik
Nimbostratus
NimbostratusWeak Ciphers Removal
Hi, In order to get good grades we have been asked to remove weak ciphers in TLS 1.2 and also add TLS 1.3 in our Production environemnt. But we are affraid if removing weak ciphers make any imapct o...
Kai_Wilke
MVP
MVPhi Fmalik,
The "required" Ciphers Spec could be rated as most secure with little down level support.
Slighly more compatible Chiper Specs may still add TLS_ECDHE_RSA_WITH_AES_X_CBC_SHA_X Ciphers for legacy clients, but placed at the very buttom of the Cipher List. The result will be still A+ rating (when combined with HSTS) but with added support for slightly older user-agents.
Below is a cipher spec I'm using on public sites where SSL-Labs rating and support for down-level clients is a concern. Its gets a straight A+ rating...
... and still supports many older user-agents (see below)
The user-agents which are not supported by this cipher spec are listed below...
Cheers, Kai