Forum Discussion
fmalik
Nimbostratus
NimbostratusWeak Ciphers Removal
Hi, In order to get good grades we have been asked to remove weak ciphers in TLS 1.2 and also add TLS 1.3 in our Production environemnt. But we are affraid if removing weak ciphers make any imapct o...
I have used this for a very strong CIPHERS to mitigate many vulnerabilities, you can customize it according to your need:
[root@TEST-LAB-04:Active:In Sync] ~ # tmm --clientciphers 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES:@STRENGHT'
ID SUITE BITS PROT CIPHER MAC KEYX
0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 EDH/RSA
1: 159 DHE-RSA-AES256-GCM-SHA384 256 DTLS1.2 AES-GCM SHA384 EDH/RSA
2: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 EDH/RSA
3: 158 DHE-RSA-AES128-GCM-SHA256 128 DTLS1.2 AES-GCM SHA256 EDH/RSA
4: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
5: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 DTLS1.2 AES-GCM SHA384 ECDHE_RSA
6: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_RSA
7: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 DTLS1.2 AES-GCM SHA256 ECDHE_RSA
8: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 AES SHA256 EDH/RSA
9: 107 DHE-RSA-AES256-SHA256 256 DTLS1.2 AES SHA256 EDH/RSA
10: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 AES SHA256 EDH/RSA
11: 103 DHE-RSA-AES128-SHA256 128 DTLS1.2 AES SHA256 EDH/RSA
12: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_RSA
13: 49192 ECDHE-RSA-AES256-SHA384 256 DTLS1.2 AES SHA384 ECDHE_RSA
14: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_RSA
15: 49191 ECDHE-RSA-AES128-SHA256 128 DTLS1.2 AES SHA256 ECDHE_RSA
HTH
🙏