We're running an Ubuntu VM on Azure and a pen test has said that the CBC ciphers are now obsolete and should not be used. I've updated my nginx config but the SSL labs test is claiming that they are still there.

SSL Labs screenshot

My nginx config, where the only ciphers showing are the ones that are green in the screenshot

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    server_tokens off;
    ssl_ecdh_curve secp521r1:secp384r1;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

Why would SSL Labs still be claiming that the site has the weak CBC ciphers available?

  • Try ssl-config.mozilla.org Commented Jul 1 at 12:28
  • Are you sure that you actually measure what you have configured? Possible reasons why this might not be the case: server not restarted after reconfigure, TLS settings in other parts of the config (default config, other virtual hosts), reverse proxy in front of your server so that you measure this reverse proxy, ... Commented Jul 1 at 13:15
  • @SteffenUllrich the domain is managed and proxied through Cloudflare, so it may be their server that's being measured rather than ours. Commented Jul 1 at 14:20
  • @DavidKelly: Correct. If Cloudflare is in front of it, it will terminate the TLS traffic. Therefore you measure Cloudflare. Commented Jul 1 at 15:07
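An added example (not code from the asker or the commenters) that checks the two things this thread turns on: whether the `ssl_ciphers` string from the question enables any CBC suite once OpenSSL expands it, and whether the endpoint SSL Labs reaches (the Cloudflare edge behind the public hostname) answers a CBC-only handshake differently from the Azure origin contacted by IP with the same SNI. `example.com` and `ORIGIN_IP` are placeholders, and the `TLS13-*` tokens are left out of the expansion because they are BoringSSL-style names that OpenSSL's cipher-string parser does not use (OpenSSL configures TLS 1.3 suites separately); only the expansion runs offline, the probes need network access.

```python
"""Added example: does the configured cipher string enable CBC, and which
endpoint is really terminating TLS? Not part of the original question.

Hypothetical values: the public hostname example.com and the origin's
address ORIGIN_IP (a placeholder to replace before running).
"""
import socket
import ssl

# TLS 1.2 part of the ssl_ciphers list from the question. The TLS13-* tokens
# are BoringSSL-style names; OpenSSL builds configure TLS 1.3 suites
# separately, so they are omitted from this OpenSSL cipher-string expansion.
QUESTION_TLS12_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256"
)

# Constructed sample of CBC suites of the kind SSL Labs marks as weak.
SAMPLE_CBC_SUITES = "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES128-SHA"


def expand(cipher_string):
    """Expand an OpenSSL cipher string the way nginx's ssl_ciphers does
    (SSL_CTX_set_cipher_list) and return OpenSSL's per-suite metadata."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists the TLS 1.3 suites; they are AEAD, so
    # is_cbc() filters them out.
    return ctx.get_ciphers()


def is_cbc(suite):
    """True for a CBC-mode suite. OpenSSL names the symmetric cipher
    e.g. 'aes-128-cbc', and no CBC suite is AEAD."""
    symmetric = (suite.get("symmetric") or "").lower()
    return "cbc" in symmetric or not suite.get("aead", False)


def cbc_members(cipher_string):
    """Names of the CBC suites a cipher string actually enables."""
    return [s["name"] for s in expand(cipher_string) if is_cbc(s)]


def probe(address, servername, cipher_string, port=443, timeout=5):
    """Offer only `cipher_string` over TLS 1.2 (CBC suites do not exist in
    TLS 1.3) to `address`, sending `servername` as SNI.
    Returns the negotiated suite name, or None if the server refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    # Certificate validity is not the question here; we only ask whether the
    # server will negotiate these suites, and an origin behind Cloudflare may
    # present an origin certificate that a browser would not trust anyway.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                return tls.cipher()[0]
    except OSError:  # ssl.SSLError (handshake alert) is a subclass of OSError
        return None


def compare_edge_and_origin(hostname, origin_ip, cipher_string=SAMPLE_CBC_SUITES):
    """Probe the public name (which resolves to the CDN edge when the zone is
    proxied) and the origin IP directly, with the same SNI, so a difference
    between the two answers shows which server SSL Labs is grading."""
    return {
        "edge": probe(hostname, hostname, cipher_string),
        "origin": probe(origin_ip, hostname, cipher_string),
    }


if __name__ == "__main__":
    print("CBC suites enabled by the question's ssl_ciphers:",
          cbc_members(QUESTION_TLS12_CIPHERS) or "none")
    # Hypothetical values; replace before running against a real deployment.
    for where, suite in compare_edge_and_origin("example.com", "ORIGIN_IP").items():
        print(f"{where}: {'accepted ' + suite if suite else 'CBC refused'}")
```

If `edge` reports an accepted CBC suite while `origin` returns None, the scanner is grading Cloudflare's TLS settings rather than the nginx configuration, which is the situation the comments describe; the cipher set the edge offers is then controlled from the Cloudflare side, not from `ssl_ciphers`.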
