
weak cryptographic method #9

Open
ricki-z opened this issue Apr 22, 2016 · 9 comments

ricki-z commented Apr 22, 2016

Result of the test for madavi.de (HTTP)
"… bieten schwache kryptografische Verfahren an (z.B. RC4, 56 Bit, ...)";"1 (100%)";"1 (100%)"
but I can't find a weak cipher in the following lists:

;;;;;"Supported CipherSuites";"All supported CipherSuites by this server";set;1;;;;;"ECDHE_RSA_WITH_AES_128_CBC_SHA256 => 1, ECDHE_RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_128_CBC_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA256 => 1, DHE_RSA_WITH_AES_256_CBC_SHA256 => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA384 => 1, DHE_RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_128_CBC_SHA256 => 1, DHE_RSA_WITH_AES_256_GCM_SHA384 => 1, ECDHE_RSA_WITH_AES_128_GCM_SHA256 => 1, ECDHE_RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_128_CBC_SHA => 1, DHE_RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_3DES_EDE_CBC_SHA => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA => 1"
;;;;;"Supported CipherSuites";"All supported CipherSuites by this server";set;1;;;;;"ECDHE_RSA_WITH_AES_128_CBC_SHA256 => 1, ECDHE_RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_128_CBC_SHA256 => 1, DHE_RSA_WITH_AES_128_GCM_SHA256 => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA384 => 1, RSA_WITH_AES_256_CBC_SHA256 => 1, DHE_RSA_WITH_AES_256_CBC_SHA256 => 1, DHE_RSA_WITH_AES_256_GCM_SHA384 => 1, RSA_WITH_AES_128_CBC_SHA256 => 1, ECDHE_RSA_WITH_AES_128_CBC_SHA => 1, ECDHE_RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_128_CBC_SHA => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA => 1, DHE_RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_3DES_EDE_CBC_SHA => 1"
;;;;;"Supported CipherSuites";"All supported CipherSuites by this server";set;1;;;;;"DHE_RSA_WITH_AES_128_CBC_SHA256 => 1, RSA_WITH_AES_128_CBC_SHA => 1, DHE_RSA_WITH_3DES_EDE_CBC_SHA => 1, DHE_RSA_WITH_AES_256_GCM_SHA384 => 1, RSA_WITH_3DES_EDE_CBC_SHA => 1, DHE_RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_AES_128_CBC_SHA256 => 1, DHE_RSA_WITH_AES_128_GCM_SHA256 => 1, DHE_RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_256_CBC_SHA256 => 1, RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_AES_256_CBC_SHA256 => 1"
;;;;;"Supported CipherSuites";"All supported CipherSuites by this server";set;1;;;;;"RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_3DES_EDE_CBC_SHA => 1, DHE_RSA_WITH_AES_256_CBC_SHA => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA => 1, ECDHE_RSA_WITH_AES_128_GCM_SHA256 => 1, ECDHE_RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_256_CBC_SHA256 => 1, DHE_RSA_WITH_AES_256_CBC_SHA256 => 1, DHE_RSA_WITH_AES_128_GCM_SHA256 => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA384 => 1, RSA_WITH_AES_128_CBC_SHA256 => 1, DHE_RSA_WITH_AES_256_GCM_SHA384 => 1, ECDHE_RSA_WITH_AES_256_GCM_SHA384 => 1, ECDHE_RSA_WITH_AES_128_CBC_SHA256 => 1, DHE_RSA_WITH_AES_128_CBC_SHA256 => 1"
;;;;;"Supported CipherSuites";"All supported CipherSuites by this server";set;1;;;;;"DHE_RSA_WITH_AES_256_GCM_SHA384 => 1, RSA_WITH_AES_128_CBC_SHA256 => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA384 => 1, DHE_RSA_WITH_AES_128_GCM_SHA256 => 1, DHE_RSA_WITH_AES_256_CBC_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA256 => 1, DHE_RSA_WITH_AES_128_CBC_SHA256 => 1, ECDHE_RSA_WITH_AES_256_GCM_SHA384 => 1, ECDHE_RSA_WITH_AES_128_CBC_SHA256 => 1, ECDHE_RSA_WITH_AES_256_CBC_SHA => 1, DHE_RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_3DES_EDE_CBC_SHA => 1, RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_AES_128_CBC_SHA => 1, ECDHE_RSA_WITH_AES_128_CBC_SHA => 1, ECDHE_RSA_WITH_AES_128_GCM_SHA256 => 1"
;;;;;"Supported CipherSuites";"All supported CipherSuites by this server";set;1;;;;;"DHE_RSA_WITH_AES_128_CBC_SHA256 => 1, RSA_WITH_AES_128_CBC_SHA => 1, DHE_RSA_WITH_3DES_EDE_CBC_SHA => 1, DHE_RSA_WITH_AES_256_GCM_SHA384 => 1, RSA_WITH_3DES_EDE_CBC_SHA => 1, RSA_WITH_AES_128_CBC_SHA256 => 1, DHE_RSA_WITH_AES_256_CBC_SHA => 1, DHE_RSA_WITH_AES_128_GCM_SHA256 => 1, DHE_RSA_WITH_AES_128_CBC_SHA => 1, RSA_WITH_AES_256_GCM_SHA384 => 1, DHE_RSA_WITH_AES_256_CBC_SHA256 => 1, RSA_WITH_AES_128_GCM_SHA256 => 1, RSA_WITH_AES_256_CBC_SHA => 1, RSA_WITH_AES_256_CBC_SHA256 => 1"

There are 3DES ciphers in the list for PCI compliance. Are these treated as weak (string contains DES)?
The test on ssllabs.com gives an "A+".

@alvar-freude (Member):

I think this is because of the CBC cipher suites, e.g. RSA_WITH_AES_128_CBC_SHA; they are vulnerable to the BEAST attack. See the comment with link in GetServerProperties.pm, line 275ff.

Because BEAST is not a major issue anymore, since most clients nowadays are protected against it, this might be changed from weak to medium. But depending on the client it might still be an issue.

You can use check_ciphers_single_domains.pl (bin/check_ciphers_single_domains.pl) to get an overview of a single domain, including detected weak/very weak ciphers. But this script does not print everything that got checked.

I recommend using the config from Bettercrypto with their default list B for typical servers. The CBC cipher suites are not enabled there, but others are, so you get compatibility with old browsers (e.g. Android).

ricki-z commented Apr 22, 2016

Please look at Bettercrypto Config A (strong ciphers, fewer clients), list of ciphers:

DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(256) AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256)(CBC) SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(256) AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256)(CBC) SHA384

2 out of 4 ciphers are CBC ciphers.

Config B (better compatibility) will result in ciphers which are known to be vulnerable to the BEAST attack. This is (and was) the config I'm using on my server.
OpenSSL version is 1.0.2g. Result of openssl ciphers -v 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA':

DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

So I can choose between a good result in your test (and the IHK study) and no visitors or a config that is working with "common" browsers.

ricki-z commented Apr 22, 2016

Please look at https://www.ssllabs.com/ssltest/analyze.html?d=bettercrypto.org.

Even the config of bettercrypto.org uses TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, which is a weak cipher according to the comment in GetServerProperties.pm.

ricki-z commented Apr 22, 2016

Output of bin/check_ciphers_single_domains.pl bettercrypto.org:
Summary for bettercrypto.org
Supported Cipher Suites at Host bettercrypto.org:
0x0045 DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0x0033 DHE_RSA_WITH_AES_128_CBC_SHA
0x002F RSA_WITH_AES_128_CBC_SHA
0x009E DHE_RSA_WITH_AES_128_GCM_SHA256
0x0067 DHE_RSA_WITH_AES_128_CBC_SHA256
Supports TLSv1
Supports TLSv1.1
Supports TLSv1.2
Supports at least one Bettercrypto B Cipher Suite
Supports at least one BSI TR-02102-2 Cipher Suite with PFS
Supports at least one BSI TR-02102-2 Cipher Suite with or without PFS
Supports only Bettercrypto B Cipher Suites
Supports no weak or medium Cipher Suites, only high or unknown
Cipher Suite used by Firefox: ECDHE_RSA_WITH_AES_128_GCM_SHA256
Cipher Suite used by Safari: DHE_RSA_WITH_AES_128_CBC_SHA256
Cipher Suite used by Chrome: DHE_RSA_WITH_AES_128_GCM_SHA256
Cipher Suite used by Win 7 (IE 8): ECDHE_RSA_WITH_AES_128_CBC_SHA
Cipher Suite used by Win 10 (IE 11): DHE_RSA_WITH_AES_128_GCM_SHA256
Overall Score for this Host: 265

ECDHE_RSA_WITH_AES_128_CBC_SHA is not listed under "Supported cipher suites", but 'used' by Win 7 (IE 8). If that cipher can be chosen, it should be listed under "Supported cipher suites", as in the test at ssllabs.com. But then the result would be that this host supports weak ciphers.

@alvar-freude (Member):

That is really strange and looks like the ECDHE suites are not recognized in the list, but are when checking the browser compatibility.
Thanks for the report, I'll have to analyze this – but not today ;-)

@alvar-freude alvar-freude self-assigned this Apr 24, 2016
@alvar-freude (Member):

Now I have analyzed this issue.

CBC Cipher suites Weak?

The first one is the question how to handle CBC cipher suites.

As mentioned, CBC-Cipher-Suites are affected by the BEAST vulnerability – but not all. Only CBC-SHA, not CBC-SHA-256 or CBC-SHA-384.

TLS-Check took these ratings from O-Saft; they are listed in Net::SSL::CipherSuites (you have to scroll right, because of the long lines!)

As mentioned above and in GetServerProperties.pm, this should be revised. All Scorings should be revised.

The problem with scoring is that different scores may be right – depending on the point of view. Therefore the idea is to have pluggable scorings, so that they can be changed by the user. The focus of TLS-Check was that we get summaries, but for individual results this becomes more important.
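A rule set that applies the distinction made above, as an added example in Python (not TLS-Check's own Perl code): only CBC suites with a SHA-1 MAC are treated as BEAST-affected, CBC-SHA256/SHA384 and AEAD suites are not, and the rating given to the BEAST-affected suites is pluggable, so the weak-versus-medium question can be settled per user. The policy names, the separate "medium" rating for 3DES and the ORDER ranking are assumptions of this example.

```python
import re

# Ratings from best to worst; used to pick the worst rating of a server.
ORDER = ["high", "unknown", "medium", "weak", "very weak"]

# Two pluggable policies, as proposed in the thread: how TLS-Check currently
# rates BEAST-affected CBC-SHA1 suites, and the proposed alternative.
# Policy names are assumed for this example, not TLS-Check's own.
POLICIES = {
    "tls_check_current": {"beast_cbc_sha1": "weak"},
    "proposed": {"beast_cbc_sha1": "medium"},
}

def classify(suite, policy="tls_check_current"):
    """Rate one IANA-style suite name, e.g. 'DHE_RSA_WITH_AES_128_CBC_SHA'.
    Returns (rating, reason)."""
    if re.search(r"_(NULL|EXPORT|RC4|DES|anon)_", suite):
        return "very weak", "NULL/anon/export/RC4/56-bit DES"
    if "_3DES_" in suite:
        # Checked on its own so 3DES (112-bit effective) is not mistaken for
        # single DES just because the name contains "DES" (assumed rating).
        return "medium", "3DES, 112-bit effective key"
    if re.search(r"_(GCM|CCM|CHACHA20_POLY1305)", suite):
        return "high", "AEAD"
    if re.search(r"_CBC_SHA(256|384)$", suite):
        return "high", "CBC with SHA-2 MAC, not BEAST-affected"
    if suite.endswith("_CBC_SHA"):
        return POLICIES[policy]["beast_cbc_sha1"], "CBC with SHA-1 MAC (BEAST-affected)"
    return "unknown", "no rule matched"

def worst_rating(suites, policy="tls_check_current"):
    """Worst rating among a server's supported suites, i.e. what a summary
    line like 'Supports no weak or medium Cipher Suites' is derived from."""
    return max((classify(s, policy)[0] for s in suites), key=ORDER.index)

# Suites the thread lists for bettercrypto.org, plus the one IE 8 negotiated.
BETTERCRYPTO_ORG_SUITES = [
    "DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "DHE_RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "DHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for name in POLICIES:
        print(name, "->", worst_rating(BETTERCRYPTO_ORG_SUITES, name))
```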

@alvar-freude (Member):

Not listed Cipher Suites

The problem with the unlisted cipher suite ECDHE_RSA_WITH_AES_128_CBC_SHA is that some servers seem to ignore some of the given cipher suites when a lot of cipher suites are given.

For this, Net::SSL::CipherSuites can split a list of cipher suites into parts (see sub split_into_parts). By default this code is used and splits them into parts of 146 bytes. This is still too much for some servers: for bettercrypto.org, the result is OK with 86 or fewer bytes, not OK for 88 bytes and up. Most servers can handle 300 bytes without any problem.

So far I'm not sure whether this is a bug in the server or a bug in TLS-Check, but TLS-Check should (must!) handle it correctly!

So this is the reason why the cipher suite is not listed in the full list, but is when checking the browser lists.
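The splitting and the server behaviour described above, simulated in Python as an added example (not Net::SSL::CipherSuites' own code): each suite is two bytes in the ClientHello, a constructed server only considers the first 86 bytes offered, and a scanner using 146-byte chunks misses a suite that 86-byte chunks (and the short browser lists) find. The candidate list, the server model and its byte limit are constructed for the example.

```python
SUITE_BYTES = 2  # each cipher suite is a two-byte id in the ClientHello

def split_into_parts(suites, max_bytes):
    """Split the suite list into chunks of at most max_bytes on the wire:
    146 bytes hold 73 suites, 86 bytes hold 43."""
    per_chunk = max(1, max_bytes // SUITE_BYTES)
    return [suites[i:i + per_chunk] for i in range(0, len(suites), per_chunk)]

class TruncatingServer:
    """Constructed server model: it only considers the first limit_bytes of
    the offered cipher_suites vector (behaviour observed in the thread; the
    real cause is unknown, so this is an assumption)."""
    def __init__(self, supported, limit_bytes):
        self.supported = set(supported)
        self.limit = limit_bytes // SUITE_BYTES

    def handshake(self, offered):
        """First offered suite the server supports within its limit, else None."""
        for suite in offered[:self.limit]:
            if suite in self.supported:
                return suite
        return None

def scan(server, candidates, chunk_bytes):
    """Enumerate supported suites the way a scanner does: offer one chunk,
    record what was negotiated, drop it, repeat until the chunk yields nothing."""
    found = []
    for part in split_into_parts(candidates, chunk_bytes):
        remaining = list(part)
        while True:
            chosen = server.handshake(remaining)
            if chosen is None:
                break
            found.append(chosen)
            remaining.remove(chosen)
    return found

# Constructed candidate list of 100 suites; the two real names sit at
# positions 5 and 72 (72 is the last slot of a 146-byte chunk).
CANDIDATES = ["CONSTRUCTED_SUITE_%02d" % i for i in range(100)]
CANDIDATES[5] = "DHE_RSA_WITH_AES_128_GCM_SHA256"
CANDIDATES[72] = "ECDHE_RSA_WITH_AES_128_CBC_SHA"

# Supports both real suites, but only looks at the first 86 bytes (43 suites).
SERVER = TruncatingServer([CANDIDATES[5], CANDIDATES[72]], limit_bytes=86)

if __name__ == "__main__":
    for chunk in (146, 86):
        print(chunk, "byte chunks ->", scan(SERVER, CANDIDATES, chunk))
```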

ricki-z commented Apr 24, 2016

My problem is that there may be companies asking their provider (i.e. me) about this IHK study. And I have to tell them that the server is configured as recommended (Bettercrypto B), but this configuration contains "weak" ciphers (that are not chosen by modern browsers). BEAST should be mitigated by most modern browsers by now.
In your study a larger part of the 1020 websites with a valid cert but "weak" ciphers may have this "problem". And therefore may be safer than stated.
Disabling ...AES_128/256_CBC_SHA prevents connections from Windows 7 (IE 8).
Shouldn't a recommendation result in a good result in such a study?

@alvar-freude (Member):

We don't release information about a single server or IHK member, this is one reason.

For the score, it doesn't matter much if the BEAST-vulnerable CBC suites are counted as weak or not. The main goal for TLS-Check is to provide a summary/overview, not individual results. But beside the IHK project I plan to extend the individual tests. In this context the scorings of each cipher suite should be revised.

When you use only recommended cipher suites, this is OK; at the moment TLS-Check counts BEAST-vulnerable cipher suites as "weak". We discussed in the past whether to change this, and my opinion is that we should change it – so we have to discuss it again.

The real world problem is that there are some old browsers which only support old protocols and old cipher suites. For this, everyone has to support the old stuff. In all presentations I referred to this.
There are a lot of cipher suites where we can discuss how good they are, e.g. DHE suites recommended by the BSI and the Logjam attack. Or how to count ARIA cipher suites, and much more.

alvar-freude added a commit that referenced this issue Jul 4, 2016
Some more classification for weak/medium cipher suites, addresses issue
#9.