Weak Cipher Suites: How to Find and Disable Insecure TLS Ciphers
A cipher suite is the set of cryptographic algorithms client and server negotiate during the TLS handshake: key exchange, authentication, symmetric encryption, and MAC. Deprecated suites (RC4, 3DES, EXPORT, NULL, MD5) drop your SSL Labs grade to B or F, expose the site to POODLE, BEAST, SWEET32, and fail PCI DSS. Here's how to find weak ciphers and replace them with a modern safe profile.
What makes a cipher suite “weak”
A TLS 1.2 cipher suite looks like ECDHE-RSA-AES128-GCM-SHA256:
- ECDHE — key exchange (forward secrecy).
- RSA — server authentication.
- AES128-GCM — symmetric cipher.
- SHA256 — MAC hash.
A suite is “weak” if any component is obsolete:
- Key exchange without forward secrecy: plain RSA (no ECDHE/DHE).
- Old ciphers: RC4, 3DES, DES, EXPORT-grade, NULL.
- Weak hashes: MD5, SHA1 in MAC.
- CBC block ciphers — padding oracle attacks (BEAST, Lucky13).
- Key size: below 128 bits is considered insufficient.
Known attacks on weak ciphers
- POODLE (2014): attack on SSLv3 with CBC. Fix — disable SSLv3.
- SWEET32 (2016): collisions in 64-bit block ciphers (3DES, Blowfish). Fix — disable 3DES.
- RC4 biases (2013-2015): plaintext recovery from repeated RC4 messages. Fix — disable RC4.
- BEAST (2011): attack on CBC in TLS 1.0. Fix — TLS 1.2+ with AEAD.
- FREAK, Logjam (2015): EXPORT-grade downgrade. Fix — disable EXPORT.
- ROBOT (2017): RSA key recovery via padding oracle. Fix — disable RSA key exchange.
TLS 1.3 (see TLS 1.3 vs 1.2) excludes all vulnerable suites by design. The problem is TLS 1.2 and earlier.
How to check your cipher suites
nmap:
nmap --script ssl-enum-ciphers -p 443 example.com
Output shows supported suites per TLS version with “weak” next to the problematic ones.
testssl.sh:
docker run --rm -ti drwetter/testssl.sh example.com
Online: enterno.io SSL Checker, SSL Labs, Mozilla Observatory.
Mozilla profiles: Modern, Intermediate, Old
- Modern: TLS 1.3 only, compatible with 90% of clients. For API documentation and modern services.
- Intermediate (recommended): TLS 1.2 + 1.3, compatible with 99% of clients, no weak ciphers.
- Old: TLS 1.0+, for legacy (Windows XP, old Android). Avoid.
Config generator: ssl-config.mozilla.org — pick server, profile, OpenSSL version, get ready-to-paste config.
Safe nginx config (Intermediate)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# TLS 1.3 cipher suites (OpenSSL 1.1.1+)
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
# Forward secrecy parameters
ssl_ecdh_curve X25519:prime256v1:secp384r1;
Every cipher here is AEAD (Authenticated Encryption with Associated Data) — not vulnerable to padding oracle attacks. No CBC.
Apache (Intermediate profile)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
What exactly to disable
Explicit OpenSSL denylist:
!aNULL — no authentication
!eNULL — no encryption
!EXPORT — export-grade (40/56 bit)
!DES — DES
!3DES — 3DES (SWEET32)
!RC4 — RC4 (known attacks)
!MD5 — MD5 (collisions)
!PSK — pre-shared keys (unless used)
!SRP — rare, vulnerable
!CAMELLIA — optional, prefer AES
Modern distros ship OpenSSL with these already disabled at compile time. Stating them explicitly is still worthwhile.
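To turn the weakness rules above and the denylist into a repeatable check, here is an added example (not from the article or from Mozilla): it classifies OpenSSL-style suite names by the rules in "What makes a cipher suite weak", then builds a local OpenSSL context from the Intermediate list plus the denylist and audits every suite that context would actually offer. The helper names and the token heuristics are this example's own assumptions; the cipher strings are the article's.

```python
import ssl

# Intermediate list (TLS 1.2 suites) and explicit denylist, both copied from the article.
INTERMEDIATE = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
DENYLIST = "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"

FS_KEX = {"ECDHE", "DHE", "EECDH", "EDH"}        # key exchange with forward secrecy
OBSOLETE = {"RC4", "DES", "3DES", "CBC3", "EXP", "EXP1024", "NULL", "IDEA", "SEED"}
AEAD = {"GCM", "CCM", "CCM8", "POLY1305"}        # modes not exposed to padding oracles

def classify_suite(name):
    """Weakness reasons for an OpenSSL-style suite name under the article's rules (empty = OK)."""
    if name.startswith("TLS_"):                  # TLS 1.3 names: always (EC)DHE + AEAD
        return []
    parts = name.split("-")
    tokens = set(parts)
    reasons = []
    if parts[0] not in FS_KEX:                   # plain RSA / static key exchange
        reasons.append("no forward secrecy")
    if OBSOLETE & tokens:
        reasons.append("obsolete cipher")
    aead = bool(AEAD & tokens)
    if not aead and parts[-1] in ("MD5", "SHA"):           # "SHA" is SHA-1 in OpenSSL names
        reasons.append("weak MAC hash")
    if not aead and not {"RC4", "NULL"} & tokens:          # block cipher without AEAD => CBC
        reasons.append("CBC mode")
    if parts[0].startswith("EXP") or "DES" in tokens:      # 40/56-bit export, DES, 3DES (112 effective)
        reasons.append("key below 128 bits")
    return reasons

def intermediate_context():
    """Client context restricted to the Intermediate list plus the explicit denylist."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(INTERMEDIATE + ":" + DENYLIST)
    return ctx

def audit_context(ctx):
    """Map each suite the local OpenSSL would actually offer under ctx to its weakness reasons."""
    return {c["name"]: classify_suite(c["name"]) for c in ctx.get_ciphers()}

if __name__ == "__main__":
    for suite, why in audit_context(intermediate_context()).items():
        print(suite, "OK" if not why else ", ".join(why))
```

Running the audit against a context built from a legacy cipher string (for example one containing RC4 or AES256-SHA) lists the reasons each offending suite fails, which is the same information testssl.sh or nmap report remotely.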
PCI DSS and regulatory requirements
PCI DSS 4.0 (since 2024):
- TLS 1.0 and 1.1 banned.
- SSLv2 / SSLv3 banned.
- Weak ciphers (RC4, 3DES, MD5) banned.
- Regular vulnerability scans — mandatory (SAQ A, SAQ D).
Non-compliance — risk of losing card-payment ability.
Post-change verification
nginx -t && systemctl reload nginx
- enterno.io SSL Checker — grade A or A+.
- SSL Labs — no weak ciphers, forward secrecy “Yes”, HSTS, grade A+.
- Test compatibility with old clients (iOS 12, Android 7, Windows 10).
- Monitor via Enterno.io Monitors — alert on grade regression after deploy.
Frequently asked questions
Do I need TLS 1.3 cipher suites in ssl_ciphers?
No. TLS 1.3 uses a separate directive (ssl_conf_command Ciphersuites in nginx with OpenSSL 1.1.1+). ssl_ciphers only affects TLS 1.2 and below.
What if an old client doesn't support modern ciphers?
Rare edge case — ignore. Lots of legacy — use Mozilla Old profile temporarily, migrate clients, then harden.
Is ChaCha20 better than AES-GCM?
On CPUs with hardware AES (AES-NI), AES-GCM wins. On mobile CPUs without AES-NI (older ARM), ChaCha20 is faster. Placing ECDHE-RSA-CHACHA20-POLY1305 before AES in ssl_ciphers favors mobile.
Why disable SSL session tickets in TLS 1.2?
Session tickets are encrypted with a rarely-rotated server key, weakening forward secrecy. TLS 1.3 fixed the mechanism. In 1.2 — either rotate the key often or disable (ssl_session_tickets off;).
Conclusion
Weak cipher suites are inherited from old server templates that “work, don't touch”. Upgrading to Mozilla Intermediate takes 10 minutes and buys years of defense against new attacks. Check current config via enterno.io SSL Checker and guard against regression via Monitors. Related: TLS 1.3 migration, HSTS.
Mozilla SSL Config — ssl-config.mozilla.org. TLS 1.2 suites — RFC 5246. NIST guidelines — SP 800-52 Rev 2.