Obsolete cryptography warning from Browser

by

From https://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome

Obsolete Cipher Suites

You may see:

“Your connection to example.com is encrypted with obsolete
cryptography.”

This means that the connection to the current website is using an
outdated cipher suite (which Chrome still allows if the server insists
on it).

In order for the message to indicate “modern cryptography”, the
connection should use forward secrecy and either AES-GCM or
CHACHA20_POLY1305. Other cipher suites are known to have weaknesses.
Most servers will wish to negotiate
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

All this boils down to the following lines in your configuration, that determine which cipher suites are supported and prioritized for connections with clients.

SSLProtocol
SSLCipherSuite
SSLHonorCipherOrder

Per https://certsimple.com/blog/chrome-outdated-cryptography and https://mozilla.github.io/server-side-tls/ssl-config-generator/, you may want to give this a try:

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

See also:

[1] https://mozilla.github.io/server-side-tls/ssl-config-generator/ – Suggests security configurations

[2] https://www.ssllabs.com/ssltest/index.html — Test your server’s SSL configuration

More Related Contents:

  1. Unable to establish SSL connection, how do I fix my SSL cert?
  2. How do I allow HTTPS for Apache on localhost?
  3. How do you redirect HTTPS to HTTP?
  4. ssl_error_rx_record_too_long and Apache SSL [closed]
  5. apache redirect http to https and www to non www
  6. How to stop Chrome from redirecting to HTTPS?
  7. SSL Connection Reset
  8. Do I need to convert .CER to .CRT for Apache SSL certificates? If so, how?
  9. tunneling secure websocket connections with apache
  10. How to debug Apache mod_rewrite
  11. apache redirect from non www to www
  12. Accessing localhost (xampp) from another computer over LAN network – how to?
  13. How to prevent http file caching in Apache httpd (MAMP)
  14. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  15. Deny access to one specific folder in .htaccess
  16. Hidden features of mod_rewrite
  17. Why use deflate instead of gzip for text files served by Apache?
  18. How can I implement rate limiting with Apache? (requests per second)
  19. Forbidden You don’t have permission to access / on this server [closed]
  20. Apache2 ProxyPass for Rails App Gitlab
  21. Getting Internal Server Error while trying to access my site
  22. Remove Characters from URL with htaccess
  23. How do I run Node.js on port 80?
  24. Setting up a websocket on Apache?
  25. Redirect HTTP to HTTPS on default virtual host without ServerName
  26. htaccess RewriteRule page with query string
  27. URL rewriting for different protocols in .htaccess
  28. Correct Apache AddType directives for font MIME types
  29. OpenSSL hangs during PKCS12 export with “Loading ‘screen’ into random state”
  30. SSLError: sslv3 alert handshake failure

Leave a Comment