Limiting SSL/TLS Cipher Suite doesn't work?

slowaways · Jan 19, 2020

Hello,
I disabled HTTP/2 and defined this cipher suite to my SSL Protocol configuration:

Listener HTTPS->SSL->SSL Protocol
"TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"

Opera Instantâneo_2020-01-19_165837_ptt.tecnosul.agr.br.png

TLS 1.3:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

TLS 1.2:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Opera Instantâneo_2020-01-19_164229_www.ssllabs.com.png

I want to disable all Ciphers <= 128 and active only Ciphers >= 256 to get 100% on Cipher Stronger pontuation in the SSL Labs test:

Opera Instantâneo_2020-01-19_165704_www.ssllabs.com.png

SSL Labs Grade Documentation:
"Key Exchange 100%: Key or DH paramenter strength >= 4096 bits
Cipher Strength 100%: All keys size >= 256 bits "

But when I tested in SSL Labs, cipher that I disabled before appears yet.

Pong · Jan 20, 2020

What's your site URL? maybe you log a ticket by sending an email to support@litespeedtech.com with us to your login details and site URL for us to check?

slowaways · Feb 10, 2020

Pong said:

Ok

anditasb · Dec 9, 2020

slowaways said:

Hello,

Do you have any update about this?

stevieosaurus · Nov 6, 2024

5 years later I encounter the same issue. Anyone found a fix for this? (disabling CBC ciphers)

Cold-Egg · Nov 7, 2024

Some similar posts here, maybe you can give it a try.

gizmo · Mar 13, 2025

Hi @stevieosaurus, @anditasb in case you guys haven't fixed it, please see my post about how to properly disable CBC ciphers.
Though I have no answer for @slowaways on how to remove ciphers with 128 bit keys.

Theoretically, this would partially work: "ECDSA+AES256+AESGCM" would remove TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Bash:

openssl ciphers -V -stdname ECDSA+AES256+AESGCM
          0x13,0x02 - TLS_AES_256_GCM_SHA384                        - TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256                  - TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0x13,0x01 - TLS_AES_128_GCM_SHA256                        - TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
          0x13,0x04 - TLS_AES_128_CCM_SHA256                        - TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
          0xC0,0x2C - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       - ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD

But when I tried on virtual hosts config, it didn't work. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 still appears.
Also, it seems impossible to remove TLS_AES_128_GCM_SHA256.

Reference: openssl-ciphers

Limiting SSL/TLS Cipher Suite doesn't work?

slowaways

New Member

Pong

Administrator

slowaways

New Member

anditasb

New Member

stevieosaurus

Member

Cold-Egg

Administrator

gizmo

New Member