TLS and weak ciphers: obsolete protocols, cipher suites and SSH
Communication encryption relies on two distinct elements: the protocol (TLS 1.2, TLS 1.3) and cipher suites (algorithms negotiated for each connection). A valid certificate and a modern protocol aren't enough if the server still accepts deprecated algorithms. The security of a TLS connection is that of its weakest link.
Obsolete SSL/TLS protocols
SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are obsolete protocols with known, published vulnerabilities. POODLE (SSL 3.0), BEAST (TLS 1.0), DROWN (SSL 2.0): these attacks allow an adversary positioned on the network to decrypt communications or inject data. Modern browsers have dropped support for these protocols, but servers still frequently accept them.
Today's minimum standard is TLS 1.2, and TLS 1.3 should be enabled. TLS 1.3 simplifies negotiation (fewer round trips), removes weak cipher suites, and is not vulnerable to attacks on older versions.
nginx configuration: disable old protocols
# nginx.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
Weak cipher suites
Even with TLS 1.2, some cipher suites are weak and must not be accepted. RC4: cryptographically broken, must be banned. CBC-mode suites (like AES-CBC): vulnerable to BEAST and LUCKY13 in TLS 1.2 depending on configuration. Suites without Perfect Forward Secrecy (RSA alone, no ECDHE or DHE): if the private key is compromised, all previously recorded sessions can be decrypted. Export suites (EXPORT, NULL, aNULL): designed to be weak, exploited by FREAK and Logjam.
Reference tool: test your configuration with testssl.sh (command line) or SSL Labs (web interface). These tools identify accepted protocols, cipher suites, and known vulnerabilities.
Insecure SSL/TLS renegotiation
TLS renegotiation allows renegotiating parameters of an ongoing connection. Insecure renegotiation (RFC 5746 not implemented) can be exploited to inject data into an existing TLS connection. All modern servers must support secure renegotiation and disable client-initiated renegotiation if not needed.
SSH configuration: deprecated algorithms
SSH suffers from the same problems as TLS: old and weak algorithms accepted by default. Algorithms to disable: CBC-mode ciphers (aes128-cbc, 3des-cbc, arcfour...), MAC algorithms based on SHA-1 alone (hmac-sha1, hmac-md5), Diffie-Hellman key exchange with insufficient parameters (diffie-hellman-group1-sha1).
Secure sshd_config configuration
# /etc/ssh/sshd_config
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
Unencrypted communications
Some internal services or APIs still communicate in plaintext (HTTP, FTP, Telnet, SMTP without STARTTLS). Even on an internal network considered trusted, encryption is necessary: compromising an internal device (switch, workstation) enables passive traffic interception. Network segmentation reduces the risk but doesn't eliminate it.
Summary
- Disable SSL and TLS 1.0/1.1: enable only TLS 1.2 and TLS 1.3
- Modern cipher suites only: ECDHE + AES-GCM or ChaCha20, no RC4, CBC, or NULL
- Perfect Forward Secrecy: use ECDHE or DHE so past sessions remain protected if the key is compromised
- SSH: modern algorithms only: Ed25519, ChaCha20, SHA-2; remove CBC and SHA-1
- Test regularly: testssl.sh or SSL Labs to detect regressions and new vulnerabilities
Further reading
A question after reading?
Is your TLS or SSH configuration up to date? Send a message.
Or book a 30-minute scoping call directly
Book a call →