Jay Schwegler asked:
SSL Ciphers with Chrome

I'm reviewing all of my web servers and I'm trying to figure out how to make Chrome happy with the Cipher Suites. Web Servers are Server 2012 R2 and here is what Chrome is reporting:

User generated image
Now, if I take a look at another example website that does properly validate with Chrome, it looks like this as an example:

User generated image
It is my understanding that Google only views the GCM ciphers as being secure. That being said, I found AES_128_GCM in my cipher list and moved it to the top; however, Chrome still reports the same cipher suite as being used.

Can anyone give me some insight?
Rich Weissler:
I suspect it's the SHA1 hashing that Chrome doesn't like...  it's been deprecated.
Jay Schwegler (Asker):
The problem is that it's just not using the GCM ciphers even though I have prioritized them at the top, so it shouldn't even be negotiating the one that it is if there is a better one above it. After reading some more, it would appear that Server 2012 can't use these, while 2016 can.

That being said, I'm not sure that I can fix this on 2012 if it can't use those ciphers.

https://forums.iis.net/t/1226511.aspx
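The check a practitioner would want to run on the server at this point, as an added example that is not from the original thread: Schannel spells each suite's authentication method into the suite name (TLS_ECDHE_ECDSA_... needs an ECC certificate, TLS_ECDHE_RSA_... and TLS_RSA_... need an RSA certificate), so comparing the enabled suites against the key types of the certificates in the machine store shows whether any AES-GCM suite can be negotiated at all, regardless of where it sits in the priority order. It assumes the TLS PowerShell module (Get-TlsCipherSuite) that ships with Windows 8.1 / Server 2012 R2, and that the site's certificate lives in Cert:\LocalMachine\My; the helper name Get-SuiteRequirements is my own.

```powershell
# Added example (not code from the original thread). Lists the cipher suites
# Schannel has enabled and works out which of the AES-GCM suites can actually be
# negotiated with the certificates installed in the local machine store.
# Requires the TLS module shipped with Windows 8.1 / Server 2012 R2.

function Get-SuiteRequirements {
    # Hypothetical helper: derives the certificate key type a suite needs from
    # the authentication half of its name, e.g. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
    param([Parameter(Mandatory)][string]$Name)
    $certType = switch -Regex ($Name) {
        '^TLS_ECDHE_ECDSA_'             { 'ECC' }
        '^TLS_(ECDHE_RSA|DHE_RSA|RSA)_' { 'RSA' }
        '^TLS_DHE_DSS_'                 { 'DSA' }
        default                         { 'unknown' }
    }
    [pscustomobject]@{
        Name     = $Name
        IsGcm    = ($Name -match '_GCM_')
        CertType = $certType
        Pfs      = ($Name -match '^TLS_(EC)?DHE_')   # ephemeral key exchange
    }
}

# Key types of the certificates that could be bound to an HTTPS site.
# Windows reports the public key OID friendly name as 'RSA' or 'ECC'.
$installedKeyTypes = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { $_.PublicKey.Oid.FriendlyName } |
    Sort-Object -Unique

# Get-TlsCipherSuite returns suites in Schannel's current negotiation order.
$suites = Get-TlsCipherSuite | ForEach-Object { Get-SuiteRequirements -Name $_.Name }

"Installed certificate key types: $($installedKeyTypes -join ', ')"
"`nGCM suites enabled in Schannel (in negotiation order):"
$suites | Where-Object { $_.IsGcm } | ForEach-Object {
    $usable = $installedKeyTypes -contains $_.CertType
    "{0,-45} needs {1,-4} cert  usable: {2}" -f $_.Name, $_.CertType, $usable
}

# A GCM suite only matters if a certificate of the matching key type is bound.
$negotiable = $suites | Where-Object { $_.IsGcm -and ($installedKeyTypes -contains $_.CertType) }
if (-not $negotiable) {
    "`nNo enabled GCM suite matches an installed certificate key type."
    "Moving a GCM suite to the top of the order changes nothing until a certificate"
    "of the matching key type is bound to the site."
}
```

If the report shows only ECDHE_ECDSA GCM suites and only RSA certificates, reordering with the Cipher Suite Order group policy or `Enable-TlsCipherSuite -Name <suite> -Position 0` will not change what Chrome sees: the server can never select a suite whose signature algorithm does not match the bound certificate's key. Re-run the script after binding a new certificate to confirm the "usable" column flips before re-testing from the browser.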
ASKER CERTIFIED SOLUTION
Jay Schwegler

This is not a Chrome fix.

Chrome is working as expected, refusing to use a deprecated/weak cipher.

The fix is at your Webserver level.

Many guides exist about setting up fast + secure cipher suites for various Webservers.

Pick one of these + reconfigure your site.

Use https://www.ssllabs.com/ssltest to verify your Webserver is correctly configured.
I already know that the fix is at the webserver level, and as mentioned, SSL Labs is already giving me an A as it's configured right now. The server meets PCI as it sits now and there are no weak ciphers being reported by SSL Labs.

Chrome just wants the site to be using the absolute best, which is the GCM Ciphers. My question is if there is any way to use those ciphers without having to upgrade the certificate to ECC/EV.
If the web server demands it strictly, the client has no way not to support it as part of the server authentication.
You can try to blacklist the use of weak ciphers in Chrome and try the connection again. See https://yuridejager.wordpress.com/2014/11/17/securing-your-browsers-chromium-google-chrome-or-opera/
I have confirmed that the only way Server 2012 will use the ciphers that will make Chrome completely happy is to use an ECC certificate.