Proper way to get rid of weak ssl_ciphers

Have 2 issues I’m confused and stuck atm:

  1. Can’t pass PCI DSS compliance because a number of Weak Cipher Suites were found. Have commented out those in /etc/nginx/nginx.conf > ssl_ciphers and restarted, but still can’t pass the tests, so presumably there are more weak ciphers defined somewhere else (nginx proxy+apache+php8). Where are they?

  2. To persist those changes made in nginx.conf, I understand have to create my own templates in /usr/local/hestia/data/templates/web/nginx and assign them to websites, but those are Web Domain templates at the server{} level at best. The ssl_ciphers directive is at the universal http{} level. How to properly approach this?

Thanks for your advise.

Edit /etc/nginx/nginx.conf

Replace these lines with the following:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve      X25519:prime256v1:secp384r1;

Restart nginx: systemctl restart nginx

Check your site at SSL Server Test (Powered by Qualys SSL Labs) and you should get an A+

The ciphers are from Mozilla’s current intermediate cipher list. Current sites should allow the browser to choose the cipher which will speed up loading of your page and cipher handshake.

1 Like

Hi Shawn, thank you for the hints. Unfortunately, they didn’t work for me and I’m still stuck at the same place. After all those tweaks and restart of NGINX I am still getting absolutely the same weak ciphers that fail in securitymetrics: Screenshot 2022 07 04 at 11 21 36 Portal Security Metrics — Postimages

I forgot to mention I’m behind Cloudflare (free), but think I should have configured the pertinent stuff accordingly, for example:

Minimum TLS Version: 1.2;
TLS 1.3 = enabled

Not sure if it’s a configuration problem, or a cache problem of some kind at this point? Have purged everything for the at the edge, and also cleared WP Fastest Cache (Wordpress), but it didn’t help.

Hope for other ideas of the guys. Thanks!

If you are behind cloudflare, you cant do anything. Cloudflare is handling the ssl connection, so you probaly need to search a solution on clousflare side.

1 Like

You’re right. Finally figured out they want money to allow changing the cipher suites. Bummer.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.