Remove SHA1 cipher suite
25 views
Skip to first unread message
dmeet
May 23, 2022, 11:28:15 AM5/23/22
to blink-dev
Since Chromium removed the TLS1.0 and TLS1.1 protocols,the cipher suite which using HMAC-SHA1 is unnecessary,because TLS1.2 add the SHA2 to ths cipher suite
I suggest remove these cipher :
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
And add these cipher:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Because some server such as Windows Server 2008 R2 and Windows Server 2012 although these server can enable TLS1.2 but they don't support GCM cipher suite with RSA certificate the best cipher suite these server can use with RSA certificate is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_GCM_SHA384
Although HAMC-SHA1 isn't broken but SHA1 is broken
I suggest remove these cipher :
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
And add these cipher:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Because some server such as Windows Server 2008 R2 and Windows Server 2012 although these server can enable TLS1.2 but they don't support GCM cipher suite with RSA certificate the best cipher suite these server can use with RSA certificate is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_GCM_SHA384
Although HAMC-SHA1 isn't broken but SHA1 is broken
I think take action before it destroyed is better
Reply all
Reply to author
Forward
0 new messages