Using the default cipher values in the Kubernetes Nginx ingress controller shows that 2 ciphers are weak (screenshot of the SSL Labs report omitted).
What are the values I need to set in order to replace the weak ciphers?
Let's look at this from a bigger picture.
All TLS_RSA ciphersuites have been marked as WEAK because they don't provide forward secrecy: if the private key gets compromised in the future, all recorded traffic can be decrypted using it.
The only major browser that ever implemented those two ciphersuites you listed is Safari, and Safari has supported GCM cipher suites since 2015. In general, any cipher suite that doesn't say CHACHA20, GCM, or CCM is now marked as either weak or insecure.
You could replace them like below:
ECDHE-RSA-AES256-SHA384 to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES128-SHA256 to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
but according to this source:
SSL Labs identifies cipher suites using CBC with orange color and with text WEAK. This change won’t have any effect on the grades, as it only means that SSL Labs discourages the use of CBC-based cipher suites further.
All ciphersuites utilizing Cipher Block Chaining (CBC) aren't automatically WEAK, but there have been so many implementations vulnerable to padding oracle attacks that they have decided to mark them all as WEAK.
Another option would be to completely remove those two values and use DHE ciphersuites as long as they have a key length of at least 2048 bits and use GCM mode: DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256.
You can also consider removing them completely, but you actually don't have to, because your implementation was not marked as vulnerable. Only implementations that are vulnerable to the new Zombie POODLE and GOLDENDOODLE vulnerabilities will be graded F.
I hope it helps.
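To turn the two rules from the answer above (no forward secrecy without an (EC)DHE key exchange; CBC rather than GCM/CHACHA20/CCM is flagged WEAK) into a check you can run against your own list, here is an added example that is not part of the original answer or of the ingress-nginx project. The sample cipher string is constructed, and the ConfigMap name and namespace in the rendered YAML are assumptions to adjust for your deployment; the ssl-ciphers ConfigMap key itself is the one ingress-nginx reads.

```python
"""Classify OpenSSL-style cipher names by the rules in the answer and
build a hardened ssl-ciphers value. Example code, not ingress-nginx's own."""
import re

# Constructed sample list: assumed to resemble an ingress default that still
# carries the two CBC suites from the question plus one static-RSA suite.
SAMPLE_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "AES128-GCM-SHA256"
)

AEAD = re.compile(r"GCM|CHACHA20|CCM")

def classify(name):
    """Return 'ok', 'no-forward-secrecy' or 'cbc' for one OpenSSL cipher name."""
    # No (EC)DHE prefix means static RSA key exchange (the TLS_RSA family):
    # a leaked server key decrypts every recorded session.
    if not (name.startswith("ECDHE-") or name.startswith("DHE-")):
        return "no-forward-secrecy"
    # Anything that is not an AEAD mode is CBC, which SSL Labs flags as WEAK.
    if not AEAD.search(name):
        return "cbc"
    return "ok"

def harden(cipher_string):
    """Split an OpenSSL cipher string, drop the weak suites and report why."""
    dropped = {"no-forward-secrecy": [], "cbc": []}
    kept = []
    for name in cipher_string.split(":"):
        verdict = classify(name)
        if verdict == "ok":
            kept.append(name)
        else:
            dropped[verdict].append(name)
    return ":".join(kept), dropped

def configmap_yaml(cipher_string):
    """Render the ingress-nginx ConfigMap carrying the hardened ssl-ciphers value.
    ConfigMap name/namespace are assumptions; match them to your install."""
    hardened, _ = harden(cipher_string)
    return (
        "apiVersion: v1\nkind: ConfigMap\nmetadata:\n"
        "  name: ingress-nginx-controller\n  namespace: ingress-nginx\n"
        f"data:\n  ssl-ciphers: \"{hardened}\"\n"
    )

if __name__ == "__main__":
    hardened, dropped = harden(SAMPLE_CIPHERS)
    for reason, names in dropped.items():
        print(f"{reason}: {', '.join(names)}")
    print(configmap_yaml(SAMPLE_CIPHERS))
```

The 2048-bit minimum the answer gives for DHE suites is a property of the server's DH parameters, not of the cipher name, so this check cannot verify it; confirm it separately in your nginx DH parameter configuration.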