The majority of the CBC_SHA ciphers are considered weak and should be replaced with stronger ciphers.

See also:

https://www.tenable.com/plugins/nessus/159543

Recommended ciphers would be:

TLSv1.3:
- 0x13,0x01 TLS_AES_128_GCM_SHA256
- 0x13,0x02 TLS_AES_256_GCM_SHA384
- 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0x00,0x9E DHE-RSA-AES128-GCM-SHA256
- 0x00,0x9F DHE-RSA-AES256-GCM-SHA384

Matthew

On 1/7/2023 2:38 AM, Sam wrote:
Hello everyone,

When I run `nmap --script vuln example.com` against a server I manage, I get the following vulnerability on my server on both ports 465 and 587. The only solutions I found are for legacy systems.
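
Added example, not part of either message in this thread: a Python `ssl` sketch that restricts an OpenSSL-backed context to the recommended list and reports any enabled suite whose two-byte code point is not on it. The function names `hardened_context` and `off_list` are hypothetical, and the check covers a local context, not a remote server.

```python
import ssl

# TLS 1.2 suites recommended in the message above: IANA code point -> OpenSSL name.
RECOMMENDED_TLS12 = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xCCA9: "ECDHE-ECDSA-CHACHA20-POLY1305",
    0xCCA8: "ECDHE-RSA-CHACHA20-POLY1305",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
}
# TLS 1.3 code points from the same message.
RECOMMENDED_TLS13 = {0x1301, 0x1302, 0x1303}
ALLOWED = set(RECOMMENDED_TLS12) | RECOMMENDED_TLS13


def hardened_context():
    """Server-side context limited to TLS 1.2+ and the recommended TLS 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; OpenSSL keeps its TLS 1.3 suites separately.
    ctx.set_ciphers(":".join(RECOMMENDED_TLS12.values()))
    return ctx


def off_list(ciphers):
    """Names of suites (SSLContext.get_ciphers() format) that are not on the list."""
    # The low 16 bits of OpenSSL's cipher id are the two-byte code point on the wire.
    return [c["name"] for c in ciphers if (c["id"] & 0xFFFF) not in ALLOWED]


if __name__ == "__main__":
    print("hardened, off-list:", off_list(hardened_context().get_ciphers()))
    default = ssl.create_default_context().get_ciphers()
    print("library default, off-list:", off_list(default))
```
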
