obsolete cipher (AES_128_CBC with HMAC-SHA1)

Published by

Posted on April 06, 2017

With Internet privacy on everyone’s mind. I decided it was time to do some house keeping myself. I ran my main domain through the test at SSL Labs . I ended up with a SSL grade of B- :( wow .




I ran a test via Google chrome and Chrome returned the message “obsolete cipher (AES_128_CBC with HMAC-SHA1) ” . Additionally I ran a quick test via Python and it returned ” raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)”

A few things I had issues with
1) The root chain bundle was missing from the server
2) I was using old ciphers
3) Enabling Perfect Forward Secrecy was disabled
Enabling perfect forward secrecy
After correcting the above , My SSL grade changed to A . Hopefully this information will help those out there. Internet privacy is a big deal these days. Engineers need to do what they can to protect every day users.

Python Test :


import requests
s = requests.get('https://domain.com')
print(s)


Ciphers used
SSLCipherSuite “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4”


About the Author