Doing a little Cryptography Research and hit a case of conflicting data so wanted to try here.

I'm running a Web Service and currently support these 2 Ciphers:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0X9F) DH 4096 BITS FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0XC02C) ECDH SECP521R1 (EQ. 15360 BITS RSA) FS 256

If I had to remove them due to a WAF upgrade making them incompatible, would I stop particular browsers or versions of Mobile Operating Systems being able to Handshake with me?

If yes, can you advise any alternatives for what I might impact.

Thanks!

  • Browsers (including those used by mobile operating systems) have a set of cipher suites that they support so you'll be fine as long as there's one that you both support. The likelihood that a browser would only support those newer cipher suites is very low, you're probably fine to remove them. – Quetza Mar 17 '21 at 09:45
  • Thanks for the reply. I noticed in my Qualys Browser Test that IE11 defaults to the top one on my list, but it does support others. We still support IE11 (sad face) because many bigger corporations are still on Win7, IE11 and slow process to change so we have to keep some compatibility. Do you know, or have access to any kind of Matrix of any operating systems/browsers that might be considered semi-modern? Again, thanks for answering – Adamski2505 Mar 17 '21 at 17:50
  • I'd suggest that if you support all the ciphers that Gmail does, you should be fine: https://support.google.com/a/answer/9795993. Given that TLS 1.0 and 1.1 are deprecated, it's worth figuring out how to balance support of older clients versus known insecure encryption. – Quetza Mar 17 '21 at 18:07
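The compatibility rule Quetza states in the comments (a handshake succeeds as long as the client and server share at least one suite) can be checked offline before the WAF upgrade is rolled out. The script below is an added example, not code from the thread: it takes a server preference list, drops the two suites from the question (0x9F and 0xC02C), and reports for each client profile which suite it negotiated before and after the change. The server list and the client profiles are constructed for illustration and are not the asker's real configuration or any real browser's measured capabilities; only the two suite ids and names from the question are taken from the page. It also flags the case the question does not ask about but that a practitioner should watch for: a client that does not break but silently falls back to a suite without forward secrecy.

```python
"""Offline what-if check for dropping cipher suites from a TLS 1.2 server config.

Added example. The server order and client profiles are constructed test data,
not the asker's configuration or measured browser capabilities.
"""
from typing import Dict, List, Optional, Tuple

# IANA cipher suite ids and names. 0x9F and 0xC02C are the suites from the
# question; the others are well-known suites used only to build the scenario.
SUITE_NAMES: Dict[int, str] = {
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x1302: "TLS_AES_256_GCM_SHA384",
}

# Suites the WAF upgrade would force the server to drop (from the question).
SUITES_TO_REMOVE: List[int] = [0x009F, 0xC02C]

# Hypothetical server preference order before the change (constructed).
SERVER_BEFORE: List[int] = [0x009F, 0xC02C, 0xC030, 0xC02F, 0x0035]

# Constructed client profiles: the suites each client offers, in its own order.
CLIENT_PROFILES: Dict[str, List[int]] = {
    "legacy-client-A": [0x009F, 0x0035],
    "modern-client-B": [0x1302, 0xC02C, 0xC030, 0xC02F],
    "ecdsa-only-client-C": [0xC02C],
}


def remove_suites(server_order: List[int], to_remove: List[int]) -> List[int]:
    """Return the server's preference list with the given suites dropped."""
    drop = set(to_remove)
    return [s for s in server_order if s not in drop]


def negotiate(server_order: List[int], client_offer: List[int]) -> Optional[int]:
    """Server-preference negotiation: the first suite in the server's order
    that the client also offers, or None when there is no overlap (the
    handshake would fail with a handshake_failure alert)."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None


def is_forward_secret(suite: int) -> bool:
    """(EC)DHE key exchange gives forward secrecy; TLS 1.3 suites (whose names
    carry no '_WITH_') always use an ephemeral exchange."""
    name = SUITE_NAMES[suite]
    return "DHE_" in name or "_WITH_" not in name


def impact_report(
    server_before: List[int],
    server_after: List[int],
    profiles: Dict[str, List[int]],
) -> Dict[str, Tuple[Optional[int], Optional[int], str]]:
    """For each client: (suite before, suite after, status)."""
    report = {}
    for client, offer in profiles.items():
        before = negotiate(server_before, offer)
        after = negotiate(server_after, offer)
        if after is None:
            status = "broken"
        elif after == before:
            status = "unchanged"
        elif before is not None and is_forward_secret(before) and not is_forward_secret(after):
            status = "fallback-loses-forward-secrecy"
        else:
            status = "fallback"
        report[client] = (before, after, status)
    return report


def main() -> None:
    server_after = remove_suites(SERVER_BEFORE, SUITES_TO_REMOVE)
    for client, (before, after, status) in impact_report(
        SERVER_BEFORE, server_after, CLIENT_PROFILES
    ).items():
        fmt = lambda s: SUITE_NAMES[s] if s is not None else "NO HANDSHAKE"
        print(f"{client:22s} {fmt(before):45s} -> {fmt(after):45s} [{status}]")


if __name__ == "__main__":
    main()
```

Running it prints one line per client. In the constructed scenario the ECDSA-only client breaks outright, the modern client just moves to the ECDHE_RSA equivalent, and the legacy client keeps connecting but drops from a forward-secret GCM suite to plain RSA key exchange with CBC, which is the kind of silent downgrade a browser-compatibility matrix will not show you. To use it against a real deployment, replace the constructed profiles with the per-client suite lists from a scan such as the Qualys handshake simulation the asker mentions.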

0 Answers