Server prefers weak encryption ciphers during TLS negotiation
Article ID: CTX582531
Updated On:
Description
TLS cipher suite issues were detected: Server prefers weak encryption ciphers during TLS negotiation.
Resolution
- Make sure only the ciphers in the best practices were used.
e.g.
add ssl cipher SSL_Labs_Cipher_Group_Q4_2021
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES256-GCM-SHA384
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES128-GCM-SHA256
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
add ssl cipher SSL_Labs_Cipher_Group_Q4_2021
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES256-GCM-SHA384
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES128-GCM-SHA256
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
- Refer to Tech Paper: https://community.citrix.com/tech-zone/build/tech-papers/networking-tls-best-practices-2025/ for more details.
Problem Cause
Weak encryption ciphers used.
Issue/Introduction
TLS configuration fixed the issue.
Was this article helpful?
Yes
No
Powered by
