Chrome browser reports obsolete cipher (AES_256_CBC with HMAC-SHA1)

Question

Jboss 6 server is configured to support these ciphers:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA

But the Chrome browser reports:

The connection to this site uses a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and an obsolete cipher (AES_256_CBC with HMAC-SHA1)

Should we remove all _SHA ones from the server configuration?

However, the nmap ssl scan shows, they are all A grade ciphers:

$ nmap -p 443 --script ssl-enum-ciphers.nse host-name

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp160k1) - A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

score 6 · Answer 1 · edited Mar 17 '17 at 10:46

The problem is not the SHA1 but the CBC. You need to offer an AEAD cipher like the GCM ciphers or CHACHA20-POLY1305. From the Chromium (base for Chrome) projects documentation about cipher suites:

To avoid this message, use TLS 1.2 and prioritize an ECDHE cipher suite with AES_128_GCM or CHACHA20_POLY1305. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

You don't offer any of these ciphers so you get this warning. See also this answer for more details. See also the source code of Chromium, notable the function ObsoleteSSLStatusForCipherSuite in net/ssl/ssl_cipher_suite_names.c where this check is implemented.

score 2 · Answer 2 · edited Mar 17 '17 at 10:46

2

I think your problem is in the certificate you are using. Your certificate must be done using a good cypher. That's the Chrome message you are seeing. You need to issue the certificate again using sha2 and a good cypher this time.

I recommend to you to use the online tool ssllabs to test your site. It will test your certificate, your configuration, etc. And it provide you a grade. A+ is the best. And also it recommends to you how to proceed to solve your problems. A very nice tool!

EDIT: maybe this post can help you

edited Mar 17 '17 at 10:46

Community

1

answered Dec 13 '16 at 11:16

OscarAkaElvis

5,225
3
18
49

it does not look like , I did a sslscan using Kali Linux and here is info about certificate: SSL Certificate: Signature Algorithm: sha256WithRSAEncryption RSA Key Strength: 2048 – user133283 Dec 13 '16 at 11:24
Ok I edited my answer, take a look. – OscarAkaElvis Dec 13 '16 at 11:26

score 1 · Answer 3 · answered Dec 15 '16 at 05:46

Fixed it by re-configuring the Jboss ciphers without SHA ones. Now the Chrome does not shows any security warnings.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

Chrome browser reports obsolete cipher (AES_256_CBC with HMAC-SHA1)

3 Answers3