Why your A grade SSL is 'outdated cryptography' on Chrome
Deep dive on what exactly counts as 'outdated' with your SSL test.
July 12, 2021
So you've installed your certificate, it doesn't use SHA1, your preferred cipher suites use forward secrecy, RC4 is disabled and your site gets an 'A' rating in the SSL Labs handshake test.
Then someone visits your site in Chrome and notices the following:
Your connection to example.com is encrypted with obsolete cryptography.
While SHA1 deprecation gets all the attention, it's also worth noting that Chrome has added other new crypto warnings. From the Chrome developers:
“Your connection to example.com is encrypted with obsolete cryptography” means that the connection to the current website is using an outdated cipher suite.
In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
OpenSSL doesn't support CHACHA20_POLY1305 yet so we're going to focus on AES-GCM for now.
GCM is a block cipher mode. There are other, weaker, block cipher modes:
- CBC, which is still default in many crypto apps
- Others like ECB which are rarer because their flaws are more widely known
Here's something important: OpenSSL doesn't use the IANA standard cipher suite names that Google uses: what OpenSSL calls AES256-SHA is what the rest of the industry calls TLS_RSA_WITH_AES_256_CBC_SHA. In other words:
Thankfully:
- you can look up the OpenSSL documentation to convert the IANA names to the OpenSSL names.
- OpenSSL names for GCM ciphers do actually include 'GCM'. The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 mentioned by Google above is called ECDHE-RSA-AES128-GCM-SHA256 in OpenSSL.
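To make the two points above concrete, here is an added example (not code from the original post) that applies Chrome's "modern cryptography" test to IANA suite names and derives the OpenSSL spelling for the common RSA/ECDHE/DHE AES and ChaCha20 suites. The name conversion is an assumption based on OpenSSL's naming conventions for those suites only; the full mapping is in the OpenSSL documentation the post points to.

```python
import re

# Constructed sample list: the suites named on the page plus a few common ones.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]

# IANA names look like TLS_<key exchange>_WITH_<cipher>_<MAC/PRF hash>.
IANA_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)$")


def _split(iana_name):
    m = IANA_RE.match(iana_name)
    if not m:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {iana_name}")
    return m.group("kx"), m.group("rest")


def classify(iana_name):
    """'modern' only if both of Chrome's conditions hold: forward secrecy
    (ECDHE or DHE key exchange) and an AEAD cipher (AES-GCM or
    CHACHA20_POLY1305). Everything else, e.g. static RSA or CBC, is 'obsolete'."""
    kx, rest = _split(iana_name)
    forward_secrecy = kx.startswith(("ECDHE_", "DHE_"))
    aead = "_GCM_" in rest or "CHACHA20_POLY1305" in rest
    return "modern" if forward_secrecy and aead else "obsolete"


def to_openssl(iana_name):
    """Approximate OpenSSL name (assumption: covers the common RSA/ECDHE/DHE
    AES and ChaCha20 suites, not the whole registry). OpenSSL drops the TLS_
    prefix, writes AES128/AES256 without the underscore, omits 'CBC', omits a
    plain RSA key exchange, and names ChaCha20 without its SHA256 suffix."""
    kx, rest = _split(iana_name)
    parts = [] if kx == "RSA" else kx.split("_")  # static RSA kx is implicit
    if "CHACHA20_POLY1305" in rest:
        return "-".join(parts + ["CHACHA20-POLY1305"])
    cipher = rest.replace("AES_128", "AES128").replace("AES_256", "AES256")
    return "-".join(parts + cipher.replace("_CBC", "").split("_"))


def audit(suites):
    """Map each IANA name to (Chrome verdict, OpenSSL name)."""
    return {s: (classify(s), to_openssl(s)) for s in suites}
```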
So, to fix the warning:
In most cases you shouldn't need to do this yourself:
AWS ELB, nginx, HAProxy and Apache HTTPd users
Use Mozilla's Server Side TLS project, which will generate a config that incorporates this logic.
node.js users
We've added these defaults to the next version of node. You can grab the cipher list from that commit today and use it on existing node or io.js apps to fix the warning.