Disabling weak ciphers | AEMaaCS

We have identified weak ciphers, such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, at the CDN level during multiple security scans in Adobe Experience Manager as a Cloud Service (AEMaaCS). It’s important to note that we cannot block a weak cipher at the L4 (TCP) level. For more information about this issue, please refer to the following article.

Description description


Adobe Experience Manager as a Cloud Service


Several security scans detect weak ciphers at the CDN level, such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.

Resolution resolution

AEM does not use these weak ciphers at the L7 (HTTP level). The mentioned cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is likely at L4 (TCP level) as there are a few security scan solutions that will only test at L4. We cannot block a weak cipher at L4 (TCP level). Since weak ciphers are only used by old web browser versions, blocking at the L7 level should mitigate any security concerns since those will only use HTTP/L7.

Some security scan software applications only check weak ciphers at the L4 level.