Disabling weak ciphers | AEMaaCS

We have identified weak ciphers, such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, at the CDN level during multiple security scans in Adobe Experience Manager as a Cloud Service (AEMaaCS). It’s important to note that we cannot block a weak cipher at the L4 (TCP) level. For more information about this issue, please refer to the following article.

Description

Environment

Adobe Experience Manager as a Cloud Service

Issue/Symptoms

Several security scans detect weak ciphers at the CDN level, such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.

Resolution

AEM does not use these weak ciphers at L7 (HTTP level). The cipher mentioned, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, is likely at L4 (TCP level), as a few security scan solutions test only at L4. We cannot block a weak cipher at L4 (TCP level). Because weak ciphers are used only by old web browser versions, and those will only use HTTP/L7, blocking at the L7 level should mitigate any security concerns.

Cause

Some security scan software applications check for weak ciphers only at the L4 level.
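
To re-check a scanner finding against your own site, the following added example (not Adobe's code) records the two observations this article distinguishes: whether a handshake that offers only this suite completes, and what HTTP status a request on that connection receives. Reading the scanner's "L4" check as handshake-only and "L7" as the HTTP exchange is an assumption, and `probe`, `parse_status` and `verdict` are hypothetical names.

```python
import socket
import ssl

# OpenSSL name for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, the suite named on this page.
CIPHER = "ECDHE-RSA-AES128-SHA256"


def parse_status(status_line):
    """Return the numeric status from an HTTP status line, or None if malformed."""
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe(host, port=443, cipher=CIPHER, timeout=5.0):
    """Offer exactly one TLS 1.2 suite, then send one HEAD request over it."""
    result = {"handshake": False, "negotiated": None, "http_status": None, "error": None}
    try:
        ctx = ssl.create_default_context()
        # set_ciphers() does not govern TLS 1.3 suites, so cap the offer at TLS 1.2.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(cipher)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["handshake"] = True
                result["negotiated"] = tls.cipher()[0]
                req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode("ascii"))
                line = tls.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
                result["http_status"] = parse_status(line)
    except OSError as exc:  # covers ssl.SSLError, timeouts and refused connections
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def verdict(result):
    """Summarise which of the two layers produced a result."""
    if not result["handshake"]:
        return "handshake did not complete"
    if result["http_status"] is None:
        return "handshake completed, no HTTP response"
    return f"handshake completed, HTTP {result['http_status']}"


if __name__ == "__main__":
    import sys
    r = probe(sys.argv[1])  # pass the hostname of your own site
    print(r, "->", verdict(r))
```

A result with `handshake` true and an error or non-2xx `http_status` is the case where a handshake-only scanner and an HTTP-level check would disagree; the `error` field distinguishes certificate or network failures from a refused suite.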
