Obsolete connection settings

Hello,

I have a security certificate (Certify The Web), but when I look at a site that has this certificate it says:
'Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with X25519, and AES_256_CBC with HMAC-SHA1.

  • AES_256_CBC is obsolete. Enable AES-GCM-based cipher suite.

How do I fix this? Is it a case of checking for updates and installing them? I see there is a version 5.6.8 available.
I am currently on Version 4.1.6.0.

I look forward to your reply.

Thanks in advance.
Phil Williams

Hi Phil,

The issue is the TLS protocols/cipher suites currently enabled on your server, which Certify does not reconfigure for you. Certify The Web just helps acquire and renew your TLS/SSL certificates. You are on an old Certify version, so I’d recommend you upgrade if you can, but that’s not the cause of this issue.

You don’t mention which version of Windows you are running, but I’m guessing it’s older (like 2012 or even 2008 R2). I recommend using the best practices mode of Nartac Software - IIS Crypto, which is a free tool to configure the various registry settings for TLS protocols and cipher suites. You need to restart after applying the recommended settings.

Over the years, certain combinations of TLS become considered insecure (either there’s a flaw in the algorithm or they’re too easy to crack, etc.). So settings that were good years ago are often no longer good enough.

Note that the settings and support vary by operating system (different operating system versions support different protocols and cipher suites), so there may be more to do once you have applied these settings.
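
One way to confirm the result after applying the settings and restarting, as an added example that is not part of the original thread or of Certify The Web: a Python check that connects to your own site, offers both AES-GCM and CBC suites, and reports which one the server picks. The names `classify_suite`, `probe` and `OFFER` are assumptions of this example; note that OpenSSL-style names omit "CBC", so the suite in the browser message above appears as `ECDHE-RSA-AES256-SHA`.

```python
import socket
import ssl
import sys

# Offer AEAD suites first, then CBC suites, so the server's own choice is visible.
# (Assumed OpenSSL cipher string for this example; it governs TLS 1.2 and below.)
OFFER = "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES"

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
BLOCK_CIPHERS = ("AES", "CAMELLIA", "DES", "SEED", "IDEA")


def classify_suite(name):
    """Return 'aead', 'cbc' or 'other' for an OpenSSL- or IANA-style suite name."""
    upper = name.upper()
    if any(marker in upper for marker in AEAD_MARKERS):
        return "aead"
    # OpenSSL names leave out "CBC": a block cipher with no AEAD marker is CBC mode.
    if any(cipher in upper for cipher in BLOCK_CIPHERS):
        return "cbc"
    return "other"


def probe(host, port=443, timeout=5.0):
    """Handshake with host and return (protocol, suite, classification)."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(OFFER)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                suite = tls.cipher()[0]
                return tls.version(), suite, classify_suite(suite)
    except ssl.SSLError as exc:
        # No shared suite or protocol, or the certificate failed validation.
        return None, None, "handshake failed: %s" % exc


if __name__ == "__main__":
    # Usage: python check_suite.py <your site's host name>
    proto, suite, kind = probe(sys.argv[1])
    print(proto, suite, kind)
    if kind == "cbc":
        print("Server chose a CBC suite although AES-GCM was offered.")
```

A result of `cbc` after the restart means the server still either lacks or does not prefer an AES-GCM suite, which matches the note above that older Windows versions may need more than the recommended settings.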