Why your A grade SSL is 'outdated cryptography' on Chrome

January 25, 2020

So you've installed your certificate, it doesn't use SHA1, your preferred cipher suites use forward secrecy, RC4 is disabled and your site gets an 'A' rating in the SSL Labs handshake test.

Then someone visits your site in Chrome and notices the following:

Your connection to example.com is encrypted with obsolete cryptography.

While SHA1 deprecation gets all the attention, it's also worth noting that Chrome has added other new crypto warnings. From the Chrome developers:

“Your connection to example.com is encrypted with obsolete cryptography” means that the connection to the current website is using an outdated cipher suite.

In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

OpenSSL releases before 1.1.0 (the version that added ChaCha20-Poly1305) don't support CHACHA20_POLY1305, so we're going to focus on AES-GCM for now. On OpenSSL 1.1.0 or later the same reasoning applies to the CHACHA20-POLY1305 suites, which also satisfy Chrome's rule.

GCM is an authenticated (AEAD) block cipher mode: the same operation encrypts a record and integrity-protects it, so there is no separate MAC step for an attacker to probe. There are other, weaker, block cipher modes:

  • CBC, which is still the default in many crypto libraries and applications. In TLS it is combined with a separate MAC (MAC-then-encrypt), and that construction is what made the padding-oracle attacks against TLS (Lucky 13 being the best known) possible, which is why a CBC suite never counts as "modern cryptography".
  • Others like ECB, which are rarer (no TLS cipher suite uses it) because their flaws are more widely known.

Here's something important: OpenSSL doesn't use the IANA standard cipher suite names that Google uses. OpenSSL's short names drop the TLS_ and _WITH_ boilerplate, leave out the key exchange when it is plain RSA, and for the AES suites leave out the mode when it is CBC: what OpenSSL calls AES256-SHA is what the rest of the industry calls TLS_RSA_WITH_AES_256_CBC_SHA. In other words:

OpenSSL won't necessarily show 'CBC' in a cipher suite name even if that cipher suite uses CBC

Thankfully:

  • you can look up the OpenSSL documentation to convert the IANA names to the OpenSSL names.
  • OpenSSL names for GCM ciphers do actually include 'GCM'. The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 mentioned by Google above is called ECDHE-RSA-AES128-GCM-SHA256 in OpenSSL.

So, to fix the warning:

Move GCM cipher suites to the top of your cipher suite list to avoid the obsolete cryptography warning. The order matters because most servers are configured to honour their own preference rather than the client's (nginx's ssl_prefer_server_ciphers on, Apache's SSLHonorCipherOrder on, Node's honorCipherOrder option): with that setting, a CBC suite listed first is exactly what Chrome ends up negotiating, even though Chrome itself offers the GCM suites first.
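The script below is an added example, not code from the original post or from node itself. It applies the rule quoted from the Chrome developers (forward secrecy plus AES-GCM or CHACHA20-POLY1305) to cipher suite names in either the OpenSSL or the IANA form, explains why a suite falls short, and reorders an explicit cipher list so the modern suites come first. The function names and the cipher list it runs on are my own constructions, not anything from a real configuration.

```javascript
'use strict';

// TLS 1.3 suites carry no key-exchange token in their name: the protocol
// always uses an ephemeral (EC)DHE exchange, so they are forward secret.
const TLS13_SUITES = new Set([
  'TLS_AES_128_GCM_SHA256',
  'TLS_AES_256_GCM_SHA384',
  'TLS_CHACHA20_POLY1305_SHA256',
]);

const NO_FS = 'no forward secrecy';
const NOT_AEAD = 'not an AEAD cipher (CBC, RC4 or another non-AEAD cipher)';

// Split either naming scheme into comparable tokens:
// 'ECDHE-RSA-AES128-GCM-SHA256' and 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
// both yield token lists containing ECDHE and GCM.
function tokens(name) {
  return name.toUpperCase().split(/[-_]/).filter(Boolean);
}

// Chrome's rule: the suite must give forward secrecy AND use an AEAD cipher
// (AES-GCM or CHACHA20-POLY1305). A missing mode token means CBC in OpenSSL
// names (AES256-SHA is TLS_RSA_WITH_AES_256_CBC_SHA), so "no GCM/ChaCha
// token" is the CBC signal. Static ECDH/DH and plain RSA key exchange are
// not forward secret; only ECDHE, DHE (EDH in older OpenSSL names) are.
function classify(name) {
  const t = tokens(name);
  const forwardSecret =
    TLS13_SUITES.has(name.toUpperCase()) ||
    t.includes('ECDHE') || t.includes('DHE') || t.includes('EDH');
  const aead =
    t.includes('GCM') || (t.includes('CHACHA20') && t.includes('POLY1305'));
  const problems = [];
  if (!forwardSecret) problems.push(NO_FS);
  if (!aead) problems.push(NOT_AEAD);
  return { name, modern: problems.length === 0, problems };
}

// Reorder an explicit, colon-separated cipher list so that every suite Chrome
// treats as modern precedes every obsolete one, keeping each group's relative
// order. Cipher-string keywords (HIGH, !aNULL, ECDHE+AESGCM, @STRENGTH) are
// rejected on purpose: expand them first with `openssl ciphers 'STRING'`.
function preferModern(cipherList) {
  const suites = cipherList.split(':').filter(Boolean);
  for (const s of suites) {
    if (/[!+@]/.test(s) || !/[-_]/.test(s)) {
      throw new Error(`'${s}' is a cipher-string keyword, not a suite name; expand the list first`);
    }
  }
  const modern = suites.filter((s) => classify(s).modern);
  const obsolete = suites.filter((s) => !classify(s).modern);
  return modern.concat(obsolete).join(':');
}

// Options for Node's https.createServer / tls.createServer: `ciphers` takes
// OpenSSL names, and honorCipherOrder makes the server's order win over the
// client's, which is why the position of the GCM suites matters.
function serverOptions(cipherList) {
  return { ciphers: preferModern(cipherList), honorCipherOrder: true };
}

// Constructed example of a CBC-first list (not taken from any real config).
const EXAMPLE_LIST = [
  'ECDHE-RSA-AES256-SHA384',
  'AES256-SHA',
  'ECDHE-RSA-AES128-GCM-SHA256',
  'AES128-GCM-SHA256',
  'ECDHE-RSA-CHACHA20-POLY1305',
].join(':');

// One human-readable verdict line per suite.
function report(cipherList) {
  return cipherList.split(':').map((s) => {
    const c = classify(s);
    const why = c.modern ? '' : '  (' + c.problems.join('; ') + ')';
    return `${c.modern ? 'modern  ' : 'obsolete'}  ${s}${why}`;
  });
}

console.log(report(EXAMPLE_LIST).join('\n'));
console.log('reordered:', serverOptions(EXAMPLE_LIST).ciphers);
```

To check what an OpenSSL short name actually stands for, `openssl ciphers -v 'AES256-SHA'` prints the key exchange, authentication, cipher and MAC columns (Kx=RSA, Au=RSA, Enc=AES(256), Mac=SHA1), and on OpenSSL 1.1.1 or later `openssl ciphers -stdname` prefixes each suite with its IANA name. Note that the script treats the CHACHA20-POLY1305 suites as modern, which only matters on an OpenSSL build that has them.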

In most cases you shouldn't need to do this yourself:

AWS ELB, nginx, HAProxy and Apache HTTPd users

Use Mozilla's Server Side TLS project, which will generate a config that incorporates this logic.

node.js users

For node.js: we've added these defaults to the next version of node. You can grab the cipher list from that commit today and use it on existing node or iojs apps to fix the warning.