Last Updated: Dec 5, 2024
Overview
A security audit of applications in a public cloud tenant reported that the tenant's Auth0 login page accepts TLS/SSL cipher suites that the scanning tool classes as ‘weak’.
The following ‘weak’ ciphers were supported by the server and should be disabled:
- TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
- TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
- TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
- TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
This article clarifies why Auth0 supports these ciphers and whether there is any way to remove them.
Applies To
- TLS/SSL Ciphers
- Auth0 Login Page
Cause
These suites are flagged for two reasons: the four TLS_RSA_* suites use static RSA key exchange and therefore provide no forward secrecy, and all eight use CBC mode with a separate MAC rather than an AEAD construction such as AES-GCM. None of them is broken in the sense of a practical decryption attack, but scanners mark them as ‘weak’ because stronger alternatives exist.
The concern for the public cloud is therefore legitimate. In practice, however, a balance between security and usability must be struck: offering only the ‘strong’ set (AEAD suites with ECDHE key exchange) would break logins for many customers and end-users whose clients, such as legacy smartphones and older embedded browsers, do not support those suites.
Solution
There is no direct way to remove these ‘weak’ ciphers from the shared public-cloud login endpoint; its cipher configuration is managed by Auth0 and is not tenant-configurable.
If this issue is of grave concern, there is the option of deploying Custom Domains in conjunction with self-managed certificates: Configure Custom Domains with Self-Managed Certificates.
With a custom domain and self-managed certificates, TLS is terminated on infrastructure under the tenant's control (for example a reverse proxy, load balancer or CDN in front of Auth0), which permits complete control over the termination of SSL/TLS connections and the ability to enforce a preferred set of ciphers. The cipher policy is then whatever that terminator enforces, so rescan the custom domain after the change to confirm the audit finding is resolved.
An alternative (though more expensive) option would be to migrate to a Private cloud instance.
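The following is an added example for this article, not Auth0 code: it maps the eight suites from the audit report to the names OpenSSL (and therefore Python's ssl module) uses, explains why each is flagged, contrasts a legacy-compatible cipher policy that still accepts them with a hardened policy for a self-managed TLS terminator, and includes a probe that reproduces the scanner's finding against a host of your choice. The host name in the usage line is a placeholder, and the two cipher strings are an illustrative policy rather than an Auth0 recommendation.

```python
"""Triage a 'weak cipher' audit finding and model a replacement policy.

Added example for this article; it is not Auth0 code. The host name used
in the usage line at the bottom is a placeholder, and the cipher strings
are an illustrative policy, not a recommendation from Auth0.
"""
import socket
import ssl

# The eight suites from the audit report. Scanners print IANA names;
# OpenSSL (and therefore Python's ssl module) uses its own names, so the
# mapping is needed before they can be tested or configured.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def why_flagged(iana_name):
    """Return the reasons a scanner would class a TLS 1.2 suite as weak."""
    reasons = []
    if iana_name.startswith("TLS_RSA_WITH_"):
        reasons.append("static RSA key exchange: no forward secrecy")
    if "_CBC_" in iana_name:
        reasons.append("CBC mode with separate MAC: not an AEAD suite")
    return reasons


def permissive_context():
    """Server-side context that still accepts the audited suites.

    Models a legacy-compatible terminator: ECDHE and static-RSA key
    exchange, GCM and CBC modes. This is the shape of policy that keeps
    old clients working and trips the audit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+AES:kRSA+AES:!aNULL")
    return ctx


def hardened_context():
    """Server-side context for a self-managed terminator in front of the
    custom domain: TLS 1.2+, ECDHE key exchange only, AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: '+' is AND, ':' is OR, '!' removes
    # permanently. kRSA is static RSA key exchange; aNULL is unauthenticated.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!kRSA")
    return ctx


def offered_suites(ctx):
    """OpenSSL names of every suite the context would offer or accept."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def probe(host, port=443, suites=IANA_TO_OPENSSL):
    """Reproduce the audit finding: offer each suite alone and record which
    ones the server accepts. Needs network access; not used by the checks."""
    accepted = []
    for iana, ossl in suites.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Pin to TLS 1.2: under TLS 1.3 the server would pick a 1.3 suite
        # regardless of this list and the probe would prove nothing.
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing negotiation, not identity
        try:
            ctx.set_ciphers(ossl)
        except ssl.SSLError:
            continue  # local OpenSSL build cannot offer this suite
        try:
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append((iana, tls.cipher()[0]))
        except (ssl.SSLError, OSError):
            pass  # handshake refused: the server does not accept this suite
    return accepted


if __name__ == "__main__":
    for name in IANA_TO_OPENSSL:
        print(name, "->", "; ".join(why_flagged(name)))
    print("permissive offers:", offered_suites(permissive_context()))
    print("hardened offers:", offered_suites(hardened_context()))
    # Point the probe at the custom domain under test, for example
    # probe("login.example.com")  # placeholder host name
```

Note that the four ECDHE suites in the report are flagged only for CBC mode; they already provide forward secrecy, so a scanner that also weights key exchange will rank them above the TLS_RSA_* suites. The probe pins TLS 1.2 deliberately: all eight suites are TLS 1.2 suites, and a TLS 1.3 handshake ignores the legacy cipher list entirely.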
If there are any technical questions about either of the above options, then please create a ticket via the Support Center or post a question to our Community forum.