Weak Ciphers Used on the Login Page

Overview

Security audits of applications sometimes flag certain TLS/SSL cipher suites used on the Auth0 login pages as weak.

Here are some example ciphers:

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
  • TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

This article clarifies why Auth0 supports these ciphers and whether there is any way to remove them.

Applies To

  • TLS/SSL Ciphers
  • Auth0 Login Page

Cause

Auth0 supports a relatively large set of cipher suites to strike a balance between security and usability.

Certain older devices do not support modern ciphers. Using only a ‘strong’ set of ciphers might well break things for many customers and end-users, such as users of legacy smartphones.

Solution

There is no direct way to change the ciphers supported in Auth0 login pages.

The following are the only two ways to remove these ciphers:

  1. Use Custom Domains in conjunction with self-managed certificates: Configure Custom Domains with Self-Managed Certificates. A custom domain, used in conjunction with self-managed certificates, will permit complete control over the termination of SSL/TLS connections and offer the ability to implement a preferred set of ciphers.
  2. Use Auth0 Private Cloud - There is more control over the ciphers used with Auth0 Private Cloud deployments. With the Auth0 public cloud, the options are limited to the self-managed Custom Domain solution above.
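If you take the self-managed custom domain route, you will want to confirm that the flagged suites are actually gone from the endpoint you now terminate TLS on. The following Python script is an added example (not Auth0's code and not part of this article) that offers each of the eight suites listed above to a host one at a time, using only the standard library `ssl` module, and records whether the server accepts it. It also states why scanners flag these suites: the `TLS_RSA_*` ones use static RSA key exchange and so lack forward secrecy, and all eight use CBC mode with a separate MAC rather than an AEAD cipher. The host name `auth.example.com` is a constructed placeholder; the IANA-to-OpenSSL suite name mapping follows standard OpenSSL naming.

```python
"""Probe a TLS endpoint for the cipher suites an audit flagged.

Added example, not Auth0's code. `auth.example.com` is a constructed
placeholder; substitute the custom domain on which you terminate TLS.
"""
import socket
import ssl

# The eight suites named in the article, mapped to the OpenSSL names that
# the Python `ssl` module understands. All of them are TLS 1.2 suites.
FLAGGED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def audit_reasons(iana_name: str) -> list[str]:
    """Explain why a scanner typically flags a TLS 1.2 suite, from its IANA name.

    Two properties are checked: whether the key exchange provides forward
    secrecy (ECDHE or DHE) and whether the cipher is an AEAD mode rather than
    CBC with a separate MAC. An empty list means neither concern applies.
    TLS 1.3 names (no `_WITH_`) are rejected, as they carry no key exchange.
    """
    if not iana_name.startswith("TLS_") or "_WITH_" not in iana_name:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {iana_name}")
    kex, cipher = iana_name[len("TLS_"):].split("_WITH_", 1)
    reasons = []
    if not any(tok in kex.split("_") for tok in ("ECDHE", "DHE")):
        reasons.append("static RSA key exchange: no forward secrecy")
    if "_CBC_" in f"_{cipher}_":
        reasons.append("CBC mode with separate MAC: not AEAD")
    return reasons


def probe_suite(host: str, openssl_name: str, port: int = 443,
                timeout: float = 5.0) -> str:
    """Offer exactly one TLS 1.2 suite to `host` and report the outcome.

    Returns "accepted" (server negotiated it), "rejected" (server refused
    the handshake or picked something else) or "untestable" (the local
    OpenSSL build will not even offer the suite, e.g. due to its security level).
    """
    ctx = ssl.create_default_context()  # keeps certificate verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has its own suites
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        return "untestable"
    if not ctx.get_ciphers():
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                negotiated, _protocol, _bits = tls.cipher()
                return "accepted" if negotiated == openssl_name else "rejected"
    except (ssl.SSLError, ConnectionError):
        return "rejected"


def audit_endpoint(host: str, port: int = 443) -> dict[str, tuple[str, list[str]]]:
    """Probe every flagged suite against `host`; map IANA name -> (status, reasons)."""
    return {
        iana: (probe_suite(host, name, port), audit_reasons(iana))
        for iana, name in FLAGGED_SUITES.items()
    }


if __name__ == "__main__":
    import sys
    # Constructed placeholder; pass your own custom domain as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "auth.example.com"
    for iana, (status, why) in audit_endpoint(target).items():
        print(f"{status:10} {iana:42} {'; '.join(why)}")
```

Run it as `python probe.py your-custom-domain.example` after changing the cipher configuration on your own TLS terminator; every line should read `rejected` once the flagged suites are disabled. A line reading `untestable` means the client-side OpenSSL refused to offer that suite at all, which says nothing about the server and should be re-checked from a host with a more permissive OpenSSL security level.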

If there are any technical questions about either of the above options, please create a ticket via the Support Center or post a question to our Community forum.