
What are weak cipher suites and how do I fix them?

Overview

Weak cipher suites are TLS cipher suites that rely on outdated or insecure algorithms. Offering them gives an old or misconfigured client, or an attacker who can influence the negotiation, a path to a connection that is weaker than the best suite the service supports. The scanner reports this issue when a service offers suites such as those with weak RSA usage (for example static RSA key exchange, which provides no forward secrecy), 3DES, RC4, or CBC-mode ciphers.

Using weak cipher suites may also violate compliance requirements from NIST, PCI-DSS, or ISO 27001.

Verify Weak Cipher Suites

To check which protocol versions and cipher suites a service currently offers, run the following command from a trusted system that can reach the target on those ports:

nmap --script ssl-enum-ciphers -p <ports> <target-ip>

The output lists each SSL/TLS version the service accepts and, under each version, the cipher suites it offers, with a letter grade per suite and a "least strength" summary at the end. Run it against the same IP and ports the scanner reported. If the target sits behind a load balancer or TLS-terminating proxy, the suites you see belong to that device and must be fixed there rather than on the backend.

Application TLS vs Operating System TLS

Services running on affected ports may use their own TLS stack (such as OpenSSL or BoringSSL) instead of the operating system default (such as Windows SCHANNEL).

If the service uses its own TLS stack, operating system-level TLS and cipher settings have no effect on it, and the weak suites must be disabled in the application or service configuration instead. On Linux, a quick way to tell is to check which TLS library the process loads (for example, ldd on the binary, or the libssl entries in the process's /proc/<pid>/maps); a stack such as BoringSSL is often statically linked, shows no separate library, and is configured entirely inside the application.
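As an added illustration (not from the original article), the following shows what "disable weak ciphers in the application configuration" looks like for a service that uses its own OpenSSL rather than the operating system policy, using nginx as the example. The two server blocks are the before and after versions of the same virtual host, so only one of them would be present in a real configuration; the hostname and certificate paths are placeholders.

```nginx
# Added example, not from the original article. nginx links its own OpenSSL,
# so the operating system cipher policy does not apply; these directives do.
# example.internal and the /etc/nginx/tls paths are placeholders.

# BEFORE: legacy protocol versions are still allowed, and "ALL" lets OpenSSL
# offer static RSA key exchange, CBC-mode suites and 3DES (and RC4 on builds
# that still include it). Exactly which of these appear depends on the
# linked OpenSSL build, which is why the nmap check is authoritative.
server {
    listen 443 ssl;
    server_name example.internal;
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL;
}

# AFTER: TLS 1.2 and 1.3 only, and only forward-secret (ECDHE) AEAD suites
# for TLS 1.2. TLS 1.3 suites are not governed by ssl_ciphers and are all
# AEAD, so nothing weak can be negotiated there.
server {
    listen 443 ssl;
    server_name example.internal;
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}

# Validate and apply with: nginx -t && nginx -s reload
# Then re-run the nmap ssl-enum-ciphers check against the listening port.
```

The same idea applies to any service with its own TLS stack: the setting that matters is the one the application reads, and the nmap output is the only reliable confirmation that the change took effect.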

Disable Weak Cipher Suites

  1. Disable the weak suites in the operating system or application configuration, depending on which TLS stack the service uses (see above).
  2. Restart or reload the affected service so the new configuration is loaded.
  3. Run the same nmap command again and confirm that none of the reported suites is still offered.
  4. Re-scan using your network scan profile to verify the issue is resolved.
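The before and after nmap checks in the procedure above can be scripted so the comparison is repeatable. The following shell script is an added example, not part of the original article: it parses the output of the nmap ssl-enum-ciphers command shown earlier and lists the deprecated protocol versions and weak cipher suites the service still offers, returning a non-zero status when anything weak remains. The weak-suite criteria follow the article (static RSA key exchange, 3DES, RC4, CBC mode) plus NULL, EXPORT, anonymous and MD5 suites; the function names and the sample scan output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article). Parses the output of
#   nmap --script ssl-enum-ciphers -p <ports> <target-ip>
# and reports deprecated protocol versions and weak cipher suites, so the
# "verify, fix, verify again" loop can be scripted and used as a gate.

# Suite-name patterns treated as weak: static RSA key exchange (no forward
# secrecy), 3DES, RC4, CBC mode, and NULL/EXPORT/anonymous/MD5 suites.
WEAK_SUITE_PATTERN='^TLS_RSA_WITH|3DES|RC4|_CBC_|NULL|EXPORT|anon|_MD5'

# Reads nmap output on stdin; prints each weak suite name, one per line.
# Returns 1 if any were found, 0 otherwise.
flag_weak_ciphers() {
    awk -v pat="$WEAK_SUITE_PATTERN" '
        # nmap prints each suite as "|       TLS_... (kex) - GRADE"
        $1 == "|" && $2 ~ /^TLS_/ && $2 ~ pat { print $2; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Reads nmap output on stdin; prints the SSLv2/SSLv3/TLSv1.0/TLSv1.1
# version headers the service accepted. Returns 1 if any were found.
flag_old_protocols() {
    awk '
        $1 == "|" && $2 ~ /^(SSLv[23]|TLSv1\.[01]):$/ {
            sub(/:$/, "", $2); print $2; found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# $1: complete nmap output as a single string. Prints a summary and returns
# 1 if the service still offers a deprecated version or a weak suite.
audit_nmap_output() {
    status=0
    echo "Deprecated protocol versions offered:"
    printf '%s\n' "$1" | flag_old_protocols || status=1
    echo "Weak cipher suites offered:"
    printf '%s\n' "$1" | flag_weak_ciphers || status=1
    return "$status"
}

# $1: target IP, $2: port list. Runs the scan from the article and audits
# it. Needs nmap and network reach, so it is not called in the demo below.
check_target() {
    audit_nmap_output "$(nmap --script ssl-enum-ciphers -p "$2" "$1")"
}

# Constructed sample of ssl-enum-ciphers output before remediation (not a
# real scan): TLS 1.0 still enabled, 3DES/RC4/CBC and static-RSA suites.
SAMPLE_BEFORE='| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|_  least strength: C'

# Constructed sample after remediation: TLS 1.2 with ECDHE AEAD suites only.
SAMPLE_AFTER='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A'

echo "== before =="
audit_nmap_output "$SAMPLE_BEFORE" || echo "RESULT: weak configuration"
echo "== after =="
audit_nmap_output "$SAMPLE_AFTER" && echo "RESULT: clean"
```

In practice you would replace the constructed samples with check_target <target-ip> <ports> before and after the configuration change; a non-zero exit means step 3 of the procedure has not yet been satisfied. Note that a suite is flagged by its name alone, which matches how the scanner classifies the issue, regardless of the letter grade nmap assigns it.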