Need help on strong ciphers/SSL Certificate for images to load

ssl
cards

#1

Hello Team,

Currently, the organization I work at is facing an issue with Twitter Cards. Here are the details about the issue: when we tried to test our website page with the Twitter Card validator tool, it returned “Fetching the page failed because of other errors.” We did further investigation and found that the issue could be related to our SSL certificate. When we verified the SSL certificate attributes, we came to know that we are using the following list of strong ciphers:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA256

Eventually, we found that the above-listed ciphers are not compatible with Twitter Cards because Twitter Cards are using TLS_RSA_WITH_AES_256_CBC_SHA, which seems a weak/old cipher. To confirm and validate this scenario, we reverted our cipher settings to “TLS_RSA_WITH_AES_256_CBC_SHA” and Twitter Cards were working as expected.

As per our organization’s policy, we want to use the strong ciphers (as listed above) and want Twitter Cards to be functional. In our case this is not possible at this moment, so could you please help us know within what timeframe Twitter Cards will support the strong ciphers, especially the above-mentioned ones?


#3

Hi @TheRudyMajid - Twitter’s web crawler currently supports the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher that you mentioned and explicitly disallows the TLS_RSA_WITH_AES_256_CBC_SHA cipher you say you’ve reverted to.

Could you please share an example URL which we can test against?


#4

Thanks for the response, Aurelia!

Unfortunately, we’re running a lot of social media campaigns and I am unable to revert it back and leave it for too long, as it would impact our campaigns, since the Twitter Cards don’t populate when I revert back. However, I was able to do it momentarily and take some screenshots for you.

Attached are the ciphers that we ran (and want to run in the future), and then attached is the error we get when we post on Twitter.

Here are the ciphers we wanted to run:

Here is what happens:

So could you recommend a list of strong ciphers that we can use?


#5

@Aurelia any luck?


#6

Hello @TheRudyMajid - apologies for the delay, I completely missed your first response here. Thanks for providing these details. I’m looking into this and I’ll let you know when I have more information.


#7

@TheRudyMajid - Our team has used https://sha384.badssl.com/ to test the first cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and we can confirm we can establish an SSL handshake using this cipher. Looking at the SSLLabs report https://www.ssllabs.com/ssltest/analyze.html?d=sha384.badssl.com we can see that this domain also supports the cipher suites you listed. Our crawler doesn’t support any Ephemeral Diffie-Hellman (DHE) ciphers, but does support the rest of the suggested secure cipher suites from https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites. Without having a live version of the problematic SSL configuration to test against, it will be hard to find out more info.

Please give these cipher suites a shot and let us know.
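A small probe, added here as an example and not code from the thread or from Twitter, that offers each suite named in this thread to a server one at a time over TLS 1.2 and reports whether it is negotiated. The IANA-to-OpenSSL name mapping and the key-exchange classification are my own helpers (AES suites only), and sha384.badssl.com is the default target only because post #7 uses it.

```python
import socket
import ssl
import sys

# Cipher suites named in this thread (IANA names). The fourth one has no OpenSSL
# equivalent, which the probe reports instead of silently skipping it.
THREAD_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

def iana_to_openssl(name: str) -> str:
    """Convert an IANA TLS 1.2 AES suite name to OpenSSL's cipher-string name."""
    parts = [p for p in name.removeprefix("TLS_").split("_") if p != "WITH"]
    i = parts.index("AES")                                # assumption: AES suites only
    kx_auth = [] if parts[:i] == ["RSA"] else parts[:i]   # static RSA has no kx prefix
    tail = [t for t in parts[i + 2:] if t != "CBC"]       # OpenSSL omits "CBC"
    return "-".join(kx_auth + ["AES" + parts[i + 1]] + tail)

def key_exchange(name: str) -> str:
    """'ECDHE', 'DHE', or 'RSA' (static RSA key transport, no forward secrecy)."""
    kx = name.removeprefix("TLS_").split("_")[0]
    return kx if kx in ("ECDHE", "DHE") else "RSA"

def probe(host: str, suite: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Offer only `suite` over TLS 1.2 and report (accepted, detail)."""
    ctx = ssl.create_default_context()
    # Pin TLS 1.2: a TLS 1.3 handshake would pick its own suites and mask the result.
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(iana_to_openssl(suite))
    except (ssl.SSLError, ValueError):
        return False, "no such suite in the local OpenSSL build"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "negotiated " + tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return False, f"handshake failed: {exc}"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sha384.badssl.com"
    for s in THREAD_SUITES:
        ok, detail = probe(target, s)
        print(f"{s:40} kx={key_exchange(s):5} {'OK' if ok else 'NO'} {detail}")
```

Run it against your own host to see which of the listed suites your server actually accepts; a suite that is rejected here cannot be the one the crawler negotiates.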


closed #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.