Disable ciphers suites which utilize SHA-1 message authentication and/or DH or DHE key exchanges

We host a website for a customer who has reported an issue in the ciphers suite being used for TLS in their website. The said customer is a financial institution. I have attached their assessment of the issue at the bottom.

This link (Ciphers - How to configure) suggests Netlify will update its Cipher suite. Another thread suggested deployed a custom SSL certificate. We use Netlify as a “managed” platform for automatically deploying generated websites. Do you have a suggested way to fix this issue?

------- Our customer’s assessment report ----



Remediate Security Vulnerability on XXXXX.com/ found by WAVM: Insufficient Transport Layer Protection

SHA-1 The TLS endpoint supports the use of ciphers with SHA-1 message authentication. #### Attack Details Date: 2020-03-01 18:12:10.481406765 +0000 UTC Target: XXXXX.com:443 IP Address: Supported ciphers: RFC Code Key Enc Bits Mac Protocol(s) Legend TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [0xC014] ECDH AES 256 SHA1 TLS1.2 SHA TLS_RSA_WITH_AES_256_CBC_SHA [0x0035] RSA AES 256 SHA1 TLS1.2 SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [0xC013] ECDH AES 128 SHA1 TLS1.2 SHA TLS_RSA_WITH_AES_128_CBC_SHA [0x002F] RSA AES 128 SHA1 TLS1.2 SHA

Vulnerability URLs

Solution Disable ciphers suites which utilize SHA-1 message authentication and/or DH or DHE key exchanges.

I don’t think a custom certificate will help. There has been a lot of work done on the upgrade to the new CDN software version that is blocking the config change, but it is still not ready for production. I’ll follow up here when things change!

We have an update for you on this topic. Back in May we updated our cipher suites. Would you please re-run your test and let us know how its looking now? Thank you!