The BestPractices cipher set has been updated to remove two weak ciphers:
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256

The above are the names used in OpenSSL and on the system. They are also known by the following names:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

These ciphers are considered weak because of their use of CBC. In recent years, a set of attacks on CBC ciphers in SSL/TLS have been reported as well as timing and padding attacks.

Note that these ciphers remain available on the system and can be configured into a custom cipher set if required.