I have a web API hosted by a simple ASP.Core application using the Kestrel webserver. The webserver runs in a plain ASP.Core docker container under Ubuntu Linux (there is no IIS installation).
We use the SSL Server Test to determine if the SSL configuration is considered secure: https://www.ssllabs.com/ssltest/index.html
Currently we get the F- rating (the worst, which kinda sucks).
We only enable TLS 1.2 which is good, but apparently our TLS 1.2 configuration supports the following cipher suites which are considered very insecure:
This server supports anonymous (insecure) suites (see below for details). Grade set to F.
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256 TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
How can I disable these ciphering mechanisms on the Kestrel webserver running in a container? Preferably by adding code to the application so we can still be configuration independent.
I have already disabled insecure SSLv3, TLS 1.0 and TLS 1.1 by adding the following code:
httpsOptions.SslProtocols = System.Security.Authentication.SslProtocols.Tls12;
The solution was to upgrade from ASP Core 2.2 to ASP Core 3.0-preview8.
This issue is fixed in ASP Core 3.0-preview6 and newer. By default the insecure cipher suites are disabled now. SSL test grade went from F to B without changing the code. See details about the Kestrel cipher suites here: https://github.com/aspnet/AspNetCore/issues/9349
ASP Core 3.0-preview8 is regarded as production-stable and migrating the server from 2.2 was easy (even with the IdentityServer4 library dependency). Here are the instructions we followed to migrate the server: https://learn.microsoft.com/en-us/aspnet/core/migration/22-to-30
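For readers who also want the cipher suite list pinned in code rather than relying on the framework defaults (the "configuration independent" wish in the question), the following is an added example and not code from either the question or the answer. It assumes ASP.NET Core 3.0 or later, where HttpsConnectionAdapterOptions.OnAuthenticate and System.Net.Security.CipherSuitesPolicy are available, an existing Startup class, and a Linux container (CipherSuitesPolicy is applied through OpenSSL and throws PlatformNotSupportedException on Windows). The suite list itself is this example's choice, not the project's.

```csharp
using System.Net.Security;
using System.Security.Authentication;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

namespace KestrelCipherExample
{
    public class Program
    {
        public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

        // Cipher suites offered to clients, strongest first. Every entry gives
        // forward secrecy (ECDHE or the TLS 1.3 key schedule) and AEAD encryption
        // (GCM / ChaCha20-Poly1305). No anonymous (ECDH_anon), NULL, RC4, 3DES or
        // CBC suites are listed, so OpenSSL refuses a handshake with a client that
        // offers only those.
        public static readonly TlsCipherSuite[] AllowedCipherSuites =
        {
            // TLS 1.3 suites (used only when TLS 1.3 is negotiated)
            TlsCipherSuite.TLS_AES_256_GCM_SHA384,
            TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
            TlsCipherSuite.TLS_AES_128_GCM_SHA256,
            // TLS 1.2 suites
            TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
            TlsCipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
            TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        };

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.ConfigureKestrel(kestrel =>
                    {
                        kestrel.ConfigureHttpsDefaults(https =>
                        {
                            // Protocol versions: TLS 1.2 as in the question. TLS 1.3 is
                            // added as well; it is only negotiated when the container's
                            // OpenSSL (1.1.1 or newer) supports it.
                            https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

                            // OnAuthenticate runs for every incoming connection before the
                            // handshake and exposes the SslServerAuthenticationOptions that
                            // Kestrel passes to SslStream.
                            https.OnAuthenticate = (connectionContext, sslOptions) =>
                            {
                                // Restrict the suites OpenSSL may negotiate. Assumption:
                                // the process runs on Linux/macOS; on Windows this throws
                                // PlatformNotSupportedException because SChannel policy
                                // decides the cipher suites instead.
                                sslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(AllowedCipherSuites);
                            };
                        });
                    });

                    // Startup is the application's usual startup class (assumed to exist).
                    webBuilder.UseStartup<Startup>();
                });
    }
}
```

After deploying, re-run the SSL Labs test from the question to confirm the anonymous suites no longer appear; from a shell you can also check against your own server that OpenSSL refuses the handshake when only anonymous suites are offered, e.g. openssl s_client -connect yourhost:443 -tls1_2 -cipher 'aNULL', which should fail with a handshake error rather than connect.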