Deprecated SSL and Weak Ciphers


A vulnerability scan of a Linux server running the LDAP Proxy duoauthproxy will reveal the following vulnerabilities:

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the ‘SSL/TLS: Report Weak and Supported Ciphers’ (OID: NVT.

SSL/TLS: Report Weak Cipher Suites
'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

After checking over the configs and documentation, I am not finding the necessary settings to remove SSLV2/3 nor update the weak ciphers.

Is there an advanced setting or something I am missing?


Hi sd_dbray. At present, there is no option for customers to edit SSL/TLS configuration (both protocol versions and ciphersuites) in the Authentication Proxy.

We do plan to restrict SSL/TLS versions allowed by the proxy, but that is still a work-in-progress.


Thanks for the update, appreciate it.


Are there any updates on restricting SSL/TLS versions allowed by the proxy? Our auditors are finding issues on some of our servers and want us to get these corrected.



Please contact Duo Support to discuss your auditor findings; we’d like more information.


I’m having the same issues with our security department’s scans flagging for weak ciphers. We’ve reached out to DUO support, but we keep getting replies with solutions to harden a web server (from links to commonly found articles via a Google search). Is there a particular subject I should put in a ticket to get my concerns/issues to the correct individual/team? Also, is there a time frame for when this will be addressed? Thanks much.