CECPQ1 (Combined Elliptic-Curve and Post-Quantum 1)
Combined elliptic-curve and post-quantum 1[399][400][401] (CECPQ1) is a post-quantum cryptography[158][159] key exchange[133] algorithm developed by Google, LLC[465][466] to resist quantum computing[167] attacks. In Transport Layer Security[234], it combines the X25519[451] (based on the elliptic curve[116][117] Curve25519[283]) and NewHope[439][440][441][442] Elliptic-curve Diffie–Hellman[114][115] algorithms. It provides forward secrecy[127][128][129][130], and so protects past sessions against future compromises: if long-term secret keys or passwords are compromised, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted.
Always prefer cipher suites with the PFS property over non-PFS ones. Note that performance considerations imply preferring Ephemeral Elliptic-curve Diffie–Hellman[432][433] over Ephemeral Diffie-Hellman[405][406][407][408]. Also note that combined elliptic-curve and post-quantum 1[399][400][401] was succeeded by combined elliptic-curve and post-quantum 2[402][403].
128
The symmetric key[185][186][187] has a key size[184] of more than 128 bits, as it should according to the National Institute of Standards and Technology[470][471], so it is not vulnerable to a preimage attack[67]. It can reliably prove that a message came from the stated sender (its authenticity) and has not been changed, so the connection is not open to a man-in-the-middle attack[61].
Remove the cipher suite from the list of cipher suites supported by your server.
POLY1305
Poly1305 is a message authentication code[135][136][137][138] based on universal hashing[150][151][152][153], which is considered secure. It provides authenticated encryption[74], which simultaneously assures the confidentiality[91][92][93] and authenticity[75][76][77] of data. Together with the stream cipher[182][183] ChaCha20, ChaCha20-Poly1305[328][329][330] gives better performance on mobile devices under the same conditions of security.
If your application or requirements specifically call for the use of a message authentication code[135][136][137][138] that does not provide authenticated encryption[74], prefer a block cipher mode of operation[82][83][84][85][86] (e.g. counter with CBC-MAC[32][33][34] or Galois/Counter Mode[46][47][48][49]) or a message authentication code[135][136][137][138] (e.g. Poly1305[458][459]) that provides authenticated encryption over the ones that do not provide it. In the case of a hashed message authentication code[139][140][141][142][143][144][145], prefer a message authentication code[135][136][137][138] based on Secure Hash Algorithm 2[212][213][214] over the ones based on Secure Hash Algorithm 1[202][203][204].
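The preferences stated in the CECPQ1 and POLY1305 sections (forward secrecy first, authenticated encryption over plain HMAC, SHA-2 HMAC over SHA-1, ECDHE over DHE for performance) can be applied mechanically to a server's suite list. The following is an added example, not code from the original page; the function names, the ordering of the tie-breakers and the sample list are assumptions made for illustration.

```python
# Added example: order TLS 1.2-style suite names by the preferences above.
PFS_KEX = {"ECDHE", "DHE", "CECPQ1"}             # ephemeral key exchanges
AEAD_TAGS = ("GCM", "CCM", "CHACHA20_POLY1305")  # authenticated encryption

# Constructed sample list, not taken from a real server configuration.
SAMPLE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

def classify(name):
    """Split an IANA-style name into key exchange and integrity properties."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    kex_part, rest = name[4:].split("_WITH_", 1)
    kex = kex_part.split("_")[0]
    last = rest.rsplit("_", 1)[-1]
    if any(tag in rest for tag in AEAD_TAGS):
        mac = "AEAD"            # trailing hash is the PRF hash, not an HMAC
    elif last in ("SHA256", "SHA384"):
        mac = "HMAC-SHA2"
    elif last == "SHA":
        mac = "HMAC-SHA1"
    else:
        mac = "other"
    return {"name": name, "kex": kex, "pfs": kex in PFS_KEX, "mac": mac}

def preference_key(info):
    """PFS first, then AEAD > HMAC-SHA2 > rest, then non-DHE over DHE."""
    mac_rank = {"AEAD": 2, "HMAC-SHA2": 1}.get(info["mac"], 0)
    return (info["pfs"], mac_rank, info["kex"] != "DHE")

def rank(names):
    """Return the names, most preferred first (ties keep input order)."""
    infos = sorted(map(classify, names), key=preference_key, reverse=True)
    return [i["name"] for i in infos]

def non_pfs(names):
    """Suites without forward secrecy, in input order."""
    return [n for n in names if not classify(n)["pfs"]]

if __name__ == "__main__":
    for n in rank(SAMPLE):
        c = classify(n)
        print(f"{n:48} pfs={c['pfs']!s:5} mac={c['mac']}")
    print("no forward secrecy:", non_pfs(SAMPLE))
```

TLS 1.3 suite names carry no key exchange component and are rejected by `classify` with a `ValueError`.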