I need to remove support for weak servers on a site we host. This is a highly secured site where customer data is extremely sensitive and our customers and auditors require that we drop support for weak ciphers.
My challenge is that I don't know the best way to advise customers to make this change. They do not need to drop support for weak ciphers, as they may need to connect to other sites, but they do need to make sure that they can support strong ciphers. We know that we have a small percentage of customers that still negotiate TLS with a weak cipher to us.
So are ciphers only configured at the OS level? Is all TLS/cipher logic exclusively managed by the OS? Or, can custom apps (including browsers) contain their own TLS/cipher logic that bypasses OS configs and even use ciphers that aren't even installed on the OS? I've seen some discussions about changing ciphers within Chrome, but I can't find any authoritative statement about how this works or how it would interact with OS cipher configurations.
Thanks for any ideas!