How to disable CBC-mode ciphers

You can use !SHA1:!SHA256:!SHA384 to disable all CBC mode ciphers. There are some non-CBC false positives that will also be disabled (RC4, NULL), but you probably also want to disable them anyway.

Note that while GCM and CHACHA20 ciphers have SHA* in their name, they're not disabled because they use their own MAC algorithm. The SHA* in their name is for the PRF, not the MAC


I've spent a fair amount of time over the last couple of days trying to get a perfect list for ssllabs. Thanks in part to this, here's what works:

SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384

According to the list of Cipher Strings given in the documentation (man ciphers) there is no string describing all CBC ciphers. This means there is no simple way to disable all of these (and only these) with a simple !CBC or similar.

Tags:

Openssl

Cipher Selection

Related

Why do some people think linux machine accounts with passwords are more secure than accounts without passwords? MacOS Ransomware with EFI Lock How to encypt sensitive data in database of a web app? How to use YubiKey through GnuPG on remote server? PayPal payment reversal; scammer at work? Privacy: can my employer access sensitive information if they pay my mobile subscription? I bought the hardware myself Understanding a TLS 1.3 0-RTT replay attack Should a vulnerability in a service that is present on the device, but not running and not used at all, be mentioned in the vulnerability report? Does the X-Permitted-Cross-Domain-Policies header have any benefit for my website if I'm not using Adobe products? HTTP Digest Authentication: Does the server store plaintext passwords? Someone is trying to access my mail account, what safe actions can I take? Are encrypted Cookies vulnerable to Padding Oracle Attacks

Recent Posts