How to disable CBC-mode ciphers

You can use !SHA1:!SHA256:!SHA384 to disable all CBC mode ciphers. There are some non-CBC false positives that will also be disabled (RC4, NULL), but you probably also want to disable them anyway.

Note that while GCM and CHACHA20 ciphers have SHA* in their name, they're not disabled because they use their own MAC algorithm. The SHA* in their name is for the PRF, not the MAC

I've spent a fair amount of time over the last couple of days trying to get a perfect list for ssllabs. Thanks in part to this, here's what works:


According to the list of Cipher Strings given in the documentation (man ciphers) there is no string describing all CBC ciphers. This means there is no simple way to disable all of these (and only these) with a simple !CBC or similar.