[openssl-users] To disable CBC ciphers

murugesh pitchaiah murugesh.pitchaiah at gmail.com
Wed Oct 17 13:29:21 UTC 2018


You can list which ciphers are configured with "openssl ciphers".
Choose the CBC ciphers and add them to the 'ssl_ciphers' list, each with a "!"
prefix, appended to the current ssl_ciphers.

> ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:

Ref: https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf

Murugesh P.

On 10/17/18, Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
> Hi,
> I have the below ssl settings in the nginx.conf file, and a VAPT test has
> reported that we should disable CBC ciphers
> ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
> Linux release 7.3.1611 (Core)
> I would appreciate it if someone could pitch in to help me understand how
> to disable CBC ciphers
> Best Regards
> Kaushal
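
The procedure from the reply above, as an added example that is not part of the original thread: most CBC suite names in OpenSSL do not contain the string "CBC", so this reads the Enc= and Mac= columns of `openssl ciphers -v` output and builds the "!" exclusions to append to ssl_ciphers. The function names `cbc_exclusions` and `sample_ciphers` are hypothetical, the sample lines are constructed in the `-v` output format, and the script assumes that any suite that is not AEAD, RC4 or NULL uses a block cipher in CBC mode.

```shell
#!/bin/sh
# Added example, not from the thread: derive "!NAME" exclusions for CBC suites.

# Reads `openssl ciphers -v` lines on stdin and prints a colon-joined list of
# "!NAME" entries for every suite assumed to use a block cipher in CBC mode.
cbc_exclusions() {
    awk '
        {
            enc = ""; mac = ""
            # Locate the Enc= and Mac= columns (export suites add a field).
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Enc=/) enc = substr($i, 5)
                if ($i ~ /^Mac=/) mac = substr($i, 5)
            }
            if (enc == "") next          # blank or malformed line
            if (mac == "AEAD") next      # GCM, CCM, ChaCha20-Poly1305
            if (enc ~ /^RC4/) next       # stream cipher, not CBC
            if (enc ~ /^None/) next      # NULL encryption
            out = (out == "" ? "" : out ":") "!" $1
        }
        END { print out }
    '
}

# Constructed sample in the format printed by `openssl ciphers -v`.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
EOF
}

# Demo on the constructed sample. On the real host, pipe the live list instead:
#   openssl ciphers -v 'HIGH:!aNULL:!MD5:!DH+3DES:!kEDH' | cbc_exclusions
sample_ciphers | cbc_exclusions
```

Running `openssl ciphers -v` again with the exclusions appended to the cipher string shows which suites remain, which confirms the result before nginx is reloaded.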
