[openssl-users] To disable CBC ciphers

Kaushal Shriyan kaushalshriyan at gmail.com
Sat Oct 20 13:59:29 UTC 2018


On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah <
murugesh.pitchaiah at gmail.com> wrote:

> Hi,
>
> You may list down what ciphers are configured: "openssl ciphers"
> Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!"
> prefix appended to current ssl_ciphers.
>
> > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:
>
> Ref:
> https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf
>
> Thanks,
> Murugesh P.
>
>
> On 10/17/18, Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
> > Hi,
> >
> > I have the below ssl settings in nginx.conf file and VAPT test has
> > reported us to disable CBC ciphers
> >
> > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
> > ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> >
> >
> > openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
> > Linux release 7.3.1611 (Core)
> >
> > I will appreciate if someone can pitch in to help me understand to
> > disable CBC ciphers
> >
> > Best Regards
> >
> > Kaushal
> >


Thanks Murugesh. I did check openssl ciphers
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and could not see
!AAA_CBC_BBB as mentioned in your email.

ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:


Correct me if I am understanding it wrong. Basically I want to disable
Cipher Block Chaining (CBC) mode cipher encryption. OpenSSL and OS version
are as below :-

openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
Linux release 7.3.1611 (Core)


Any tools which I can run to find out vulnerabilities in the above openssl
and OS version? Please guide and I look forward to hearing from you. Thanks
in Advance.

Best Regards,

Kaushal
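
The check discussed in this thread, as an added example that is not part of the original messages: CBC suite names such as AES128-SHA do not contain "CBC", so the mode has to be read from the Enc= and Mac= columns of `openssl ciphers -v`. The sample lines below are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: split `openssl ciphers -v` output into
# CBC suites and AEAD suites, then build an explicit ssl_ciphers allow-list.

# Constructed sample in the `openssl ciphers -v` column format. On a real host
# use instead: openssl ciphers -v 'HIGH:!aNULL:!MD5:!DH+3DES:!kEDH'
sample_ciphers() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
EOF
}

# A block cipher paired with a separate HMAC is a CBC suite in TLS <= 1.2.
cbc_suites() {
  awk '{ enc = ""; mac = ""
         for (i = 2; i <= NF; i++) {
           if ($i ~ /^Enc=/) enc = substr($i, 5)
           if ($i ~ /^Mac=/) mac = substr($i, 5)
         }
         if (mac != "AEAD" && enc ~ /^(AES|3DES|DES|Camellia|SEED|IDEA)\(/)
           print $1 }'
}

# AEAD suites (GCM and similar), joined with ":" for use in ssl_ciphers.
aead_list() {
  awk '{ for (i = 2; i <= NF; i++)
           if ($i == "Mac=AEAD") { printf "%s%s", sep, $1; sep = ":" } }
       END { if (sep != "") print "" }'
}

echo "CBC suites selected by the sample list:"
sample_ciphers | cbc_suites
printf 'ssl_ciphers %s;\n' "$(sample_ciphers | aead_list)"
```

AEAD suites exist only in TLS 1.2 and later, so with a list like this, clients limited to TLSv1 or TLSv1.1 will no longer complete a handshake.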