[openssl-users] To disable CBC ciphers

Jakob Bohm jb-openssl at wisemo.com
Mon Oct 22 13:34:20 UTC 2018 

On 20/10/2018 15:59, Kaushal Shriyan wrote:
>
>
> On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah 
> <murugesh.pitchaiah at gmail.com <mailto:murugesh.pitchaiah at gmail.com>> 
> wrote:
>
>     Hi,
>
>     You may list down what ciphers configured : "openssl ciphers"
>     Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!"
>     prefix appended to current ssl_ciphers.
>
>     > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:
>
>     Ref:
>     https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf
>
>     Thanks,
>     Murugesh P.
>
>
>     On 10/17/18, Kaushal Shriyan <kaushalshriyan at gmail.com
>     <mailto:kaushalshriyan at gmail.com>> wrote:
>     > Hi,
>     >
>     > I have the below ssl settings in nginx.conf file and VAPT test
>     has reported
>     > us to disable CBC ciphers
>     >
>     > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
>     >> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>     >
>     >
>     > openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on
>     CentOS
>     > Linux release 7.3.1611 (Core)
>     >
>     > I will appreciate if someone can pitch in to help me understand
>     to disable
>     > CBC ciphers
>     >
>
>
> Thanks Murugesh. I did checked openssl ciphers 
> https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and could not see
> !AAA_CBC_BBB as mentioned in your email.
>
>     ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:
>
>
> Correct me if i am understanding it wrong. Basically i want to disable 
> Cipher Block Chaining (CBC) mode cipher encryption. Openssl and OS 
> version are as below :-
>
>     openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on
>     CentOS
>     Linux release 7.3.1611 (Core)
>
>
> Any tools which i can run to find out vulnerabilities in the above 
> openssl and OS version? Please guide and i look forward to hearing 
> from you. Thanks in Advance.
You need to replace AAA and BBB with actual strings corresponding to
each of the unwanted cipher suites.

The advisor that tells you to disable "CBC ciphers" is mostly wrong.
There is nothing inherently bad about correctly using ciphers in CBC
mode, however some TLS protocol versions happen to use CBC cipher
suites in a problematic way, while having no secure non-CBC cipher
suites.  More recent TLS versions (such as TLS 1.2) have less
problematic (but not perfect) CBC usage and also offers some
overhyped US government ciphers such as the AES_GCM family.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list