On 20/10/2018 15:59, Kaushal Shriyan wrote:
On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah <murugesh.pitchaiah@xxxxxxxxx <mailto:murugesh.pitchaiah@xxxxxxxxx>> wrote:Hi, You may list down what ciphers configured : "openssl ciphers" Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!" prefix appended to current ssl_ciphers. > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB: Ref: https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf Thanks, Murugesh P. On 10/17/18, Kaushal Shriyan <kaushalshriyan@xxxxxxxxx <mailto:kaushalshriyan@xxxxxxxxx>> wrote: > Hi, > > I have the below ssl settings in nginx.conf file and VAPT test has reported > us to disable CBC ciphers > > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH; >> ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > > > openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS > Linux release 7.3.1611 (Core) > > I will appreciate if someone can pitch in to help me understand to disable > CBC ciphers >Thanks Murugesh. I did checked openssl ciphers https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and could not see!AAA_CBC_BBB as mentioned in your email. ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:Correct me if i am understanding it wrong. Basically i want to disable Cipher Block Chaining (CBC) mode cipher encryption. Openssl and OS version are as below :-openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS Linux release 7.3.1611 (Core)Any tools which i can run to find out vulnerabilities in the above openssl and OS version? Please guide and i look forward to hearing from you. Thanks in Advance.
You need to replace AAA and BBB with actual strings corresponding to each of the unwanted cipher suites. The advisor that tells you to disable "CBC ciphers" is mostly wrong. There is nothing inherently bad about correctly using ciphers in CBC mode, however some TLS protocol versions happen to use CBC cipher suites in a problematic way, while having no secure non-CBC cipher suites. More recent TLS versions (such as TLS 1.2) have less problematic (but not perfect) CBC usage and also offers some overhyped US government ciphers such as the AES_GCM family. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
