To disable CBC ciphers

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

To disable CBC ciphers

Kaushal Shriyan-2
Hi,

I have the below ssl settings in nginx.conf file and VAPT test has reported us to disable CBC ciphers

ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS Linux release 7.3.1611 (Core)

I will appreciate if someone can pitch in to help me understand to disable CBC ciphers

Best Regards

Kaushal

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: To disable CBC ciphers

Murugesh
Hi,

You may list down what ciphers configured : "openssl ciphers"
Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!"
prefix appended to current ssl_ciphers.

> ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:

Ref: https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf

Thanks,
Murugesh P.


On 10/17/18, Kaushal Shriyan <[hidden email]> wrote:

> Hi,
>
> I have the below ssl settings in nginx.conf file and VAPT test has reported
> us to disable CBC ciphers
>
> ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
>> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
>
> openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
> Linux release 7.3.1611 (Core)
>
> I will appreciate if someone can pitch in to help me understand to disable
> CBC ciphers
>
> Best Regards
>
> Kaushal
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: To disable CBC ciphers

Kaushal Shriyan-2


On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah <[hidden email]> wrote:
Hi,

You may list down what ciphers configured : "openssl ciphers"
Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!"
prefix appended to current ssl_ciphers.

> ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:

Ref: https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf

Thanks,
Murugesh P.


On 10/17/18, Kaushal Shriyan <[hidden email]> wrote:
> Hi,
>
> I have the below ssl settings in nginx.conf file and VAPT test has reported
> us to disable CBC ciphers
>
> ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
>> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
>
> openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
> Linux release 7.3.1611 (Core)
>
> I will appreciate if someone can pitch in to help me understand to disable
> CBC ciphers
>
> Best Regards
>
> Kaushal
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Thanks Murugesh. I did checked openssl ciphers https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and could not see 
!AAA_CBC_BBB as mentioned in your email. 

ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:

Correct me if i am understanding it wrong. Basically i want to disable Cipher Block Chaining (CBC) mode cipher encryption. Openssl and OS version are as below :-

openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
Linux release 7.3.1611 (Core)

Any tools which i can run to find out vulnerabilities in the above openssl and OS version? Please guide and i look forward to hearing from you. Thanks in Advance.

Best Regards,

Kaushal

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: To disable CBC ciphers

OpenSSL - User mailing list
On 20/10/2018 15:59, Kaushal Shriyan wrote:

>
>
> On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah
> <[hidden email] <mailto:[hidden email]>>
> wrote:
>
>     Hi,
>
>     You may list down what ciphers configured : "openssl ciphers"
>     Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!"
>     prefix appended to current ssl_ciphers.
>
>     > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:
>
>     Ref:
>     https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf
>
>     Thanks,
>     Murugesh P.
>
>
>     On 10/17/18, Kaushal Shriyan <[hidden email]
>     <mailto:[hidden email]>> wrote:
>     > Hi,
>     >
>     > I have the below ssl settings in nginx.conf file and VAPT test
>     has reported
>     > us to disable CBC ciphers
>     >
>     > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
>     >> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>     >
>     >
>     > openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on
>     CentOS
>     > Linux release 7.3.1611 (Core)
>     >
>     > I will appreciate if someone can pitch in to help me understand
>     to disable
>     > CBC ciphers
>     >
>
>
> Thanks Murugesh. I did checked openssl ciphers
> https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and could not see
> !AAA_CBC_BBB as mentioned in your email.
>
>     ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:
>
>
> Correct me if i am understanding it wrong. Basically i want to disable
> Cipher Block Chaining (CBC) mode cipher encryption. Openssl and OS
> version are as below :-
>
>     openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on
>     CentOS
>     Linux release 7.3.1611 (Core)
>
>
> Any tools which i can run to find out vulnerabilities in the above
> openssl and OS version? Please guide and i look forward to hearing
> from you. Thanks in Advance.
You need to replace AAA and BBB with actual strings corresponding to
each of the unwanted cipher suites.

The advisor that tells you to disable "CBC ciphers" is mostly wrong.
There is nothing inherently bad about correctly using ciphers in CBC
mode, however some TLS protocol versions happen to use CBC cipher
suites in a problematic way, while having no secure non-CBC cipher
suites.  More recent TLS versions (such as TLS 1.2) have less
problematic (but not perfect) CBC usage and also offers some
overhyped US government ciphers such as the AES_GCM family.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users