How to disable CBC-mode ciphers

Question

Is there a simple allowlist-style way of disabling CBC mode cipher suites in apps that use an openssl cipher suite list? I'm hoping for something in the style of !RC4, however, !CBC has no effect, and still allows suites such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA256.

The only solution I've found so far is to use a much more verbose allowlist that only includes non-CBC ciphers. Is there a simpler alternative?

Isn't there very very little left if you exclude CBC and non forward secure and limit to AES ciphers? I think all that's left then is like four (?) GCM ciphers, right? And you could well put that as a whitelist? — StackzOfZtuff, Aug 01 '17 at 20:01
Yes, it's true, it does end up being quite a short whitelist! Don't forget ChaCha20 though... — Synchro, Aug 01 '17 at 20:02
Today, the easiest way to disable CBC cipher suites would be to only allow TLS in version 1.3 or above. — A. Hersean, Jan 26 '22 at 08:41

score 34 · Answer 1 · answered Apr 22 '19 at 06:22

34

You can use !SHA1:!SHA256:!SHA384 to disable all CBC mode ciphers. There are some non-CBC false positives that will also be disabled (RC4, NULL), but you probably also want to disable them anyway.

Note that while GCM and CHACHA20 ciphers have SHA* in their name, they're not disabled because they use their own MAC algorithm. The SHA* in their name is for the PRF, not the MAC

answered Apr 22 '19 at 06:22

imgx64

1,370
2
13
10

3

This is necessary especially since CBC algorithms are now rated as weak. – Robidu Jul 22 '19 at 22:26
@imgx64 in which file and location in Nginx web server should I apply this? – Compaq LE2202x Nov 08 '21 at 09:19

score 13 · Answer 2 · edited Oct 27 '19 at 22:45

13

I've spent a fair amount of time over the last couple of days trying to get a perfect list for ssllabs. Thanks in part to this, here's what works:

SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384

edited Oct 27 '19 at 22:45

schroeder

123,438
55
284
319

answered Oct 27 '19 at 22:29

Bill Cheswick

231
2
3

3

This accomplishes A+ by disabling the four CBC mode equivalent ciphers and leaving four GCM. I use it and have received no adverse feedback. Qualys shows that all except a range of older devices and browsers are happy with this, but if you serve a wider range of clients, you may need to be more lenient and use something like `SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH`. – Chris Woods Jan 03 '20 at 14:36
This list still contains CBC ciphers: verify this with ```openssl ciphers -V -stdname EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | grep CBC ``` – Cie6ohpa May 20 '21 at 15:17

score 11 · Accepted Answer · edited Feb 21 '22 at 13:44

11

According to the list of Cipher Strings given in the documentation (man ciphers) there is no string describing all CBC ciphers. This means there is no simple way to disable all of these (and only these) with a simple !CBC or similar.

edited Feb 21 '22 at 13:44

Community

1

answered Aug 01 '17 at 07:37

Steffen Ullrich

184,332
29
363
424

score 3 · Answer 4 · edited Oct 27 '19 at 22:45

3

The best SSL Ciphers and Protocols settings I found at https://cipherli.st/

With this you will get a Qualys A+ rating:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2

edited Oct 27 '19 at 22:45

schroeder

123,438
55
284
319

answered Aug 26 '19 at 12:15

ApolloDS

31
2

3

This is a whitelist, which I've already got - the question asks if there is a *blacklist* to disable all CBC-mode cipher suites. Also there is no such thing as a "best" cipher suite list, as it's very dependent on your prospective audience. – Synchro Aug 26 '19 at 12:18
Although @Synchro is formally correct ... after testing different variants in Qualys SSL Labs (not believing that a good solution could be as easy), I came to the conclusion that this has about exactly the same browser/OS coverage like more complex solutions, combined from black- and whitelists. – BurninLeo May 24 '21 at 09:41

score 1 · Answer 5 · answered Oct 05 '17 at 13:56

There is no way to do this directly, however you can script it a bit.

Let's say that your initial cipher suites string is !3DES:HIGH. (You should probably have a better cipher suites string to begin with, but that's a good starting point and won't clutter this answer too much.)

Now, do this:

$ openssl ciphers '!3DES:HIGH' \
    | sed -e 's/:/\n/g' \
    | grep -v GCM \
    | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/:!/g' -e 's/^/!/'

Explanation, per line:

Start with the set of ciphers you "really" want
Split the :-separated list into one-per-line cipher suite
Remove anything that doesn't explicitly say GCM
Read the whole file in at once, replace newlines with :!, then add a ! at the very beginning

Now take this output and place it at the front of your cipher suite string. Don't throw-out your original, because you might want to re-run this process later when your initial cipher suites string changes, or if new ciphers are added to OpenSSL or even to their HIGH default list.

How to disable CBC-mode ciphers

5 Answers5