Forum Discussion
disable CBC cipher
Hi guys,
I tried to disable the ciphers below (customer requirement): TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Even though I verified from the CLI that the configured cipher does not include this, when I do the verification from Qualys it still shows this cipher as configured.
How do I disable this cipher?
Thanks in advance.
- Kevin_Stewart
Employee
How did you verify that it was excluded, and what did you do to exclude it?
- Vikram_23_27012
Nimbostratus
I verified with the command below:
tmm --clientciphers 'DEFAULT:!AES:!SHA:!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:-MD5:-SSLv3:-RC4:@STRENGTH:!SHA:!RSA+AES:!RSA:!AES128-CBC'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
The particular string is applied on the SSL profile
DEFAULT:!AES:!SHA:!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:-MD5:-SSLv3:-RC4:@STRENGTH:!SHA:!RSA+AES:!RSA:!AES128-CBC
and bound to the VIP
- Kevin_Stewart
Employee
A few thoughts.
- It might be an anomalous indication. You could actually test for CBC support with a cURL request using a CBC cipher (only).
- Given that you're specifying a very small, specific set of ciphers, it might be easier to simply list these in the cipher string:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
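The CBC-only test suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes an OpenSSL-backed curl; the function names are hypothetical and the host is supplied by the caller. The two suites from the question are offered under their OpenSSL names, which do not contain the string "CBC".

```shell
#!/bin/sh
# Added example (not from the thread): offer one CBC suite at a time and
# report whether the virtual server completes the handshake with it.

# OpenSSL names for the suites named in the question:
#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> ECDHE-RSA-AES256-SHA384
#   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -> ECDHE-RSA-AES128-SHA256
CBC_SUITES="ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256"

# Read `curl -v` output on stdin; print the negotiated cipher, or nothing.
negotiated_cipher() {
    sed -n 's|^\* SSL connection using [^ ]* / \([^ ]*\).*|\1|p' | head -n 1
}

# $1 = suite offered, $2 = suite negotiated (may be empty), $3 = curl exit code
verdict() {
    if [ -n "$2" ] && [ "$2" = "$1" ]; then
        echo ACCEPTED          # server still speaks this CBC suite
    elif [ -z "$2" ] && [ "$3" -eq 35 ]; then
        echo REJECTED          # curl exit 35: TLS handshake failed
    else
        echo INCONCLUSIVE      # timeout, refused connection, other suite...
    fi
}

# $1 = host or host:port of the virtual server (placeholder, caller-supplied)
probe_cbc() {
    for suite in $CBC_SUITES; do
        # Pin to TLS 1.2: --ciphers does not control TLS 1.3 suites.
        # -k skips certificate checks; only cipher support is being tested.
        log=$(curl -sv -k -o /dev/null --max-time 10 \
                   --tlsv1.2 --tls-max 1.2 --ciphers "$suite" \
                   "https://$1/" 2>&1) && rc=0 || rc=$?
        got=$(printf '%s\n' "$log" | negotiated_cipher)
        echo "$suite: $(verdict "$suite" "$got" "$rc")"
    done
}

# Run only when a target is given, e.g.: sh probe_cbc.sh vip.example.com
if [ "$#" -gt 0 ]; then
    probe_cbc "$1"
fi
```

Run it against the same address the external scanner tests; a REJECTED result for both suites there points to the scan result being stale or hitting a different listener.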