How to identify and remove CBC ciphers in the CipherSuite?


I have an Apache HTTP server with the ciphers below in the SSLCipherSuite. After a scan I found that some of the ciphers (CBC) are weak and need to be removed, but I am unable to identify which of them are actually CBC. Can you please help?

FYI, the versions are:

Apache 2.4.23; openssl 1.0.2h; RHEL7

SSLCipherSuite:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES

CBC ciphers causing the vulnerability (how do I identify these in the above suite?):

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

I found some ciphers with "CBC3", but when I remove them Apache does not respond to HTTPS requests.

Answer by AfroThundr:

Any cipher with CBC in the name is a CBC cipher and can be removed. For improved security, you should also sort the ciphers from strongest to weakest and set SSLHonorCipherOrder on and SSLProtocol all -SSLv3 in your config.

Mozilla has a neat tool for generating secure web server configurations that you might find useful, notably the modern cipher suite configuration for your Apache and OpenSSL version. After that, try the Qualys SSL Labs test to see how you did.
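A note on OpenSSL naming that matters for the question: OpenSSL only spells out "CBC" for 3DES (DES-CBC3-SHA); an AES CBC suite such as ECDHE-RSA-AES128-SHA carries no mode tag at all, and the scanner reports the same suite under its IANA name TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. The bare AES alias in the posted list also expands to every AES suite, CBC ones included. The Python below is an added example, not code from the thread: it buckets the posted SSLCipherSuite by mode and translates the scanner's IANA names back into OpenSSL names (prefix it with ! to exclude one). It assumes Python 3.8+ and only covers the key-exchange prefixes that appear in the posted list.

```python
import re

# OpenSSL key-exchange/auth prefixes and their IANA spellings; plain RSA key transport has no prefix
KX = {"ECDHE-RSA": "ECDHE_RSA", "ECDHE-ECDSA": "ECDHE_ECDSA", "DHE-RSA": "DHE_RSA", "DHE-DSS": "DHE_DSS", "": "RSA"}
KX_REV = {v: k for k, v in KX.items()}
AES_RE = re.compile(r"^(?:(ECDHE-RSA|ECDHE-ECDSA|DHE-RSA|DHE-DSS)-)?(AES|CAMELLIA)(128|256)(?:-(GCM))?-(SHA|SHA256|SHA384)$")
TDES_RE = re.compile(r"^(?:(EDH-RSA|EDH-DSS)-)?DES-CBC3-SHA$")   # OpenSSL still spells DHE as EDH for 3DES suites
IANA_RE = re.compile(r"^TLS_(ECDHE_RSA|ECDHE_ECDSA|DHE_RSA|DHE_DSS|RSA)_WITH_(AES|CAMELLIA)_(128|256)_(CBC|GCM)_(SHA|SHA256|SHA384)$")

def openssl_to_iana(name):
    """Return (iana_name, mode) for an explicit OpenSSL suite name, or None for aliases and unknown names."""
    m = AES_RE.match(name)
    if m:
        kx, alg, bits, gcm, mac = m.groups()
        mode = "GCM" if gcm else "CBC"    # in TLS <= 1.2 a block cipher without GCM/CCM is CBC, even if the name omits it
        return f"TLS_{KX[kx or '']}_WITH_{alg}_{bits}_{mode}_{mac}", mode
    m = TDES_RE.match(name)
    if m:
        return f"TLS_{KX[(m.group(1) or '').replace('EDH', 'DHE')]}_WITH_3DES_EDE_CBC_SHA", "CBC"
    return None

def iana_to_openssl(iana):
    """Translate a scanner-reported IANA name into the OpenSSL name Apache's SSLCipherSuite understands."""
    m = IANA_RE.match(iana)
    if not m:
        return None
    kx, alg, bits, mode, mac = m.groups()
    return "-".join(p for p in (KX_REV[kx], f"{alg}{bits}", "GCM" if mode == "GCM" else "", mac) if p)

def audit(suite):
    """Bucket SSLCipherSuite entries into CBC, GCM (AEAD), aliases needing expansion, and '!' exclusions."""
    out = {"CBC": [], "GCM": [], "alias": [], "excluded": []}
    for entry in re.split(r"[:\s,]+", suite.strip()):
        if entry.startswith("!"):
            out["excluded"].append(entry)
        elif (res := openssl_to_iana(entry)) is None:
            out["alias"].append(entry)   # e.g. "AES" expands to every AES suite, CBC ones included
        else:
            out[res[1]].append(entry)
    return out

# SUITE is the SSLCipherSuite from the question; FLAGGED is the question's scanner-flagged list
SUITE = """ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:
DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES:DES-CBC3-SHA:
!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES"""
FLAGGED = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
           "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
```

audit(SUITE) reports the AES alias separately because the script cannot expand it; run openssl ciphers -v 'AES' on the server to list the concrete suites it pulls in, and [iana_to_openssl(n) for n in FLAGGED] gives the six names to exclude.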