(Please do not close it. It is not duplicate of SSLCipherSuite – disable weak encryption, cbc cipher and md5 based algorithm)
I use Apache 2.2.
I have started to get the following message from the scanner:
Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Unfortunately I can not use TLS 1.1 version ( I plan to do it only in the next major version).
I want to block CBC ciphers but I did not success to do it.
I configured the following ciphers but it did not help:
SSLCipherSuite HIGH:!ADH:!MD5:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
How to prevent CBC ciphers while using TLS 1.0 in Apache?
Added
I have tested my environment with TestSSLServer as recommended at OWASP:
https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29
I get the following output:
Supported versions: TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.0
RSA_WITH_3DES_EDE_CBC_SHA
DHE_RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
I can see only CBC ciphers!
Is it possible to prevent CBC ciphers while using TLS 1.0 in Apache?
Best Answer
Follow the SSLLabs or Mozilla TLS security config.
Example