01-09-2019 05:58 AM - edited 03-15-2019 05:43 AM
My Info Sec team wants to disable some specific TLS-RSA ciphers on our Expressways which do not support forward secrecy. I am not very familiar with the cipher suite syntax but was wondering if I can append a "-" and the specific cipher suites I want to disable? For example, if I append ":-TLS-RSA-AES128-CBC-SHA:-TLS-RSA-AES128-CBC-SHA256" to the cipher suite, will that then disable these two specific ciphers? I just want to make sure I have the correct syntax if this method will work.
01-13-2019 07:39 AM
02-12-2019 11:19 AM
I couldn't quite get this working even with TAC support, but the closest I got was "HIGH:!EXP:!MD5:!RC4:!ADH:!EXP:!LOW:!3DES:!MD5:!aNULL:!eNULL:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:@STRENGTH", which our audit tool only listed as moderate vulnerabilities (no severe or critical). The TLS-RSA ciphers were still being negotiated. However, since there is no CVE associated with these cipher suites, our Info Sec team was OK living with the moderate vulnerability.
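An added example (not from the thread) that expands the cipher string posted above with the OpenSSL library behind Python's ssl module and reports which remaining suites use static RSA key exchange (no forward secrecy). In OpenSSL cipher-list syntax, "!" deletes a suite permanently while "-" deletes it but lets a later entry re-add it, suites are spelled the OpenSSL way (AES128-SHA, not TLS_RSA_WITH_AES_128_CBC_SHA), and the keyword kRSA matches every suite with RSA key exchange at once; it is assumed here that the Expressway accepts the same syntax, as the posted strings suggest.

```python
import re
import ssl

# Cipher string posted in the thread above (OpenSSL cipher-list syntax).
POSTED = ("HIGH:!EXP:!MD5:!RC4:!ADH:!EXP:!LOW:!3DES:!MD5:!aNULL:!eNULL:"
          "!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA256:"
          "!AES256-GCM-SHA384:@STRENGTH")

# Added variant: '!kRSA' removes every suite whose key exchange is static RSA
# (all TLS_RSA_* suites), whatever cipher or MAC they use, so nothing is
# missed by listing suites one by one.
HARDENED = POSTED + ":!kRSA"

# OpenSSL's one-line description of a suite contains "Kx=<key exchange>".
KX_RE = re.compile(r"\bKx=(\S+)")


def expand(cipher_string):
    """Expand an OpenSSL cipher string into (suite name, key exchange)
    pairs, in negotiation-preference order, using the OpenSSL library
    linked into Python's ssl module."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    result = []
    for c in ctx.get_ciphers():
        m = KX_RE.search(c["description"])
        result.append((c["name"], m.group(1) if m else "?"))
    return result


def non_pfs(cipher_string):
    """Names of suites still enabled by the string that lack forward
    secrecy, i.e. static RSA key exchange (Kx=RSA)."""
    return [name for name, kx in expand(cipher_string) if kx == "RSA"]


if __name__ == "__main__":
    for label, s in (("posted", POSTED), ("posted + !kRSA", HARDENED)):
        print(f"{label}: {len(expand(s))} suites; "
              f"no forward secrecy: {non_pfs(s) or 'none'}")
```

The same check can be run outside Python with `openssl ciphers -v '<string>'`, whose output is the description text parsed above.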