Expressway Cipher Suite Syntax

wmelick
Level 1

My Info Sec team wants to disable some specific TLS-RSA ciphers on our expressways which do not support forward secrecy. I am not very familiar with the cipher suite syntax but was wondering if I can append a "-" and the specific cipher suites I want to disable? For example, if I append ":-TLS-RSA-AES128-CBC-SHA:-TLS-RSA-AES128-CBC-SHA256" to the cipher suite, will that then disable these two specific ciphers? I just want to make sure I have the correct syntax if this method will work.

2 Replies

Jonathan Schulenberg
Hall of Fame
These are expecting exact matches to OpenSSL documented ciphers. To my knowledge you can’t append/suffix any qualifiers.
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

wmelick
Level 1

I couldn't quite get this working even with TAC support, but the closest I got was "HIGH:!EXP:!MD5:!RC4:!ADH:!EXP:!LOW:!3DES:!MD5:!aNULL:!eNULL:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:@STRENGTH" which our audit tool only listed as moderate vulnerabilities (no severe or critical). The TLS-RSA ciphers were still being negotiated. However, since there is no CVE associated with these cipher suites, our Info Sec team was OK living with the moderate vulnerability.
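
Added example, not part of the thread and not Cisco's code: a way to audit a cipher string offline by letting OpenSSL expand it and listing the suites that still use plain RSA key exchange (no forward secrecy). It assumes the OpenSSL linked into the local Python `ssl` module as a stand-in for the one on the Expressway, which may expand the string differently; the `!kRSA` variant uses OpenSSL's documented alias for RSA key exchange and is an assumption that has not been tried on an Expressway.

```python
import ssl

# The cipher string from the last post in the thread, verbatim.
THREAD = ("HIGH:!EXP:!MD5:!RC4:!ADH:!EXP:!LOW:!3DES:!MD5:!aNULL:!eNULL:"
          "!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA256:"
          "!AES256-GCM-SHA384:@STRENGTH")
# Assumption (not from the thread): exclude RSA key exchange as a class
# instead of naming individual suites.
BY_CLASS = THREAD.replace(":@STRENGTH", ":!kRSA:@STRENGTH")


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def rsa_key_exchange(cipher_string):
    """Names of selected suites whose key exchange is plain RSA."""
    # The description field looks like "AES256-SHA SSLv3 Kx=RSA Au=RSA ...".
    # Matching the whole token keeps Kx=RSAPSK out of the result.
    return [c["name"] for c in expand(cipher_string)
            if "Kx=RSA" in c["description"].split()]


def matches_any_suite(name):
    """True if this OpenSSL build resolves `name` to at least one suite."""
    try:
        expand(name)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, s in (("thread string", THREAD), ("with !kRSA", BY_CLASS)):
        print(f"{label}: RSA key exchange still selected -> {rsa_key_exchange(s)}")
    # Names as written in the question versus the OpenSSL spelling.
    for name in ("TLS-RSA-AES128-CBC-SHA", "AES128-SHA"):
        print(f"{name}: resolves to a suite = {matches_any_suite(name)}")
```

Entries in a cipher string that resolve to nothing are skipped by OpenSSL without an error, so a per-name check like `matches_any_suite` is the quickest way to catch a suite written in another naming scheme.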