Dec 16, 2019

How To Disable Weak CBC SSL Ciphers in Nginx

I'm always looking for ways to improve my encryption settings on my personal email server. I'm constantly checking SSL Labs to see how my configuration stacks up. For a little while now they have been complaining that I use weak CBC ciphers still in TLS 1.2. However, since they have continued to give me an A+ rating I didn't really care until today.

I decided to fix it by disabling those ciphers, and it's actually pretty easy. The answer on how to do it comes from user imgx64 on Stack Exchange in this thread where he says all you have to do is add a couple of extra items near the end of your ssl_ciphers portion of your ssl.tmpl config file in Nginx:

You can use !SHA1:!SHA256:!SHA384 to disable all CBC mode ciphers. There are some non-CBC false positives that will also be disabled (RC4, NULL), but you probably also want to disable them anyway. 
Note that while GCM and CHACHA20 ciphers have SHA* in their name, they're not disabled because they use their own MAC algorithm. The SHA* in their name is for the PRF, not the MAC
I changed my ssl_ciphers string from:




After I made that change and restarted the Nginx service my SSL Labs report went from this:


Simple right? Did this help you out? Let us know in the comments!

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam