How to disable CBC-mode ciphers
You can use !SHA1:!SHA256:!SHA384 to disable all CBC mode ciphers. There are some non-CBC false positives that will also be disabled (RC4, NULL), but you probably also want to disable them anyway.
Note that while GCM and CHACHA20 ciphers have SHA* in their name, they're not disabled because they use their own MAC algorithm. The SHA* in their name is for the PRF, not the MAC.
I've spent a fair amount of time over the last couple of days trying to get a perfect list for ssllabs. Thanks in part to this, here's what works:
SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384
According to the list of Cipher Strings given in the documentation (man ciphers) there is no string describing all CBC ciphers. This means there is no simple way to disable all of these (and only these) with a simple !CBC or similar.
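Since there is no !CBC string, the practical way to confirm a cipher string did what you meant is to read the Mac= field of "openssl ciphers -v" rather than the suite names. The script below is an added example, not code from any of the answers above: it parses that output, lists what !SHA1:!SHA256:!SHA384 removes (the CBC suites plus the RC4/NULL false positives mentioned above), lists the true CBC suites, and shows why a name-based filter would wrongly catch the GCM suites whose SHA256/SHA384 suffix only names the PRF. The sample output is constructed by hand in the format OpenSSL prints, and the function names are my own; if a local openssl binary is present, check_cipher_string runs it against a real cipher string.

```python
"""Classify the suites an OpenSSL cipher string leaves enabled by their Mac field."""
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output (not captured from a real
# system). The layout follows OpenSSL's: name, protocol, then Kx=, Au=, Enc=,
# Mac= fields separated by whitespace.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-SHA    TLSv1   Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
RC4-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
"""

SHA_MACS = ("SHA1", "SHA256", "SHA384")


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into dicts: name, proto, Kx, Au, Enc, Mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        entry = {"name": parts[0], "proto": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            entry[key] = value
        suites.append(entry)
    return suites


def uses_sha_mac(suite):
    """True for suites with a standalone HMAC-SHA* MAC; this is exactly what the
    !SHA1:!SHA256:!SHA384 strings match. AEAD suites report Mac=AEAD, so the
    SHA256/SHA384 in a GCM suite's name (its PRF) does not match."""
    return suite["Mac"] in SHA_MACS


def is_cbc(suite):
    """CBC suites are the SHA-MAC suites whose Enc is a block cipher. RC4 (a
    stream cipher) and None (NULL encryption) are the non-CBC false positives."""
    return uses_sha_mac(suite) and not suite["Enc"].startswith(("RC4", "None"))


def sha_mac_suites(text):
    """Names that !SHA1:!SHA256:!SHA384 would remove from this list."""
    return [s["name"] for s in parse_ciphers_v(text) if uses_sha_mac(s)]


def cbc_suites(text):
    """Names of the suites that actually run a cipher in CBC mode."""
    return [s["name"] for s in parse_ciphers_v(text) if is_cbc(s)]


def sha_in_name(text):
    """Naive name-based filter, kept only to show it is wrong: it also catches
    the GCM suites, which are not CBC."""
    return [s["name"] for s in parse_ciphers_v(text) if "SHA" in s["name"]]


def check_cipher_string(cipher_string):
    """Run the local openssl against a cipher string and return the CBC suites
    it still enables; None if openssl is missing or rejects the string."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return cbc_suites(proc.stdout)


if __name__ == "__main__":
    print("removed by !SHA1:!SHA256:!SHA384:", sha_mac_suites(SAMPLE_CIPHERS_V))
    print("true CBC suites:", cbc_suites(SAMPLE_CIPHERS_V))
    print("naive 'SHA in name' filter:", sha_in_name(SAMPLE_CIPHERS_V))
    print("CBC suites left by the string above:",
          check_cipher_string("ALL:!aNULL:!eNULL:!SHA1:!SHA256:!SHA384"))
```

The Mac= field is the reliable signal: a suite that prints Mac=AEAD never uses CBC, and every suite that prints Mac=SHA1/SHA256/SHA384 with a block-cipher Enc= does. Run check_cipher_string with the exact SSLCipherSuite value from your Apache config; an empty list means no CBC suite survived.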