I'm trying to remove the DES-CBC3-SHA cipher from the nginx config. This is the part of the nginx config where !DES is commented out, so technically DES-CBC3-SHA should not be used at all.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
The service was obviously restarted.
When running the 'openssl ciphers' command, the DES cipher is not displayed. Also, when I run the openssl s_client -connect command with the TLS_RSA_WITH_3DES_EDE_CBC_SHA or TLS_RSA_3DES_EDE_CBC_SHA1 cipher, I get a connection error (SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2566:), so it seems everything works properly.
However, when doing an SSL Server test I still see TLS_RSA_WITH_3DES_EDE_CBC_SHA as being used. It also works when I run the openssl s_client -connect command with DES-CBC3-SHA instead of TLS_RSA_WITH_3DES_EDE_CBC_SHA. Why is that? What's causing this difference?
IANA name: TLS_RSA_WITH_3DES_EDE_CBC_SHA
OpenSSL name: DES-CBC3-SHA
GnuTLS name: TLS_RSA_3DES_EDE_CBC_SHA1
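
An added example (not part of the original post) that audits an ssl_ciphers string for this one suite: it maps the IANA and GnuTLS names to the OpenSSL name, the form that worked with s_client in the post, and reports whether any `!` token actually covers DES-CBC3-SHA. The keyword set follows the OpenSSL ciphers(1) manual, where `DES` selects single DES and `3DES` selects triple DES; the function names and the abbreviated sample string are assumptions made for illustration.

```python
import ssl

# The three names the post lists for the same suite.
NAMES = {"iana": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
         "openssl": "DES-CBC3-SHA",
         "gnutls": "TLS_RSA_3DES_EDE_CBC_SHA1"}
# Keywords that cover DES-CBC3-SHA per the OpenSSL ciphers(1) manual
# (non-exhaustive). Plain "DES" is absent: it selects single DES only.
COVERS = {"3DES", "DES-CBC3-SHA", "RSA", "kRSA", "aRSA", "SHA", "SHA1"}
# Constructed sample: the post's ssl_ciphers value, abbreviated.
SAMPLE = ("ECDHE-RSA-AES128-GCM-SHA256:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:"
          "!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH-RSA-DES-CBC3-SHA;")

def to_openssl_name(name):
    """Translate the IANA or GnuTLS name to the OpenSSL name."""
    return NAMES["openssl"] if name in NAMES.values() else name

def audit_3des(cipher_string):
    """Report which tokens add DES-CBC3-SHA and which '!' tokens remove it.
    Only explicit entries are counted as adding the suite."""
    tokens = [t.strip() for t in cipher_string.rstrip("; \n").split(":")]
    tokens = [t for t in tokens if t]
    added = [t for t in tokens if t in ("DES-CBC3-SHA", "3DES")]
    removed = [t for t in tokens if t[0] == "!" and t[1:] in COVERS]
    return {"added_by": added, "removed_by": removed,
            "offered": bool(added) and not removed}

def effective_names(cipher_string):
    """Ask the OpenSSL build linked into Python what the string expands to.
    That build may differ from the one nginx is linked against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string.rstrip("; \n"))
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    print(to_openssl_name("TLS_RSA_WITH_3DES_EDE_CBC_SHA"))
    print(audit_3des(SAMPLE))
    print(audit_3des(SAMPLE.rstrip(";") + ":!3DES"))
    print("DES-CBC3-SHA" in effective_names(SAMPLE))
```

In the sample, `!DES` and `!EDH-RSA-DES-CBC3-SHA` leave the explicitly listed DES-CBC3-SHA in place, while appending `!3DES` removes it.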