nginx weak cipher disabled but still in use

Posted by jou_ 
August 12, 2024 10:02AM
I'm trying to remove the DES-CBC3-SHA cipher from the nginx config. This is the part of the nginx config where !DES is commented out, so technically DES-CBC3-SHA should not be used at all.

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

The service was obviously restarted.

When running the 'openssl ciphers' command, the DES cipher is not displayed. Also, when I run the openssl s_client -connect command with the TLS_RSA_WITH_3DES_EDE_CBC_SHA or TLS_RSA_3DES_EDE_CBC_SHA1 cipher, I get a connection error (SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2566:), so it seems everything works properly.

However, when doing an SSL Server Test I still see TLS_RSA_WITH_3DES_EDE_CBC_SHA as being used. It also works when I run the openssl s_client -connect command with DES-CBC3-SHA instead of TLS_RSA_WITH_3DES_EDE_CBC_SHA. Why is that? What's causing this difference?

IANA name: TLS_RSA_WITH_3DES_EDE_CBC_SHA
OpenSSL name: DES-CBC3-SHA
GnuTLS name: TLS_RSA_3DES_EDE_CBC_SHA1
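
Added example, not part of the original post: a check of the posted cipher string for triple-DES suites that are listed by name and not removed by any `!` rule, plus a query of the local libssl for what the string really enables. It relies on the OpenSSL ciphers(1) definitions, where the `DES` keyword covers single DES only and triple DES is the separate `3DES` keyword; the function names are hypothetical, `POSTED` is an abbreviated copy of the posted value, and the static check only looks at explicitly named suites, not at aliases.

```python
import re
import ssl

# Abbreviated copy of the ssl_ciphers value from the post (most AES suites omitted).
POSTED = ("ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
          "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
          "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;")

# Name mapping given in the post: IANA name -> OpenSSL name.
IANA_TO_OPENSSL = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA"}


def unblocked_3des(cipher_string):
    """Return 3DES suites listed by name that no '!' rule removes.

    '!DES' does not count as a removal here: in ciphers(1) the DES keyword
    is single DES, so only '!3DES' or the exact '!<suite>' kills a 3DES suite.
    """
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip("; ")) if t]
    killed = {t[1:] for t in tokens if t.startswith("!")}
    if "3DES" in killed:
        return []
    named = [t for t in tokens
             if t[0] not in "!-+" and ("DES-CBC3" in t or "3DES-EDE" in t)]
    return [n for n in named if n not in killed]


def enabled_3des(cipher_string):
    """Ask the local libssl which 3DES suites the string actually enables.

    The result depends on how the local OpenSSL was built, so run this on
    the host that serves the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string.strip("; "))
    return [c["name"] for c in ctx.get_ciphers() if "3DES" in c["description"]]


if __name__ == "__main__":
    for label, value in (("posted", POSTED),
                         ("with !3DES", POSTED.rstrip("; ") + ":!3DES")):
        print(label, "| listed and not excluded:", unblocked_3des(value),
              "| enabled by local libssl:", enabled_3des(value))
```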