0
votes

Hello all,

I would like to disable CBC ciphers on Apache 2.4 because when I ran a penetration test against my SSL configuration with Kali Linux (using ./testssl -U mydomain.com), I got some notifications like in the picture below.

[Image: pentest my ssl configure with testssl]

I hope someone can help me disable CBC ciphers.

Here is my configuration in /etc/httpd/conf.d/ssl.conf:

SSLProtocol -All +TLSv1.1 +TLSv1.2

SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH

1
Stack Overflow is for programming questions. Questions about Apache server configuration are off-topic for Stack Overflow unless they directly involve tools used primarily for programming. You may be able to get help on Server Fault. - President James K. Polk

1 Answer

0
votes

According to the Apache user mailing list, this would give you an A+ on SSL Labs, thus reaching your goal:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
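A way to check any SSLCipherSuite value for CBC suites before deploying it, given here as an added example that is not part of the question or the answer: it expands a cipher string with the local OpenSSL (through Python's ssl module) and lists the enabled non-AEAD CBC suites. The AEAD_ONLY string is an assumption introduced for comparison, and the exact suite lists depend on the OpenSSL build Python is linked against.

```python
import ssl

# Cipher strings quoted on this page.
QUESTION = ("HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:"
            "!PSK:!SRP:!KRB5:@STRENGTH")
ANSWER = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
          "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")
# Assumption (not from the page): an allow-list restricted to AEAD suites.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and may appear here as well;
    # they are all AEAD, so they never count as CBC.
    return ctx.get_ciphers()


def cbc_suites(cipher_string):
    """Names of enabled suites whose bulk cipher runs in CBC mode."""
    found = []
    for suite in expand(cipher_string):
        symmetric = suite.get("symmetric") or ""   # e.g. "aes-256-cbc"
        if not suite.get("aead", False) and "cbc" in symmetric:
            found.append(suite["name"])
    return found


def report(label, cipher_string):
    """Print a per-string summary and return the CBC suite names."""
    cbc = cbc_suites(cipher_string)
    total = len(expand(cipher_string))
    print(f"{label}: {len(cbc)} of {total} enabled suites use CBC")
    for name in cbc:
        print("    " + name)
    return cbc


if __name__ == "__main__":
    for label, value in (("question", QUESTION),
                         ("answer", ANSWER),
                         ("AEAD only", AEAD_ONLY)):
        report(label, value)
```

AEAD suites exist only in TLS 1.2 and later, so with an AEAD-only list the +TLSv1.1 in the SSLProtocol line has no suite left to negotiate.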