Problem

• API Gateway default TLS cipher settings may allow ciphers that use CBC, such as OpenSSL cipher name ECDHE-PSK-AES256-CBC-SHA384 (also known as TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384) (ex: Seen using 7.7.July20 and ciphers string: 'FIPS:!SSLv3:!aNULL')
• Is there an Openssl ciphers command that disables all CBC ciphers, similar to the '!SSLv3' string that disables all SSL v3 ciphers?

Resolution

There is not a specific OpenSSL cipher directive that will disable all CBC ciphers. But, it looks like it can be accomplished by adding ':!SHA1:!SHA256:!SHA384' to the end of your existing ciphers strings. ex: 'FIPS:!SSLv3:!aNULL:!SHA1:!SHA256:!SHA384'

Please use the openssl ciphers command to verify your planned cipher string change allows an adequate number of ciphers that balance your security and client interoperability needs.

--------------

See sections on API GW inbound and outbound SSL configuration at: https://docs.axway.com/bundle/axway-open-docs/page...

See section "Configure Advanced SSL settings" at: https://docs.axway.com/bundle/axway-open-docs/page...

For further background, please see this older KB that shows changing cipher strings for inbound and outbound TLS connections, and how to use the "vrun openssl ciphers" command to test different cipher strings. KB 176529