(Please do not close it. It is not a duplicate of SSLCipherSuite - disable weak encryption, cbc cipher and md5 based algorithm)
I use Apache 2.2. I have started to get the following message from the scanner:
Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Unfortunately I cannot use TLS 1.1 (I plan to do it only in the next major version).
I want to block CBC ciphers but I did not succeed in doing it.
I configured the following ciphers but it did not help:
SSLCipherSuite HIGH:!ADH:!MD5:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
How to prevent CBC ciphers while using TLS 1.0 in Apache?
Added
I have tested my environment with TestSSLServer as recommended at OWASP: https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29
I get the following output:
Supported versions: TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.0
RSA_WITH_3DES_EDE_CBC_SHA
DHE_RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
I can see only CBC ciphers!
Is it possible to prevent CBC ciphers while using TLS 1.0 in Apache?
Follow the SSLLabs or Mozilla TLS security config.
Example
As far as I know, there is no option to disable CBC and other "weak" cipher elements (RC4, etc.) and still use TLSv1 or even TLSv1.1. I hope I'm wrong, but I don't think so.
Here is my question about a similar problem and a link to the OpenSSL site: SSL config for web server compatible with PCI-DSS requirements about disabling CBC and TLSv1.0
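The point made in the answer above, as an added example that is not part of the original posts: it parses the TestSSLServer listing from the question, classifies each suite by bulk cipher mode, and shows that nothing is left to negotiate on this TLS 1.0 server once CBC, RC4 and NULL suites are dropped. The second listing and the names `bulk_mode` and `suites_left` are constructed for illustration; AEAD suites such as GCM are defined only for TLS 1.2 and later.

```python
import re

# TestSSLServer listing copied from the question.
QUESTION_SCAN = """\
Supported versions: TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.0
RSA_WITH_3DES_EDE_CBC_SHA
DHE_RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
"""
# Constructed listing for contrast (not from the page): a TLS 1.2 server.
CONSTRUCTED_SCAN = """\
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
MODES = (("AEAD", r"GCM|CCM|POLY1305"), ("CBC", r"CBC"),
         ("RC4", r"RC4"), ("NULL", r"NULL"))

def bulk_mode(suite):
    """Classify the bulk cipher named after _WITH_ in a suite name."""
    cipher = suite.split("_WITH_", 1)[1]
    return next((m for m, pat in MODES if re.search(pat, cipher)), "UNKNOWN")

def suites_left(scan, dropped=("CBC", "RC4", "NULL")):
    """Per protocol version, the listed suites whose mode is not dropped."""
    left, version = {}, None
    for line in map(str.strip, scan.splitlines()):
        if re.fullmatch(r"(SSL|TLS)v\d(\.\d)?", line):
            version = line
            left[version] = []
        elif "_WITH_" in line and version and bulk_mode(line) not in dropped:
            left[version].append(line)
    return left

if __name__ == "__main__":
    print(suites_left(QUESTION_SCAN), suites_left(CONSTRUCTED_SCAN))
```

An empty list for a version means a cipher string that excludes those modes leaves the server with no suite to offer on that protocol, so handshakes would fail rather than fall back.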