OpenSSL How to Disable Ciphers

I need to disable certain ciphers on my Linux servers following a Nessus vulnerability assessment scan. The Nessus report lists specific weak and medium ciphers that it doesn't like. For instance, here are the medium ciphers I need to disable:
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export

I haven't been able to find much in the way of documentation as to how to do this. Some of what I have found doesn't seem to work. I came across this command that is supposed to enable only TLSv1/SSLv3 ciphers of 128 bits or higher, and disables all others, and then sorts them by strength so that the strongest ciphers would be tried first:
'openssl ciphers -v 'TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH'' - when I run this command this is what I get back:
$ openssl ciphers -v 'TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

However, if I then check to see what ciphers are enabled, it displays all the ciphers including the ones that I thought were disabled by the command above:
$ openssl ciphers -v 'ALL:eNULL'
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

What is the correct command syntax to disable specific individual ciphers, and/or what would be the command syntax to disable all the weak and medium strength ciphers?

Thank you,
Who is Participating?
ahoffmannConnect With a Mentor Commented:
simple answer: yes
long answer: see below

stolen from openssl's man-page:
       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
       v2/v3) and Transport Layer Security (TLS v1) network protocols and related
       cryptography standards required by them.

       The openssl program is a command line tool for using the various cryptography
       functions of OpenSSL's crypto library from the shell.  It can be used for

        o  Creation of RSA, DH and DSA key parameters
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail

openssl per se do not have ciphers or certificates but knows the algorithms how to create and verify them
i.g. it's the OS' (Linux) or programs (web server, ssh) resposibility to provide certificates, i.e. apache creates it's own certificate using openssl if started with ssl suport but no certificates are found
assuming that it is a apache server define the ciphers you want in the SSLCipherSuite directive in your httpd.conf (or its includes)
jpetterAuthor Commented:
Thanks for the suggestion. The OpenSSL is being used with a web server, but I need to know how to disable them in OpenSSL so they don't appear on the next vulnerability scan.

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

> ... but I need to know how to disable them in OpenSSL ..
openssl is the tool to access your web server as client (just like a browser does),
what openssl reports is the configuration provided by the service listening on the port it connects (most likely 443)
and the service listening there is most likely your web server (I guess apache) and not openssl itself
that's why I suggested to properly configure your apache

if you feel that this suggestion is not accurate for whatever reason, please contact your "scanner" and ask what exactly they tested, please post the command for it and also explain which service/process is responsible for that on your site
jpetterAuthor Commented:
Thanks again for the information. It sounds like I don't know how all the piece parts fit together. If I understand you correctly, the installation of OpenSSL does not install ciphers along with it per se, and the ciphers would be installed by/used by the web server, and openssl is simply a tool to interface with these. Is that correct?
BTW, just to understand how security is sold/paid for:
do I understand correctly that you bought a security check (probably PCI compliance check) and you simply got a automatically generated report without further explanations?
jpetterAuthor Commented:
Thanks very much for the quick response. I did see that initially on the man page, but it didn't click - I was thinking about it the wrong way.
jpetterAuthor Commented:
Very quick response with very good information.
jpetterAuthor Commented:
Basically yes. A vulnerability scan runs against a group of servers, and a report gets sent out that includes the vulnerabilities that need to be cleared. Some of them have recommended fixes. For the SSL Weak Cipher vulnerability, we are provided with the ciphers we are to disable. So we do get a little bit of an explanation. The rest is done with Google, and when that fails, on to EE.

may I ask:
is this a automatic scheduled scan?
you do not get reports reviewed by human auditors?
if so, what're the costs?

and keep in mind: security is a process, not a product
jpetterAuthor Commented:
Some are automated, such as PCI, and some are for security reviews, which are not. If we have issues we can go to the security team for some support, and they do review them when we submit our remediation documentation.
All Courses

From novice to tech pro — start learning today.