When using `openssl ciphers`, permanently disabling all ciphers one by one 
makes the last cipher impossible to disable:

$ openssl ciphers 'ALL:COMPLEMENTOFALL:!ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA:!SRP-DSS-AES-256-CBC-SHA:!SRP-RSA-AES-256-CBC-SHA:!DH-DSS-AES256-GCM-SHA384:!DHE-DSS-AES256-GCM-SHA384:!DH-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA256:!DHE-DSS-AES256-SHA256:!DH-RSA-AES256-SHA256:!DH-DSS-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!DH-RSA-AES256-SHA:!DH-DSS-AES256-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-DSS-CAMELLIA256-SHA:!DH-RSA-CAMELLIA256-SHA:!DH-DSS-CAMELLIA256-SHA:!AECDH-AES256-SHA:!SRP-AES-256-CBC-SHA:!ADH-AES256-GCM-SHA384:!ADH-AES256-SHA256:!ADH-AES256-SHA:!ADH-CAMELLIA256-SHA:!ECDH-RSA-AES256-GCM-SHA384:!ECDH-ECDSA-AES256-GCM-SHA384:!ECDH-RSA-AES256-SHA384:!ECDH-ECDSA-AES256-SHA384:!ECDH-RSA-AES256-SHA:!ECDH-ECDSA-AES256-SHA:!AES256-GCM-SHA384:!AES256-SHA256:!AES256-SHA:!CAMELLIA256-SHA:!PSK-AES256-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!SRP-DSS-3DES-EDE-CBC-SHA:!SRP-RSA-3DES-EDE-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DH-RSA-DES-CBC3-SHA:!DH-DSS-DES-CBC3-SHA:!AECDH-DES-CBC3-SHA:!SRP-3DES-EDE-CBC-SHA:!ADH-DES-CBC3-SHA:!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!PSK-3DES-EDE-CBC-SHA:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-GCM-SHA256:!ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA:!SRP-DSS-AES-128-CBC-SHA:!SRP-RSA-AES-128-CBC-SHA:!DH-DSS-AES128-GCM-SHA256:!DHE-DSS-AES128-GCM-SHA256:!DH-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA256:!DHE-DSS-AES128-SHA256:!DH-RSA-AES128-SHA256:!DH-DSS-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA:!DH-RSA-AES128-SHA:!DH-DSS-AES128-SHA:!DHE-RSA-SEED-SHA:!DHE-DSS-SEED-SHA:!DH-RSA-SEED-SHA:!DH-DSS-SEED-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA128-SHA:!DH-RSA-CAMELLIA128-SHA:!DH-DSS-CAMELLIA128-SHA:!AECDH-AES128-SHA:!SRP-AES-128-CBC-SHA:!ADH-AES128-GCM-SHA256:!ADH-AES128-SHA256:!ADH-AES128-SHA:!ADH-SEED-SHA:!ADH-CAMELLIA128-SHA:!ECDH-RSA-AES128-GCM-SHA256:!ECDH-ECDSA-AES128-GCM-SHA256:!ECDH-RSA-AES128-SHA256:!ECDH-ECDSA-AES128-SHA256:!ECDH-RSA-AES128-SHA:!ECDH-ECDSA-AES128-SHA:!AES128-GCM-SHA256:!AES128-SHA256:!AES128-SHA:!SEED-SHA:!CAMELLIA128-SHA:!IDEA-CBC-SHA:!IDEA-CBC-MD5:!RC2-CBC-MD5:!PSK-AES128-CBC-SHA:!ECDHE-RSA-RC4-SHA:!ECDHE-ECDSA-RC4-SHA:!AECDH-RC4-SHA:!ADH-RC4-MD5:!ECDH-RSA-RC4-SHA:!ECDH-ECDSA-RC4-SHA:!RC4-SHA:!RC4-MD5:!RC4-MD5:!PSK-RC4-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-DSS-DES-CBC-SHA:!DH-RSA-DES-CBC-SHA:!DH-DSS-DES-CBC-SHA:!ADH-DES-CBC-SHA:!DES-CBC-SHA:!DES-CBC-MD5:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-DH-RSA-DES-CBC-SHA:!EXP-DH-DSS-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC2-CBC-MD5:!EXP-ADH-RC4-MD5:!EXP-RC4-MD5:!EXP-RC4-MD5:!ECDHE-RSA-NULL-SHA:!ECDHE-ECDSA-NULL-SHA:!AECDH-NULL-SHA:!ECDH-RSA-NULL-SHA:!ECDH-ECDSA-NULL-SHA:!NULL-SHA256:!NULL-SHA:!NULL-MD5'
NULL-MD5

In my installation (OpenSSL 1.0.1e), this should disable all ciphers, but 
NULL-MD5 is left even though it is explicitly permanently deleted.

This happens because ssl_cipher_apply_rule() works incorrectly when the list 
passed in has only one item: the for-loop on ssl_ciph.c:964 checks whether 
"curr == last", but it doesn't take into account the situation when tail == 
head.

Attached patch fixes this issue and it additionally renames 'curr2' to a more 
descriptive name.
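As an added illustration (not the attached patch and not OpenSSL's own code), here is a stand-alone model of the two loop shapes: the 1.0.1e traversal, which tests curr == last before the current node is processed, beside the corrected form in which curr is advanced first. The node type, make_list and the visit_* helpers are constructed for this example; the list is walked in both directions because the single-item case fails either way.

```c
#include <stdlib.h>
typedef struct node { struct node *next, *prev; } node; /* stand-in for CIPHER_ORDER (constructed) */
/* Build an n-node list; returns the head and stores the tail in *tail_p. */
static node *make_list(int n, node **tail_p) {
    node *head = NULL, *tail = NULL;
    for (int i = 0; i < n; i++) {
        node *c = calloc(1, sizeof *c);
        c->prev = tail;
        if (tail) tail->next = c; else head = c;
        tail = c;
    }
    *tail_p = tail;
    return head;
}
/* Loop shape of ssl_cipher_apply_rule() in 1.0.1e: "curr == last" is tested
 * before curr is processed, so with head == tail (one cipher) it exits at once. */
static int visit_buggy(node *head, node *tail, int reverse) {
    node *curr = reverse ? tail : head, *last = reverse ? head : tail, *curr2 = curr;
    int visited = 0;
    for (;;) {
        if (curr == NULL || curr == last) break;
        curr = curr2;
        curr2 = reverse ? curr->prev : curr->next;
        visited++;                 /* the rule would be applied to curr here */
    }
    return visited;
}
/* Corrected shape: curr starts at NULL and is advanced before the end test,
 * so a single node is processed exactly once (curr2 renamed to next). */
static int visit_fixed(node *head, node *tail, int reverse) {
    node *next = reverse ? tail : head, *last = reverse ? head : tail, *curr = NULL;
    int visited = 0;
    for (;;) {
        if (curr == last) break;
        curr = next;
        if (curr == NULL) break;
        next = reverse ? curr->prev : curr->next;
        visited++;
    }
    return visited;
}

/* Nodes visited on an n-node list; fixed == 0 uses the 1.0.1e loop, reverse picks the walk direction. */
static int visited_on_list(int n, int reverse, int fixed) {
    node *tail, *head = make_list(n, &tail);
    int v = fixed ? visit_fixed(head, tail, reverse) : visit_buggy(head, tail, reverse);
    while (head) { node *nx = head->next; free(head); head = nx; }
    return v;
}
```

With one node the 1.0.1e loop visits nothing, which is why the final `!NULL-MD5` rule has no effect; with two or more nodes both loops visit every node, so the defect only shows once the list has shrunk to a single cipher.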



Attachment: fix_single_ciphers.patch