Blacklist Ciphersuites?

I know we can specify cipher suites like this but is there a way to blacklist certain ciphers as well?


I don't think that's possible, nor should it be necessary. A whitelist is the safer way. The list of safe ciphers is shorter than the blacklist would be anyway.

Instead enable the recommended setting [preferServerCipherSuites]( and list the suites you want to allow. Due to preferServerCipherSuites the client won't be allowed to choose any other than you listed.

You can use Mozilla's config generator to create the list of recommended ciphers. See Mozilla SSL Configuration Generator

1 Like