ssl3des

difference between !3des and -3des


I have an HTTP process running on Solaris; recently we were asked to remove 3DES from the cipher suite. We need to apply something like this in the cipher suite config: SSLCipherSuite HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!3DES. But there is an Oracle documentation here - https://docs.oracle.com/middleware/12213/webtier/administer-ohs/GUID-C76BCA2A-9C28-4D16-9758-9346FBCF7512.htm#HSADM1016 which says

    - : Removes the cipher from the list (can be added later)
    ! : Removes the cipher from the list permanently

So my question is: if we apply !3DES and the change does not work, will we be able to use it again in the same cipher suite config by just removing !3DES? The reason for the confusion is that Oracle says that applying !3DES removes the cipher from the list permanently. In other words, is applying !3DES an irreversible change? NOTE - We only have access to the HTTP and SSL conf files where the cipher suite changes can be made by us.


Solution

  • The relevant documentation is the documentation of ciphers in OpenSSL. To cite:

    If ! is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated.

    If - is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options.

    Thus, both options delete the given cipher from the list. But only ! is permanent.

    To understand, take HIGH !3DES kRSA vs HIGH -3DES kRSA. In the first case no 3DES ciphers are enabled. In the second case 3DES ciphers which use RSA key exchange are enabled, since these were added by the later kRSA.

    In other words: to be sure that these ciphers are not used in any case, better use !.
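To see the two strings from the answer evaluated side by side, here is a small Python model of how OpenSSL walks a cipher string rule by rule. It is an added example, not code from the question, the answer or OpenSSL itself. The cipher table in it is a constructed subset that follows the older OpenSSL classification in which the 3DES suites count as HIGH, which is what the answer's example assumes (OpenSSL 1.1.0 and later moved 3DES to MEDIUM, so `HIGH` on its own no longer enables it there). The parser is deliberately simplified: no ALL/DEFAULT keywords, no @STRENGTH, and suites are added in table order rather than OpenSSL's internal preference order.

```python
"""Toy model of OpenSSL cipher-string evaluation: why `!3DES` and `-3DES`
differ once a later rule (such as kRSA) re-adds suites.

Added example, not code from the question, the answer or OpenSSL.
"""

# Constructed cipher table (an assumption, not OpenSSL's real list):
# suite name -> attribute tags that a rule token can match on.
CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"HIGH", "kECDHE", "aRSA", "AESGCM"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"HIGH", "kECDHE", "aRSA", "AESGCM"},
    "AES256-GCM-SHA384":           {"HIGH", "kRSA", "aRSA", "AESGCM"},
    "AES128-SHA":                  {"HIGH", "kRSA", "aRSA", "AES"},
    "ECDHE-RSA-DES-CBC3-SHA":      {"HIGH", "kECDHE", "aRSA", "3DES"},
    "DES-CBC3-SHA":                {"HIGH", "kRSA", "aRSA", "3DES"},
    "RC4-SHA":                     {"MEDIUM", "kRSA", "aRSA", "RC4"},
}


def _matches(name, tags, token):
    """A token selects a suite by exact name or by attribute tag.
    'A+B' inside one token means the suite must carry both A and B."""
    return all(part == name or part in tags for part in token.split("+"))


def evaluate(cipher_string, table=CIPHERS):
    """Return the ordered list of suites enabled by `cipher_string`.

    Rules are ':'-separated. A rule with no prefix appends matching suites
    that are neither already enabled nor killed; '-' disables matching
    suites but a later rule may re-enable them; '!' disables them and
    marks them killed for the rest of this string; '+' moves matching
    enabled suites to the end of the list.
    """
    enabled = []     # ordered list of currently enabled suites
    killed = set()   # suites hit by '!': they cannot come back in this string
    for rule in cipher_string.split(":"):
        if not rule:
            continue
        op, token = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        hits = [n for n, tags in table.items() if _matches(n, tags, token)]
        if op == "!":
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
        elif op == "-":
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":
            enabled = ([n for n in enabled if n not in hits]
                       + [n for n in enabled if n in hits])
        else:
            enabled += [n for n in hits if n not in enabled and n not in killed]
    return enabled


def uses_3des(cipher_string, table=CIPHERS):
    """True if any suite enabled by `cipher_string` carries the 3DES tag."""
    return any("3DES" in table[n] for n in evaluate(cipher_string, table))


if __name__ == "__main__":
    for s in ("HIGH:!3DES:kRSA",                         # answer's first case
              "HIGH:-3DES:kRSA",                         # answer's second case
              "HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!3DES", # question's string
              "HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5"):      # same, !3DES removed
        print(f"{s:42} 3DES={str(uses_3des(s)):5} {evaluate(s)}")
```

Two things the run makes visible. First, `HIGH:-3DES:kRSA` ends up with `DES-CBC3-SHA` (RSA key exchange) re-enabled by `kRSA` but not `ECDHE-RSA-DES-CBC3-SHA`, exactly the split the answer describes, while `HIGH:!3DES:kRSA` keeps both out. Second, regarding the question's worry about irreversibility: "permanently" is scoped to a single evaluation of the string. OpenSSL parses `SSLCipherSuite` from scratch every time the server reads its configuration, so deleting `!3DES` from the file and restarting brings the 3DES suites back, as the last two strings show. On a real box, `openssl ciphers -v '<string>'` prints what a given string actually enables for the OpenSSL version in use, and is the check to run before and after the change.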