MOHAMED

Reputation: 43588

SSL_CTX_set_cipher_list() does not have an effect

I'm using OpenSSL for my server developed in C.

OpenSSL is called in my source code in the following way:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

SSL_CTX* InitServerCTX(void)
{
    const SSL_METHOD *method;   /* TLSv1_2_server_method() returns a const pointer */
    SSL_CTX *ctx;

    OpenSSL_add_all_algorithms();  /* load & register all cryptos, etc. */
    SSL_load_error_strings();   /* load all error messages */
    method = TLSv1_2_server_method();  /* create new server-method instance */
    ctx = SSL_CTX_new(method);   /* create new context from method */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    return ctx;
}

int main(int count, char *Argc[])
{
    SSL_CTX *ctx;
    int server;
    char *portnum;

    // Initialize the SSL library
    SSL_library_init();
    ctx = InitServerCTX();        /* initialize SSL */
    ...
}

I tested my server with ssllabs.com and it flagged weak ciphers among those my server supports.


I tried to add the following line after initiating context

SSL_CTX_set_cipher_list(ctx, "ALL:!NULL-MD5:!NULL-SHA:!NULL-RSA");

But nothing changed!

How do I disable these weak ciphers in my server?

Upvotes: 0

Views: 1290

Answers (1)

Steffen Ullrich

Reputation: 123531

 SSL_CTX_set_cipher_list(ctx, "ALL:!NULL-MD5:!NULL-SHA:!NULL-RSA");

This cipher setting does nothing to disable typical weak ciphers. On the contrary: this enables practically all ciphers (due to ALL), including many weak ciphers, and only disables a very few NULL ciphers.

At the very least you should use HIGH and not ALL. Even better recommendations can be found at the Mozilla server configuration.

Upvotes: 1
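As an added check, not code from the question or the answer: expanding both cipher strings with Python's ssl module, whose set_ciphers() calls SSL_CTX_set_cipher_list() underneath, shows what the asker's string actually enables and what a HIGH-based string leaves out. The HIGH:!aNULL:!MD5 string and the weakness markers are my assumptions, built on the answer's advice to use HIGH.

```python
import re
import ssl

# The string from the question, and a tightened one built on the answer's
# advice (HIGH instead of ALL); the !aNULL:!MD5 exclusions are my assumption.
ASKER_CIPHERS = "ALL:!NULL-MD5:!NULL-SHA:!NULL-RSA"
HIGH_CIPHERS = "HIGH:!aNULL:!MD5"

# Markers in SSL_CIPHER_description() text that identify a weak suite:
# no authentication, no encryption, a legacy cipher, or an MD5 MAC.
WEAK_MARKERS = re.compile(r"Au=None|Enc=None|Enc=(RC4|DES|3DES|SEED|IDEA)|Mac=MD5")


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL enables for cipher_string.

    SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), so this is the
    same expansion the C server in the question ends up with. TLS 1.3 suites
    are configured separately (SSL_CTX_set_ciphersuites) and are skipped.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string):
    """Sorted names of enabled suites that match WEAK_MARKERS or offer
    fewer than 128 bits of symmetric strength."""
    return sorted(
        c["name"]
        for c in expand_cipher_string(cipher_string)
        if c["strength_bits"] < 128 or WEAK_MARKERS.search(c["description"])
    )


if __name__ == "__main__":
    for label, spec in (("question", ASKER_CIPHERS), ("HIGH", HIGH_CIPHERS)):
        enabled = expand_cipher_string(spec)
        weak = weak_suites(spec)
        print(f"{label}: {spec!r} enables {len(enabled)} suites, {len(weak)} weak")
        for name in weak:
            print("    " + name)
```

The exact suite names depend on the OpenSSL build Python is linked against, but the asker's string keeps the anonymous (Au=None) and legacy suites that ALL pulls in, while the HIGH-based string yields none of them.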
