I have read many articles that officially explain how to prevent OpenSSL Padding Oracles. They usually indicate that its CBC encryption suites leave you vulnerable.
The following list works for me and allows me to get an A on SSLLabs.
SSLProtocol -all + TLSv1.2 SSLHonorCipherOrder On SSLCipherSuite ECDH + AESGCM: DH + AESGCM: RSA + AESGCM :! Anüll :! MD5 :! DSS :! DOW :! MEDIUM
My problem is that I can not add any more without getting an F and being open to the Oracle Padding in question.
If I then compare that to the results of a security website, such as http://binance.com. They receive A + AND they have CBC figures present.
My question then, how can I protect myself against Oracle OpenSSL Padding (CVE-2016-2107), while allowing more ciphers? Is there more configuration I can do elsewhere to protect, while allowing a wider range of ciphers (LOW or not)? I also see that TLSv1.0 and TLSv1.1 can also be enabled with a limited number of ciphers. ****
My reasoning is that my current list prevents Safari 6-8, Android 2-4 and Windows 7 IE 8-10. I would like to open this.