diff --git a/src/kex.c b/src/kex.c
index 0df4d3eb..b071d5ea 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -48,7 +48,7 @@
 
 #ifdef WITH_BLOWFISH_CIPHER
 # if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
-#  define BLOWFISH "blowfish-cbc,"
+#  define BLOWFISH ",blowfish-cbc"
 # else
 #  define BLOWFISH ""
 # endif
@@ -58,10 +58,9 @@
 
 #ifdef HAVE_LIBGCRYPT
 # define AES "aes256-gcm@openssh.com,aes128-gcm@openssh.com," \
-             "aes256-ctr,aes192-ctr,aes128-ctr,"
-# define AES_CBC "aes256-cbc,aes192-cbc,aes128-cbc,"
-# define DES "3des-cbc"
-# define DES_SUPPORTED "3des-cbc"
+             "aes256-ctr,aes192-ctr,aes128-ctr"
+# define AES_CBC ",aes256-cbc,aes192-cbc,aes128-cbc"
+# define DES_SUPPORTED ",3des-cbc"
 
 #elif defined(HAVE_LIBMBEDCRYPTO)
 # ifdef MBEDTLS_GCM_C
@@ -69,23 +68,21 @@
 # else
 #  define GCM ""
 # endif /* MBEDTLS_GCM_C */
-# define AES GCM "aes256-ctr,aes192-ctr,aes128-ctr,"
-# define AES_CBC "aes256-cbc,aes192-cbc,aes128-cbc,"
-# define DES "3des-cbc"
-# define DES_SUPPORTED "3des-cbc"
+# define AES GCM "aes256-ctr,aes192-ctr,aes128-ctr"
+# define AES_CBC ",aes256-cbc,aes192-cbc,aes128-cbc"
+# define DES_SUPPORTED ",3des-cbc"
 
 #elif defined(HAVE_LIBCRYPTO)
 # ifdef HAVE_OPENSSL_AES_H
 #  define GCM "aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
-#  define AES GCM "aes256-ctr,aes192-ctr,aes128-ctr,"
-#  define AES_CBC "aes256-cbc,aes192-cbc,aes128-cbc,"
+#  define AES GCM "aes256-ctr,aes192-ctr,aes128-ctr"
+#  define AES_CBC ",aes256-cbc,aes192-cbc,aes128-cbc"
 # else /* HAVE_OPENSSL_AES_H */
 #  define AES ""
 #  define AES_CBC ""
 # endif /* HAVE_OPENSSL_AES_H */
 
-# define DES "3des-cbc"
-# define DES_SUPPORTED "3des-cbc"
+# define DES_SUPPORTED ",3des-cbc"
 #endif /* HAVE_LIBCRYPTO */
 
 #ifdef WITH_ZLIB
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index ebc2cdbd..83a5f773 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -1431,7 +1431,7 @@ static void torture_config_plus(void **state,
     const char *def_mac = ssh_kex_get_default_methods(SSH_MAC_C_S);
     const char *fips_mac = ssh_kex_get_fips_methods(SSH_MAC_C_S);
     const char *hostkeys_added = ",ssh-rsa";
-    const char *ciphers_added = "aes128-cbc,aes256-cbc";
+    const char *ciphers_added = ",aes128-cbc,aes256-cbc";
     const char *kex_added = ",diffie-hellman-group14-sha1,diffie-hellman-group1-sha1";
     const char *mac_added = ",hmac-sha1,hmac-sha1-etm@openssh.com";
     char *awaited = NULL;
@@ -1558,8 +1558,6 @@ static void torture_config_minus(void **state,
         awaited = calloc(strlen(def_ciphers) + 1, 1);
         rc = snprintf(awaited, strlen(def_ciphers) + 1, "%s", def_ciphers);
         assert_int_equal(rc, strlen(def_ciphers));
-        /* remove the comma at the end of the list */
-        awaited[strlen(awaited) - 1] = '\0';
     }
     /* remove the substring from the defaults */
     helper_remove_substring(awaited, ciphers_removed, 0);
@@ -1676,8 +1674,6 @@ static void torture_config_caret(void **state,
         rc = snprintf(awaited, strlen(ciphers_prio) + strlen(def_ciphers) + 1,
                       "%s%s", ciphers_prio, def_ciphers);
         assert_int_equal(rc, strlen(ciphers_prio) + strlen(def_ciphers));
-        /* remove the comma at the end of the list */
-        awaited[strlen(awaited) - 1] = '\0';
     }
 
     assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S], awaited);