Virtual Router/ Firewall/ VPN

Frequent Visitor
Posts: 1
Registered: ‎07-01-2016

6.7R10 cipher list for https


I'm trying to modify the lighttpd cipher list. I need to remove the DES-CBC-SHA ciphers. After many hours of trying I find that any cipher list that allows the service to start effectively gives the same cipher availabilities.

For instance, if I list ciphers that are not accepted, restarting https reports: network.c.721 ssl error SSL_CTX_set_cipher_list no cipher match.

But if I use *one* that works, like DHE-RSA-AES256-SHA or ECDHE-RSA-AES256-SHA, then my test connection works:

openssl s_client -cipher DES-CBC-SHA -connect IP:PORT

Has anyone had any success in this area? Updating lighttpd? Updating openssl?

Thanks! 

Member
Posts: 1
Registered: ‎07-22-2016

Re: 6.7R10 cipher list for https

Answering my own question. 

The /etc/lighttpd/conf-enabled/10-ssl.conf is not exactly correct. When you bind https to a specific address, the cipher-list is not being used from the master cipher-list. You can easily copy the ssl.cipher-list into the stanza for the IP address, or patch vyatta-update-webgui-listen-addr.pl to include the cipher-list within the address list.

My patch:

--- /opt/vyatta/sbin/vyatta-update-webgui-listen-addr.pl	2016-01-08 14:56:13.000000000 -0600
+++ vyatta-update-webgui-listen-addr.pl	2016-07-22 13:10:03.247288711 -0500
@@ -46,6 +46,7 @@
 		}
 		print $fp "                  ssl.engine                  = \"enable\"\n";
 		print $fp "                  ssl.pemfile                 = \"/etc/lighttpd/server.pem\"\n";
+                print $fp "                  ssl.cipher-list             = \"TLSv1+HIGH !SSLv2 !aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4 \@STRENGTH\"\n";
 		print $fp "}\n";
 		if (defined($http_redir) && $http_redir eq "enable"){
 			if ($addr =~ /:/) {
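Review bot: the cipher string on the added ssl.cipher-list line is hard-coded inside the Perl generator instead of being taken from the master ssl.cipher-list in /etc/lighttpd/conf-enabled/10-ssl.conf, so the two lists will drift the next time either one is edited; read the master value (or keep it in one variable the script interpolates) and emit that into the per-address stanza. The new line is also indented with spaces while the neighbouring print lines use tabs. Escaping the trailing keyword as \@STRENGTH is correct, since a bare @ inside the double-quoted string would be interpolated as an array.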
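As an added example that is not part of this thread or of the Vyatta script: a small Python audit that finds $SERVER["socket"] stanzas which enable ssl.engine without their own ssl.cipher-list, pulls the master list out of 10-ssl.conf, and renders a per-address stanza that carries the list explicitly, which is the approach the reply above recommends. The two config snippets, the address 192.0.2.10:443 and the assumption that the master list sits on a single `ssl.cipher-list = "..."` line are constructed for the example, not taken from a real 6.7R10 system.

```python
"""Added example (not from the forum post or the Vyatta/Brocade project):
audit a lighttpd config for per-socket SSL stanzas that lack ssl.cipher-list,
and render a stanza that carries the master list from 10-ssl.conf."""
import re

# Constructed stand-in for /etc/lighttpd/conf-enabled/10-ssl.conf.
# Assumption: the master list is on one line of the form ssl.cipher-list = "...".
MASTER_SSL_CONF = '''
ssl.engine      = "enable"
ssl.pemfile     = "/etc/lighttpd/server.pem"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 !aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4 @STRENGTH"
'''

# Constructed stand-in for the stanza the unpatched generator emits for a
# hypothetical listen address 192.0.2.10:443 (no ssl.cipher-list of its own).
GENERATED_LISTEN_CONF = '''
$SERVER["socket"] == "192.0.2.10:443" {
                  ssl.engine                  = "enable"
                  ssl.pemfile                 = "/etc/lighttpd/server.pem"
}
'''

# ssl.cipher-list = "<value>" at the start of a line (leading whitespace allowed)
CIPHER_LIST_RE = re.compile(r'^\s*ssl\.cipher-list\s*=\s*"([^"]*)"', re.M)
# one non-nested $SERVER["socket"] == "<addr>" { ... } block, as the generator writes it
SOCKET_STANZA_RE = re.compile(
    r'\$SERVER\["socket"\]\s*==\s*"([^"]+)"\s*\{(.*?)\n\}', re.S)


def master_cipher_list(conf_text):
    """Return the ssl.cipher-list value found in the master config, or None."""
    m = CIPHER_LIST_RE.search(conf_text)
    return m.group(1) if m else None


def socket_stanzas_missing_cipher_list(conf_text):
    """Return the addresses of socket stanzas that set ssl.engine = "enable"
    but carry no ssl.cipher-list of their own. Those are the stanzas whose
    cipher set did not follow the master list in the behaviour described
    in the thread."""
    missing = []
    for addr, body in SOCKET_STANZA_RE.findall(conf_text):
        engine_on = re.search(r'ssl\.engine\s*=\s*"enable"', body)
        if engine_on and not CIPHER_LIST_RE.search(body):
            missing.append(addr)
    return missing


def render_socket_stanza(addr, cipher_list, pemfile="/etc/lighttpd/server.pem"):
    """Render a per-address stanza that states the cipher list explicitly
    instead of relying on the global setting."""
    return (
        f'$SERVER["socket"] == "{addr}" {{\n'
        f'    ssl.engine      = "enable"\n'
        f'    ssl.pemfile     = "{pemfile}"\n'
        f'    ssl.cipher-list = "{cipher_list}"\n'
        f'}}\n'
    )


if __name__ == "__main__":
    bad = socket_stanzas_missing_cipher_list(GENERATED_LISTEN_CONF)
    print("socket stanzas without ssl.cipher-list:", bad)
    master = master_cipher_list(MASTER_SSL_CONF)
    for addr in bad:
        print(render_socket_stanza(addr, master))
```

The audit is meant to be run against the generated lighttpd config after the webgui listen address is changed, since the generator rewrites that stanza each time; a stanza reported by it is one that will serve whatever cipher set OpenSSL chooses on its own rather than the hardened master list.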
