
Frequent Visitor
Posts: 1
Registered: ‎07-01-2016

6.7R10 cipher list for https


I'm trying to modify the lighttpd cipher list. I need to remove the DES-CBC-SHA ciphers. After many hours of trying I find that any cipher list that allows the service to start effectively gives the same cipher availabilities.


For instance, if I list ciphers that are not accepted, restarting https reports network.c.721 ssl error SSL_CTX_set_cipher_list no cipher match.


But if I use *one* that works, like DHC-RSA-AES256-SHA or ECDHE-FSA-AES256-SHA, then my test connection works:

openssl s_client -cipher DES-CBC-SHA -connect IP:PORT



Has anyone had any success in this area? Updating lighttpd? Updating openssl?



Posts: 1
Registered: ‎07-22-2016

Re: 6.7R10 cipher list for https

Answering my own question. 


The /etc/lighttpd/conf-enabled/10-ssl.conf is not exactly correct. When you bind https to a specific address, the cipher-list is not being picked up from the master cipher-list. You can easily copy the ssl.cipher-list into the stanza for the IP address, or patch the   to include the cipher-list within the address stanza.


My patch:

--- /opt/vyatta/sbin/	2016-01-08 14:56:13.000000000 -0600
+++	2016-07-22 13:10:03.247288711 -0500
@@ -46,6 +46,7 @@
 		print $fp "                  ssl.engine                  = \"enable\"\n";
 		print $fp "                  ssl.pemfile                 = \"/etc/lighttpd/server.pem\"\n";
+                print $fp "                  ssl.cipher-list             = \"TLSv1+HIGH !SSLv2 !aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4 \@STRENGTH\"\n";
 		print $fp "}\n";
 		if (defined($http_redir) && $http_redir eq "enable"){
 			if ($addr =~ /:/) {
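Review bot: the added ssl.cipher-list line only excludes single DES via "!DES"; the 3DES suites (e.g. DES-CBC3-SHA) are a separate "3DES" group and remain selectable under HIGH on the OpenSSL releases of that era, so if the goal is to drop the whole DES family the string should also carry "!3DES". Two smaller points on the same line: it hard-codes a second copy of the cipher string instead of reusing the value already in 10-ssl.conf, so the two can silently drift apart, and it is indented with spaces while the surrounding print lines use tabs. After regenerating the config and restarting, confirm the change took effect on the bound address with `openssl s_client -cipher DES-CBC-SHA -connect IP:PORT`, which should now fail the handshake rather than connect.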
