TLS/Cyphers question

Hi all,

SSL Labs gives me an A which is good, but there are weak cyphers still lingering in Nethserver…

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128

Is there a way to get rid of the weak cyphers?
Thanks in advance

GB

It should be possible to define the ciphers in /etc/httpd/conf.d/nethserver.conf; you may need a custom template.

1 Like

Thanks for the reply… I’d need a bit of help here, please, as I don’t want to mess things up…
thanks
GB

The following customization overrides the TLS policy setting for httpd.

Create the directory for the custom template fragment:

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf.d/nethserver.conf/

Create the fragment file /etc/e-smith/templates-custom/etc/httpd/conf.d/nethserver.conf/11tls_policy_custom with the following content:

# custom cipher selection
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384

SSLHonorCipherOrder on
SSLCompression Off

Apply the configuration:

signal-event nethserver-httpd-update

1 Like
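To see what the SSLCipherSuite string in the answer above actually leaves negotiable before touching a production box, it can be fed to the local OpenSSL through Python's ssl module and cross-checked against the suite ids (0xc030, 0xc028, …) from the SSL Labs report in the first post. This is an added example for this thread, not code from NethServer or from either poster; it assumes a Python build linked against OpenSSL (1.1.1 or later, so TLS 1.3 suites also show up) and only tells you what this OpenSSL would offer with that string, not what the live httpd is serving.

```python
import ssl

# Cipher string from the 11tls_policy_custom fragment posted in the answer above.
NETHSERVER_CIPHER_STRING = (
    "ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
    "!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384"
)

# Rows transcribed from the SSL Labs output in the first post:
# (16-bit suite id, IANA suite name, flagged WEAK by SSL Labs).
SSLLABS_ROWS = [
    (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", False),
    (0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", True),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),
    (0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", True),
    (0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", False),
    (0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", True),
    (0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", False),
    (0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", True),
    (0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384", True),
    (0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256", True),
    (0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256", True),
    (0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256", True),
]


def negotiable_suites(cipher_string):
    """Apply the cipher string to a server-side context exactly as httpd's
    mod_ssl would hand it to OpenSSL, and return the suites OpenSSL keeps,
    keyed by their 16-bit suite id (the value SSL Labs prints in hex)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() reports the full id (0x0300xxxx); mask to the wire id.
    return {c["id"] & 0xFFFF: c for c in ctx.get_ciphers()}


def policy_checks(cipher_string):
    """Two properties the posted string is meant to guarantee: every remaining
    suite is AEAD (no CBC/HMAC suites, which is what !SHA1:!SHA256:!SHA384
    removes) and none uses static RSA key exchange (what !RSA removes)."""
    suites = negotiable_suites(cipher_string)
    return {
        "count": len(suites),
        "all_aead": all(c["aead"] for c in suites.values()),
        "no_static_rsa_kx": all(c["kea"] != "kx-rsa" for c in suites.values()),
    }


def audit_against_ssllabs(cipher_string, rows=SSLLABS_ROWS):
    """Split the SSL Labs rows into suites the string still offers and suites
    it removed, so the result can be compared with the WEAK column."""
    suites = negotiable_suites(cipher_string)
    kept = [name for sid, name, _ in rows if sid in suites]
    removed = [name for sid, name, _ in rows if sid not in suites]
    return kept, removed


if __name__ == "__main__":
    kept, removed = audit_against_ssllabs(NETHSERVER_CIPHER_STRING)
    print("still offered:", *kept, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("checks:", policy_checks(NETHSERVER_CIPHER_STRING))
```

Running it with `audit_against_ssllabs("ALL")` first shows all twelve rows offered, which is the state the first post complains about; with the posted string the eight WEAK rows disappear and only the four GCM suites with forward secrecy survive (plus the TLS 1.3 suites, which the string does not govern). After `signal-event nethserver-httpd-update` the same comparison should be repeated with a fresh SSL Labs scan, since this only checks the cipher string, not the running server.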

Thanks for the help, I’d have messed up on my own… Appreciate the assistance and your time…

2 Likes