ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

SSL cipher list for UI not being obeyed?

https://mail.forum.configserver.com/viewtopic.php?t=6856

Page 1 of 1

SSL cipher list for UI not being obeyed?

Posted: 07 Aug 2013, 15:02
by aww+
I have a specific cipher list for the built-in UI and I just noticed it's not being obeyed?

Perhaps it's not enforcing server-side cipher order?
Or maybe it's a limitation of the perl ssl libraries?

I cannot seem to find newer libraries for centos and I'd rather not install them outside of rpm management

Code: Select all

 perl-IO-Socket-SSL               noarch               1.31-2.el6                  base                    
 perl-Net-SSLeay                   x86_64               1.35-9.el6                  base
CSF doesn't have settings for ssl-protocols and prefer-server-ciphers?
Is it possible to support such settings via the perl libraries without too much difficulty?

ie.
UI_SERVER_CIPHERS="1"
UI_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

Server cipher order probably shouldn't even be an option, it should be default. Protocols would be nice if possible.

Re: SSL cipher list for UI not being obeyed?

Posted: 08 Aug 2013, 15:18
by ForumAdmin
IO::Socket::SSL, by default, allows the end-user to select which cipher they want to use from one of those offered. To enforce the cipher order by the server SSL_honor_cipher_order has to be set. We'll look at setting that by default in the next release.

Re: SSL cipher list for UI not being obeyed?

Posted: 09 Aug 2013, 13:00
by aww+
Thanks for adding this in the new CSF.

The bad news is people need io-socket-ssl 1.67 or newer to use it
The CentOS rpms for yum are very outdated. Some respository really would do CentOS users a favor by making newer libraries available for perl-IO-Socket-SSL and perl-Net-SSLeay

https://raw.github.com/noxxi/p5-io-sock ... er/Changes

Code: Select all

v1.67 2012.05.07
  - new config key SSL_honor_cipher_order and documented how to use it to fight BEAST attack.
Please also add sometime in the future the config setting for `SSL_version` so TLS can be forced?
Should not be set by default. TLS is required for perfect forward secrecy.

Code: Select all

SSL_version
    Sets the version of the SSL protocol used to transmit data. 'SSLv23' auto-negotiates between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3' or 'TLSv1' restrict the protocol to the specified version. All values are case-insensitive.

    You can limit to set of supported protocols by adding !version separated by ':'.

    The default SSL_version is 'SSLv23:!SSLv2' which means, that SSLv2, SSLv3 and TLSv1 are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions 1.1 and 1.2 while allowing TLS version 1.0.
My outdated libraries are allowing me to force TLS but I cannot force cipher order :-(

Will have to see if I can compile a newer io-socket-ssl

Re: SSL cipher list for UI not being obeyed?

Posted: 16 Aug 2013, 10:34
by ForumAdmin
This has been implemented in csf v6.31:
http://blog.configserver.com/?p=1978
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited