-
Title
How to disable weak ciphers on the webUI -
Description
From PSM version 5F3 by default the webUI only uses strong ciphers (TLS 1.2) and it is possible to allow the usage of TLS 1.1.
In 5LTS versions this is not implemented.
-
Cause
It is possible to patch the config however to force the usage of TLS 1.2 alone but this will make the core firmware tainted. -
Resolution
Step-by-step guide
- Upload the patch to the appliance via SCP to /mnt/firmware/root directory. Example:
scp patch-lighttpd-cipher.sh root@PSM_IP_ADDR:/mnt/firmware/root - Log in to core shell and issue the following commands:
cd /root; chmod u+x patch-lighttpd-cipher.sh./patch-lighttpd-cipher.shmakeworld -asystemctl restart lighttpd.service
Expected cipher list:
$ sslscan lcsscb5lts | grep -e Preferred -e Accepted
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bitsExpected tainted file list:
(boot/master/lcsscb5lts)root@scb1:~# xcbclient self xcb_check_core_files
/mnt/drbd/private/root/usr/lib/python3/dist-packages/scb/local_services/http/templates/lighttpdconfig.tpl
/mnt/drbd/private/root/etc/lighttpd/lighttpd.conf - Upload the patch to the appliance via SCP to /mnt/firmware/root directory. Example:
-
Attachments