-
Title
Modify cipher list of lighttpd web interface -
Description
Modify cipher list of lighttpd web interface -
Resolution
WORKAROUND
1. Modify the /opt/ssb/share/templates/config/lighttpd.tpl file on the core shell.
2. Append cipher requirements to be blocked to the end of the string in the ssl.cipher-list:e.g ssl.cipher-list = "{originalstring}!blockedcipher1:!blockedcipher2"
e.g ssl.cipher-list = "{{$cipher_suites[$cipher_suite]}}!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!AES128-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256"
The ! is used to define cipher not allowed for connection.
To apply the changes immediately, execute the following commands:3. /opt/ssb/bin/makeworld.php --all
There should not be any errors after running this command.
4. systemctl restart lighttpdThere should not be any errors after running this command.To avoid any impact to users, verify these changes in a lab environment before making changes in a production setup. Please note that these changes will cause tainted firmware and affect the upgrading so it is necessary to redo the cipher list customization again after upgrading. For more information review KB 259243.