How to disable Weak Cipher
-
How can I disable the cipher "DES-CBC-SHA"? It is a 56 bit DES Key. I've verified this with openssl and it is considered "weak".
Thanks,
-
Disable from where? OpenVPN? IPsec?
Both of those places use the cipher(s) you explicitly choose, it wouldn't be automatically selected.
-
The ssl login to the webconfigurator. A change to lighttpd should do the trick.
-
What are you trying that shows that cipher is even being used?
When I connect, the browser reports it is using Camellia-256.
-
openssl. from freebsd command line:
openssl s_client -connect "x.x.x.x:443 -cipher LOWYou have to "force" the LOW cipher.
-
So if you have to force it I'm not sure I see the problem. :-)
I presume you're talking about this lighttpd modification?
http://linuxadminzone.com/disable-weak-ssl-ciphers-in-lighttpd-in-linux/
It might be worth opening a feature request ticket in redmine to make that change if it's really needed.
-
So if you have to force it I'm not sure I see the problem. :-)
The issue is that if someone has their browser set to use the low cipher it could be intercepted and cracked because of the weak cipher strength. I haven't read that specific article but yes, that is exactly what I'm talking about. I'm sure you've come across the SSLv2 issues and the fact that they are weak ciphers and should not be used. Same for this specific cipher, it should not be enabled.
There are also a few other minor issues that only an enterprise would likely care about.. Like the fact the HttpOnly cookie is not set, the secure attribute for cookies is not set, and autocomplete is enabled. Again, minor but someone at some point may care (client?).
-
We had autocomplete disabled for the longest time but convenience and user pressure led us to re-enable it. It could be made an option, though.
Not sure about the cookie settings, someone else may have to comment on those.
-
These changes have been committed.
-
That's great. Thanks guys!