Custom SSL Cipher Suites

andrin · June 19, 2017, 7:31pm

Hello

It would be nice if we would be able to set the ssl cipher suites for the webgui.
With the default Installation the following cipher suites are vulnerable to “Sweet32”:
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

https://sweet32.info/

I’d like to disable them. Is there an “official” way of doing so? If not, a custom configuration option for nginx in the services tab (like you did with samba) would be nice.

Thank you

Haioken · November 17, 2017, 12:39am

No official way exists, however if you don’t mind something a little hacky for the time being, have a look at my topic Using nginx/pi-hole to reverse proxy (the dodgy way)

Specifically, referring the code for /root/scripts/nginx-proxy.sh, which allows you to inject a custom config into Rockstor’s own nginx, included in the ‘http’ section.
You should then be able to specify your own cipher suite list using the following statements:

ssl_prefer_server_ciphers
ssl_protocols
ssl_ciphers

Cheers,

Hayden.