Custom SSL Cipher Suites

Hello

It would be nice if we were able to set the SSL cipher suites for the web GUI.
With the default installation, the following cipher suites are vulnerable to “Sweet32”:
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

https://sweet32.info/

I’d like to disable them. Is there an “official” way of doing so? If not, a custom configuration option for nginx in the services tab (like you did with samba) would be nice.

Thank you

No official way exists; however, if you don’t mind something a little hacky for the time being, have a look at my topic “Using nginx/pi-hole to reverse proxy (the dodgy way)”.

Specifically, I’m referring to the code for /root/scripts/nginx-proxy.sh, which allows you to inject a custom config into Rockstor’s own nginx, included in the ‘http’ section.
You should then be able to specify your own cipher suite list using the following statements:

  • ssl_prefer_server_ciphers
  • ssl_protocols
  • ssl_ciphers

Cheers,

Hayden.

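A way to check the result after changing ssl_ciphers, as an added example that is not part of the original posts or of Rockstor: it parses a cipher listing in the format quoted in the question and reports every suite that still uses a 64-bit block cipher, which is what Sweet32 depends on. The function names and the two AES sample lines are constructed for illustration.

```python
# Added example: flag Sweet32-exposed suites in `openssl ciphers -v` style output.

# Enc= algorithm prefixes that denote a 64-bit block cipher (the Sweet32 precondition).
BLOCK64_PREFIXES = ("3DES", "DES", "IDEA", "RC2")

# Constructed sample: the three lines quoted in the question plus two AES lines
# made up for contrast (one carries the protocol column newer OpenSSL prints).
SAMPLE = """\
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
"""


def parse_cipher_line(line):
    """Return a dict with 'name' plus the Kx/Au/Enc/Mac fields, or None if blank."""
    tokens = line.split()
    if not tokens:
        return None
    entry = {"name": tokens[0]}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep:  # skip bare columns such as the protocol version
            entry[key] = value
    return entry


def is_sweet32_exposed(entry):
    """True when the Enc= field names a 64-bit block cipher."""
    algorithm = entry.get("Enc", "").split("(")[0].upper()
    return algorithm.startswith(BLOCK64_PREFIXES)


def audit(listing):
    """Return the names of all suites in the listing that use a 64-bit block cipher."""
    flagged = []
    for line in listing.splitlines():
        entry = parse_cipher_line(line)
        if entry and is_sweet32_exposed(entry):
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("64-bit block cipher, disable:", name)
```

Feed it the output of `openssl ciphers -v '<your ssl_ciphers value>'`; an empty result means the list you configured no longer expands to any 3DES, DES, IDEA or RC2 suite.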