SYSTEM INFORMATION | |
---|---|
OS Version | RHEL 7.6 (Maipo) |
Webmin version | 1.991 |
=============================================================
I used a vulnerability scanner and found that miniserv is enumerating ciphers that are undesirable.
Detection Result
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
And,
Detection Result
‘Weak’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
My config in: /etc/webmin/miniserv.conf is:
cipher_list_def=0
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:!RC4:HIGH:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
Two questions:
- cipher_list_def=0 <<=== does this activate the cipher list in my config, or do I need to manually manipulate that? Should it be set to “1”?
- If I only want to support TLS 1.2, should it look like:
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:!RC4:HIGH:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
I used a reference, https://ssl-config.mozilla.org. I input the Apache version I’m running on the same web server and the OpenSSL version my server is running, and it enumerated a suggested config that looks like:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
How do I create this in the /etc/webmin/miniserv.conf ?
TIA!
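An added example for this thread (not the poster's code and not part of Webmin): a Python check that expands a cipher string through the local OpenSSL the same way miniserv will, so a candidate `ssl_cipher_list` can be vetted for the 3DES (SWEET32), RC4 and SEED suites the scanner flagged and for forward secrecy before it goes into miniserv.conf. It also emits the miniserv.conf lines for a TLS 1.2-only listener and includes a probe for the live port. Two things worth knowing when reading the output: OpenSSL silently skips cipher-list entries it does not recognise, so a misspelt or unknown alias never fails loudly, and on RHEL 7's OpenSSL 1.0.2 the 3DES suites are still in the HIGH group (they moved to MEDIUM in 1.1.0), so a HIGH-based list needs an explicit !3DES there. The `no_sslv3`, `no_tls1` and `no_tls1_1` key names are assumptions to confirm against the installed miniserv.pl, as is what `cipher_list_def` actually toggles; nothing in the code depends on the latter. The host name in the final comment is a placeholder.

```python
"""Vet an OpenSSL cipher string before it goes into /etc/webmin/miniserv.conf.

Added example for this thread; not the poster's code and not part of Webmin.
It runs offline against the OpenSSL linked into this Python, so the expansion
reflects that library's version, just as miniserv's reflects the system one.
"""
import re
import socket
import ssl

# Cipher strings copied from the post.
CURRENT_CONFIG = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:!RC4:HIGH:"
    "+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:"
    "!ADH:!EDH:!AESGCM"
)
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# Bulk ciphers the scanner in the post flagged: 3DES (SWEET32), RC4, SEED.
WEAK_ENC = re.compile(r"Enc=(3DES|RC4|SEED)\(")
# Kx= values in OpenSSL's cipher description that provide forward secrecy.
PFS_KX = {"ECDH", "DH"}


def expand(cipher_string):
    """Return the pre-TLS-1.3 suites OpenSSL enables for cipher_string.

    OpenSSL skips list entries it does not recognise without any error, so a
    string can look strict and still expand to something a scanner dislikes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError only if nothing at all matches
    # TLS 1.3 suites are configured separately and always show up; drop them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Classify the expansion: scanner-flagged suites and suites without PFS."""
    suites = expand(cipher_string)
    weak, no_pfs = [], []
    for c in suites:
        # e.g. "AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256"
        desc = c["description"]
        if WEAK_ENC.search(desc):
            weak.append(c["name"])
        kx = re.search(r"Kx=(\S+)", desc)
        if not kx or kx.group(1) not in PFS_KX:
            no_pfs.append(c["name"])
    return {"count": len(suites), "weak": weak, "no_pfs": no_pfs}


def miniserv_lines(cipher_string):
    """miniserv.conf lines for a TLS 1.2-only listener using cipher_string.

    Assumption: the no_sslv3/no_tls1/no_tls1_1 keys are read by the installed
    miniserv.pl; grep for them there before relying on them.
    """
    return [
        "ssl=1",
        "no_sslv3=1",
        "no_tls1=1",
        "no_tls1_1=1",
        "ssl_cipher_list=" + cipher_string,
    ]


def accepts(host, port, cipher, timeout=5.0):
    """True if the live server completes a TLS 1.2 handshake offering only `cipher`.

    Needs network access to the Webmin port, so it is not exercised offline.
    @SECLEVEL=0 stops the client-side OpenSSL from refusing the weak suite
    itself; a suite this OpenSSL no longer compiles in (RC4 on most modern
    builds) still cannot be offered, and set_ciphers raises for it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # certificate trust is not what is being tested
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for label, cs in (("current", CURRENT_CONFIG), ("mozilla", MOZILLA_INTERMEDIATE)):
        r = audit(cs)
        print(f"{label}: {r['count']} suites, weak={r['weak']}, no_pfs={r['no_pfs']}")
    print("\n".join(miniserv_lines(MOZILLA_INTERMEDIATE)))
    # After restarting miniserv, against the real host (placeholder name here):
    # print(accepts("webmin.example.internal", 10000, "DES-CBC3-SHA"))  # want False
```

Run it once on the RHEL 7 box itself so the expansion comes from the same OpenSSL 1.0.2 that miniserv links against, then rerun the scanner or `accepts()` against port 10000 after restarting Webmin; the Mozilla list is all-AEAD with ephemeral key exchange, which is why that profile leaves cipher ordering off and why the audit reports nothing for it.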