Miniserv cipher li

SYSTEM INFORMATION
OS Version RHEL 7.6 (Maipo)
Webmin version 1.991

=============================================================
I used a vulnerability scanner and found that miniserv is enumerating ciphers that are undesirable.
Detection Result
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
And,
Detection Result
‘Weak’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
My config in: /etc/webmin/miniserv.conf is:
cipher_list_def=0
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:!RC4:HIGH:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Two questions:

  1. cipher_list_def=0 <<=== does this activate the cipher list in my config, and do I need to manually manipulate that, or should it be set to “1”?
  2. If I only want to support TLS 1.2, should it look like:
    ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:!RC4:HIGH:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

I used a reference. https://ssl-config.mozilla.org I did input the apache version I’m running on the same web server and the openssl version my server is running and it enumerated a suggested config that looks like:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off

How do I create this in the /etc/webmin/miniserv.conf ?

TIA!

I learned that there’s a package in RHEL called perl-IO-Socket-SSL that is necessary to correctly handle ECDHE ciphers (RHEL Buglist [Bug 1044401]). I wondered if that possibly could have contributed to why it was failing when I was trying to describe specific ECDHE ciphers in my cipher list.

This made me realize that the Perl modules dealing with SSL don’t very well implement some of the newer OPENSSL cipher suites. I reverted to what I was seeing in my scans:
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

Then I reset my cipher string in Webmin config to read only:
AES256-GCM-SHA384:AES128-GCM-SHA256:!RC4:-TLSv1:-TLSv1.1:+TLSv1.2:!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH

After a re-scan:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

These are indeed the only cipher suites being enumerated by the scanner now.
I can be OK with the GCM based ciphers but didn’t want the cipher block chaining suites being offered. There are known vulnerabilities in those.
So the moral of this story is that perl-IO-Socket-SSL and perl-Net-SSLeay play a huge role in what SSL ciphers will be usable by the miniserv webserver even if your installed openssl supports better ciphers in apache, nginx, etc…
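A quick way to see what an ssl_cipher_list string actually expands to before re-scanning is to push it through OpenSSL's own cipher-string parser; the following is an added example (not from the thread or from Webmin) that does that via Python's ssl module for the two strings posted above and flags each resulting suite for the properties the scanner reported (RC4, SEED, 3DES, CBC), plus whether the key exchange gives forward secrecy, which none of the plain TLS_RSA_* suites do. The expansion is done by the OpenSSL build Python is linked against, so on the RHEL 7 box the set miniserv ends up with is whatever Net::SSLeay's OpenSSL resolves aliases like HIGH to.

```python
import ssl

# The two cipher strings posted in the thread above (copied as given).
ORIGINAL_LIST = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:!RC4:HIGH:+TLSv1:"
                 "+TLSv1.1:+TLSv1.2:!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM")
FINAL_LIST = ("AES256-GCM-SHA384:AES128-GCM-SHA256:!RC4:-TLSv1:-TLSv1.1:+TLSv1.2:"
              "!RC4:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH")


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it
    enables, using the OpenSSL that Python is linked against (another build,
    e.g. the one Net::SSLeay uses, may resolve aliases such as HIGH
    differently). TLS 1.3 suites are configured separately and are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:        # OpenSSL reports "no cipher match"
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Map each enabled suite name to the reasons a scanner would flag it:
    RC4, SEED, 3DES (SWEET32), a non-AEAD (CBC) construction and, as a
    caveat rather than a finding, RSA key exchange with no forward secrecy."""
    findings = {}
    for c in expand(cipher_string):
        sym = (c.get("symmetric") or "").lower()   # e.g. "aes-256-gcm", "des-ede3-cbc"
        kx = c.get("kea") or ""                     # e.g. "kx-rsa", "kx-ecdhe"
        reasons = []
        if "rc4" in sym:
            reasons.append("RC4 stream cipher")
        if "seed" in sym:
            reasons.append("SEED block cipher")
        if "des-ede3" in sym:
            reasons.append("3DES 64-bit block (SWEET32)")
        if not c["aead"]:
            reasons.append("not AEAD (CBC / MAC-then-encrypt)")
        if not kx.startswith(("kx-ecdhe", "kx-dhe")):
            reasons.append("no forward secrecy (%s)" % kx)
        findings[c["name"]] = reasons
    return findings


if __name__ == "__main__":
    for label, s in (("original", ORIGINAL_LIST), ("final", FINAL_LIST)):
        print("== %s ssl_cipher_list ==" % label)
        for name, reasons in audit(s).items():
            print("%-28s %s" % (name, "; ".join(reasons) or "ok"))
```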