Hi nh905,
Thanks for the update. I think Eric misread my question and I have been ill for 4 weeks so have not replied.
Where you typed in “10” that is not a protocol. The next field down shows the available protocols. You should be using TLSv1.1 or TLSv1.2. If you use Apache they are only available in Apache 2.4 (not 2.2).
I tried the following to generate an elliptical curve algorithm but Webmin would not restart.
openssl ecparam -list_curves
To establish the curves available.
openssl ecparam -name secp521r1 -genkey -out private-key.pem
To generate the key
openssl req -new -x509 -key private-key.pem -out server.pem -days 730
To generate the self-signed certificate
cat private-key.pem server.pem > /etc/webmin/miniserv.pem
To place the key and certificate in the pem file.
service webmin restart
To restart Webmin.
The message I received was:
Failed to open SSL key /etc/webmin/miniserv.pem at /usr/libexec/webmin/miniserv.pl line 4312.
This line reads:
$ssl_ctx, $keyfile,
I also noticed another minerv.pem in this directory.
Completely lost now lol
I generated an RSA SHA512 certificate and Chrome told me the cipher was obsolete (AES_256_CBC for encryption, HMAC_SHA1 for message authentication and RSA as the key exchange mechanism). I am using field ciphers for perfect forwarding secrecy.
After some reading I changed “Force use of server-defined cipher order?” to yes and in cipher list I typed
ALL:!ADH:!RC4:!LOW:!MEDIUM:!SSLv2:!SSLv3:!TLSv1:!EXP:+HIGH
(TLSv1.1 does not have a specific cipher list)
I am now getting AES_128_GCM for encryption and message authentication and RSA as the key exchange mechanism.
After reading some articles from 2014 I learned that both AES_128_GCM and AES_256_GCM are unbreakable and preferred over AES_128_GCM. Interestingly Chrome is still saying the ciphers are obsolete.
I am using CentOS 7.1.1503 and my rkhunter scans are telling me apache and openssl versions are out of date. I don’t know if this is part of the problem. CentOS are more interested in security and reliability over “cutting edge” from what I have read. From my experience it does seem that certain updates have long delays.
Philip
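As an added example (not part of Philip's post and not Webmin's own code), a small Python checker for a combined key-plus-certificate bundle such as /etc/webmin/miniserv.pem: it lists the PEM blocks in file order and flags the things that commonly make such a bundle unreadable, namely a missing key or certificate block, a wrong order, a BEGIN line without its matching END, and a stray "EC PARAMETERS" block (which `openssl ecparam -genkey` writes in front of the key unless `-noout` is given). The sample bundles inside it are constructed with placeholder base64 bodies, not real key material.

```python
import re
from typing import List, Tuple

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" with the same label X.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

KEY_LABELS = {"EC PRIVATE KEY", "RSA PRIVATE KEY", "PRIVATE KEY"}


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64 body) for each well-formed PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_miniserv_bundle(text: str) -> List[str]:
    """Report problems with a key+certificate bundle (empty list means it looks fine)."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    keys = [lbl for lbl in labels if lbl in KEY_LABELS]
    if not keys:
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if "EC PARAMETERS" in labels:
        problems.append("stray EC PARAMETERS block (regenerate key with -noout)")
    if keys and "CERTIFICATE" in labels and labels.index(keys[0]) > labels.index("CERTIFICATE"):
        problems.append("private key appears after certificate")
    if text.count("-----BEGIN") != len(labels):
        problems.append("malformed block: BEGIN without matching END")
    return problems


def _block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample bundles; the bodies are placeholder base64, not real keys.
GOOD_BUNDLE = _block("EC PRIVATE KEY", "MIGkAgEBBDA=") + _block("CERTIFICATE", "MIIBszCCAVk=")
# What `cat private-key.pem server.pem` yields when ecparam was run without -noout.
WITH_PARAMS = _block("EC PARAMETERS", "BgUrgQQAIw==") + GOOD_BUNDLE

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("with params", WITH_PARAMS)):
        print(name, [lbl for lbl, _ in pem_blocks(bundle)], check_miniserv_bundle(bundle) or "ok")
```

Run it against the real file with `check_miniserv_bundle(open("/etc/webmin/miniserv.pem").read())` to see which of these conditions, if any, applies before restarting the service.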