HindrikOxilion
Verified User
Joined: Sep 23, 2011
Messages: 33
Hello all,
We're trying to improve the SSL Cipherlist that's used for the DA service itself. According to the known docs, this should be controlled by the DirectAdmin conf setting "ssl_cipher": https://docs.directadmin.com/directadmin/general-usage/all-directadmin-conf-values.html#ssl-cipher
The option seems to be applied in the active config, since the desired ciphers are present when querying DirectAdmin's config via "directadmin c":
Bash:
# /usr/local/directadmin/directadmin c | grep ssl_cipher
ssl_cipher=HIGH:!aNULL:!MD5:!3DES
The goal is to remove (3)DES ciphers from the list. However, after some testing, it appears that this setting is completely ignored by the running service. We use nmap with the ssl-enum-ciphers script to test the presented ciphers, like so:
Bash:
nmap --script ssl-enum-ciphers <hostname> -p 2222
Which results in:
PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
We use this on CloudLinux 6 and 7 hosts (the CL6 hosts are still supported and maintained by CloudLinux). CL6 hosts use openssl 1.0.1.e, and CL7 hosts use openssl 1.0.2.k, both types display this same behaviour (not respecting the ssl_ciphers setting)...
Has anyone else run into this issue, and is there a fix to really disable the weak 3DES ciphers in DA?
With kind regards,
Hindrik Deelstra
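The check described in the post has two halves: what the configured cipher string should permit, and what the daemon actually negotiates. The following script (an added example, not the poster's code and not part of DirectAdmin) does both offline. It parses `nmap --script ssl-enum-ciphers` output and flags suites that contain 3DES or other weak markers, and it expands a cipher string such as `HIGH:!aNULL:!MD5:!3DES` through the local OpenSSL via Python's `ssl` module to show that the string itself does exclude 3DES, so a 3DES suite still appearing in the scan points at the service not applying the setting rather than at the string being wrong. The sample scan output is constructed to mirror the lines quoted above.

```python
import re
import ssl
from dataclasses import dataclass

# Constructed sample modelled on the nmap ssl-enum-ciphers output quoted
# in the post (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
"""


@dataclass(frozen=True)
class CipherSuite:
    protocol: str      # e.g. "TLSv1.2"
    name: str          # IANA suite name as printed by nmap
    key_exchange: str  # text inside the parentheses, e.g. "secp256r1"
    grade: str         # nmap's letter grade, A (strong) to F (broken)


# "|   TLSv1.2:" opens a protocol block; "|       TLS_... (kx) - G" is one suite.
PROTOCOL_LINE = re.compile(r"^\|\s+(SSLv\d|TLSv1(?:\.\d)?):\s*$")
CIPHER_LINE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Substrings that mark suites a defender would normally disable.
WEAK_MARKERS = ("3DES", "_DES_", "RC4", "NULL", "EXPORT", "_MD5")


def parse_ssl_enum_ciphers(text):
    """Return the CipherSuite entries found in nmap ssl-enum-ciphers output."""
    suites = []
    protocol = None
    for line in text.splitlines():
        m = PROTOCOL_LINE.match(line)
        if m:
            protocol = m.group(1)
            continue
        m = CIPHER_LINE.match(line)
        if m and protocol:
            suites.append(CipherSuite(protocol, m.group(1), m.group(2), m.group(3)))
    return suites


def weak_suites(suites):
    """Suites whose name contains any of WEAK_MARKERS (3DES included)."""
    return [s for s in suites if any(marker in s.name for marker in WEAK_MARKERS)]


def cipher_string_expands_to(cipher_string):
    """Expand an OpenSSL cipher string through the local OpenSSL build.

    This shows what the daemon *would* offer if it honoured the string;
    it does not contact any server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def has_3des(openssl_names):
    """True if any OpenSSL-style cipher name in the list is a 3DES suite."""
    return any("DES-CBC3" in n or "3DES" in n for n in openssl_names)


if __name__ == "__main__":
    configured = "HIGH:!aNULL:!MD5:!3DES"
    local = cipher_string_expands_to(configured)
    print(f"{configured!r} expands locally to {len(local)} suites; "
          f"3DES present: {has_3des(local)}")

    observed = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    for s in weak_suites(observed):
        print(f"WEAK  {s.protocol} {s.name} ({s.key_exchange}) grade {s.grade}")
```

Run it as-is to see the constructed sample flagged; to check a live host, pipe real `nmap --script ssl-enum-ciphers <hostname> -p 2222` output into `parse_ssl_enum_ciphers`. If the configured string expands without 3DES locally but the scan still lists `TLS_*_3DES_*` suites, the string is fine and the running service is the place to look.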