NGINX Reverse Proxy Ciphers

Started by utahbmxer, May 08, 2020, 06:33:33 PM

How can we change the ssl-ciphers that get generated in the nginx.conf file? I've poked around and don't see any obvious place. Are these hard coded, or do they use the system ones from System: Settings: Administration?

TIA

They are hardcoded to match mostly the Mozilla secure recommendations (I only added camellia as an alternative to AES).

Hmm interesting.  Even if I edit the /usr/local/etc/nginx.conf file to remove a few ciphers, they are still present when scanning.  I have a requirement to remove the weak ciphers identified by SSLLabs, strange that this wouldn't be an option within the plugin, as ciphers are cracked frequently, and certified organisations have to update the cipher list within a short time.

Looks like the ciphers can be influenced by editing the http.conf / webgui.conf / streams.conf under /usr/local/opnsense/service/templates/OPNsense/Nginx.

Can you mention what needs to be removed? I can also copy the Mozilla recommended ciphers again.

I removed the following three ciphers which are considered weak by SSLLabs (near the very end of the cipher list):

ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CAMELLIA256-SHA384
ECDHE-RSA-AES128-SHA256

(effectively due to RSA being involved I guess).

A lookup table between openssl and IANA ciphers:
https://testssl.sh/openssl-iana.mapping.html
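The edits described above are made to the `ssl_ciphers` directive in the nginx templates rather than to the generated nginx.conf, so it helps to have a repeatable way to strip the three suites and confirm they are gone after the config is regenerated. The script below is an added example, not code from this thread or from the OPNsense Nginx plugin: it reads an nginx config fragment (the `SAMPLE_CONF` snippet is constructed for illustration and is not the plugin's real template), removes the three suites named in the post, and runs a post-check over the result. As an assumption that goes beyond the thread, `is_weak()` also treats any remaining non-AEAD (CBC-mode) suite as weak, since that is the property SSL Labs actually grades down, not the RSA key exchange authentication in the suite name.

```python
"""Filter weak suites out of an nginx ``ssl_ciphers`` directive.

Added example, not part of the forum thread or the OPNsense plugin.
The sample config below is constructed for illustration only.
"""
import re

# The three suites the thread names as flagged weak by SSL Labs.
WEAK_SUITES = {
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-CAMELLIA256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
}

# Constructed sample in the shape of a generated nginx server block, with the
# three weak suites near the end of the list as the post describes.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
}
"""

# Matches one "ssl_ciphers <list>;" directive at the start of a line.
_DIRECTIVE = re.compile(r"^(?P<indent>[ \t]*)ssl_ciphers\s+(?P<list>[^;]+);", re.MULTILINE)


def parse_cipher_list(value):
    """Split an OpenSSL-style cipher list on ':' and drop empty entries/quotes."""
    return [c.strip() for c in value.strip().strip("'\"").split(":") if c.strip()]


def is_weak(suite):
    """True for the three suites from the thread and (assumption, beyond the
    thread) for any other non-AEAD suite: a name ending in -SHA/-SHA256/-SHA384
    without GCM, CCM or POLY1305 denotes a CBC-mode suite."""
    if suite in WEAK_SUITES:
        return True
    aead = any(tag in suite for tag in ("GCM", "CCM", "POLY1305"))
    return not aead and re.search(r"-SHA(256|384)?$", suite) is not None


def harden_cipher_list(value):
    """Return the cipher list with weak suites removed, order preserved."""
    return [c for c in parse_cipher_list(value) if not is_weak(c)]


def harden_config(conf):
    """Rewrite every ssl_ciphers directive in the config with weak suites removed."""
    def _sub(m):
        kept = harden_cipher_list(m.group("list"))
        return f"{m.group('indent')}ssl_ciphers {':'.join(kept)};"
    return _DIRECTIVE.sub(_sub, conf)


def remaining_weak(conf):
    """Post-check: list weak suites still configured (empty after hardening)."""
    found = []
    for m in _DIRECTIVE.finditer(conf):
        found.extend(c for c in parse_cipher_list(m.group("list")) if is_weak(c))
    return found


if __name__ == "__main__":
    print("weak suites before:", remaining_weak(SAMPLE_CONF))
    hardened = harden_config(SAMPLE_CONF)
    print(hardened)
    print("weak suites after:", remaining_weak(hardened))
```

Run it against the actual generated nginx.conf after the templates under /usr/local/opnsense/service/templates/OPNsense/Nginx have been edited and the config regenerated; `remaining_weak()` returning an empty list is the check that the template edit took effect, which a plain text edit of nginx.conf (overwritten on regeneration) would not pass.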

My colleague @seandmccarthy has submitted a patch against 20.7 to provide a cipher list drop-down menu similar to the one in the web configuration settings.

Take a look at patch:
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11