NGINX Reverse Proxy Ciphers

[utahbmxer]

How can we change the ssl-ciphers that get generated in the nginx.conf file?  I've poked around and don't see any obvious place.  Are these hard coded, do they use the system ones from System: Settings: Administration ??

TIA

[fabian]

They are hardcoded to match mostly the Mozilla secure recommendations (I only added camellia as an alternative to AES).

[astuckey]

Hmm interesting.  Even if I edit the /usr/local/etc/nginx.conf file to remove a few ciphers, they are still present when scanning.  I have a requirement to remove the weak ciphers identified by SSLLabs, strange that this wouldn't be an option within the plugin, as ciphers are cracked frequently, and certified organisations have to update the cipher list within a short time.

[astuckey]

Looks like the ciphers can be influenced by editing the http.conf / webgui.conf / streams.conf under /usr/local/opnsense/service/templates/OPNsense/Nginx.

[fabian]

Can you mention what needs to be removed? I can also copy the Mozilla recommend ciphers again.

[astuckey]

I removed the following three ciphers which are considered weak by SSLLabs (near the very end of the ciper list):

ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CAMELLIA256-SHA384
ECDHE-RSA-AES128-SHA256

(effectively due to RSA being involved I guess).

 A lookup table between openssl and IANA ciphers:
https://testssl.sh/openssl-iana.mapping.html

[astuckey]

My colleage @seandmccarthy has submitted a patch against 20.7 to provide a similar cipher list drop down menu as to the web configuration settings.

Take a look at patch:
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11