
Question: How to set SSL cipher options

Open J-Siu opened this issue 10 years ago • 3 comments

For example, in Apache or Lighttpd, one can disable sslv2, sslv3, tls1, tls1.1 individually, and also specify the cipher list available. How can those be done with Monkey?

J-Siu avatar Dec 11 '15 18:12 J-Siu

Monkey doesn't provide a mechanism to enable/disable specific ciphers. The SSL/TLS backend is provided by mbedTLS, which exposes the following:

https://tls.mbed.org/supported-ssl-ciphersuites

Anyway, I think it would be interesting to add that option. What are the specific ciphers that you want to blacklist?

edsiper avatar Dec 11 '15 18:12 edsiper

I am currently using the following settings in my lighttpd:

    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "AES256+EECDH"
    ssl.ec-curve = "secp384r1"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

Lighttpd doesn't allow disabling individual TLS versions, while Apache does.

J-Siu avatar Dec 11 '15 18:12 J-Siu

Thanks. I opened an issue with the mbedTLS team to check if they expose that feature:

https://github.com/ARMmbed/mbedtls/issues/371

If they do, that can be added. Otherwise we will have to provide the option at compile time.

edsiper avatar Dec 11 '15 18:12 edsiper