SSL / TLS Cipher suites outdated

General Help
1

Current Version - 12.0.76.4 (I know its old, an upgrade to 13 is planned!)

Looks like a recent, over the weekend, update to Firefox is now blocking access to my PBX via HTTPS, Windows and MAC’s… The error code returned is “Error code: SSL_ERROR_NO_CYPHER_OVERLAP” and my Google searches have not provided much on a fix other than to possibly remove some old ciphers from the Apache server.

Question: Which file should we edit to manually update SSL/TLS Ciphers in this version of FreePBX?

Here is what I get returned with an openssl query -

Server Temp Key: DH, 1024 bits

SSL handshake has read 2484 bytes and written 483 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES128-GCM-SHA256

NAMP scan shows this -
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
|_ least strength: A

And finally the /etc/httpd/conf.d/ssl.conf files contains this -

SYSADMIN - File auto-generated by Sysadmin

Any changes you make to this file will be overwritten.

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ServerName something.something.something:443
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

This is taken from https://cipherli.st, March 2015. We explicitly don’t support

older browser versions, so we explicitly don’t cater to their https requirements.

SSLCipherSuite AES128+EECDH:AES128+EDH
SSLCertificateFile /etc/httpd/pki/webserver.crt
SSLCertificateKeyFile /etc/httpd/pki/webserver.key
SSLCACertificateFile /etc/httpd/pki/selfsignedca.crt
SetEnvIf User-Agent ‘.MSIE.’ nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Thanks in advance for assisting an SSL/TLS noob!

2

cipherli.sh says:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

See if that fixes it?

3

Thanks Rob!

I believe you are saying to edit the ssl.conf which I can easily do however I was concerned with that this file is auto generated by sysadmin and the changes will not stick on a reload. Any thoughts on where I could add this cipher suite in the FreePBX GUI so the changes are persistent?

4

Not in FreePBX 12.

5

Thanks Andrew. After the change to the ssl.conf do I have to do a httpd reload to make it take effect?

6

Yes :slight_smile:

7

No go on adding this Cipher Suite and restarted httpd. Still shows the same error in FF. Anyone else running V12 out there having the same issue with connecting via HTTPS?

8

Also ran an nmap on 443 and it shows this with the new and original cipher suite…

PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd 2.2.15 ((CentOS))
|http-server-header: Apache/2.2.15 (CentOS)
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| least strength: A

9

You won’t be able to with apache 2.2 or distro 6 sorry

10

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.