I want to remove this highlighted (bold) TLS encryption (How do I disable MEDIUM and WEAK/LOW strength ciphers)

I want to remove the following highlighted TLS which is mentioned as F

Nmap scan report for
Host is up (0.0010s latency).

443/tcp open  ssl/http lighttpd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       **TLS_DH_anon_WITH_AES_256_GCM_SHA384 (dh 1024) - F** (remove)
|       **TLS_DH_anon_WITH_AES_256_CBC_SHA256 (dh 1024) - F** (remove)
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       **TLS_DH_anon_WITH_AES_128_GCM_SHA256 (dh 1024) - F** (remove)
|       **TLS_DH_anon_WITH_AES_128_CBC_SHA256 (dh 1024) - F** (remove)
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       **TLS_RSA_WITH_NULL_SHA256 (rsa 2048) - F** (remove)
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Anonymous key exchange, score capped at F
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: F

What have you actually scanned with nmap to begin with to get this result?

And is this an OpenWrt device?
And what version of OpenWrt?

OpenWrt SNAPSHOT r0-7160559


This is done with https://www.oreilly.com/library/view/web-penetration-testing/9781788623377/20de9f00-5660-48d2-be7c-8d2f3de4a840.xhtml


But that test doesn’t go higher than TLS 1.2, and that is an old disaster for the ciphersuites that shouldn’t be used.

You need TLS 1.3, where all those old crap ciphersuites are thrown out in the garbage.

I'm guessing this is luci-ssl. Which backend: OpenSSL, wolfSSL, or mbedTLS?


Are you sure that is accurate?



Please update your OpenWrt to the latest, including the latest version of lighttpd.
Modern versions of lighttpd default to TLSv1.2 and later, and default to a strong set of ciphersuites, unless your configuration overrides the configuration. Review your lighttpd config in /etc/lighttpd/lighttpd.conf and in /etc/lighttpd/conf.d/*.conf, and comment out ssl.cipher-list to get the default, strong ciphersuite configuration.

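The config review suggested in the last reply, plus a re-check of an nmap ssl-enum-ciphers report, written as a shell script. This is an added example and not part of the thread; the sample config tree, the file name 30-ssl.conf, the cipher-list values and the report excerpt are constructed for illustration.

```shell
# Added example (not from the thread). Works in busybox ash and bash.
# Print "file:line:text" for each ssl.cipher-list directive that is not
# commented out. $1 = config directory (default /etc/lighttpd, as in the reply).
active_cipher_overrides() {
    conf_dir="${1:-/etc/lighttpd}"
    for f in "$conf_dir"/lighttpd.conf "$conf_dir"/conf.d/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            { code = $0; sub(/#.*$/, "", code) }   # ignore comment text
            code ~ /ssl\.cipher-list/ { print file ":" NR ":" $0 }
        ' "$f"
    done
}

# Read an nmap report on stdin; print "protocol suite grade" for suites graded below A.
non_a_ciphers() {
    awk '
        { sub(/^[|_ \t]+/, "") }                   # strip nmap tree prefix
        /^(SSLv|TLSv)[0-9.]+:$/ { proto = $1; sub(/:$/, "", proto); next }
        / - [A-F]$/ && $NF != "A" { print proto, $1, $NF }
    '
}

# Constructed sample config tree: one commented and one active override.
make_sample_conf() {
    d=$(mktemp -d) && mkdir "$d/conf.d" || return 1
    printf '%s\n' 'server.port = 443' '#ssl.cipher-list = "HIGH"' > "$d/lighttpd.conf"
    printf '%s\n' 'ssl.engine = "enable"' 'ssl.cipher-list = "ALL:eNULL"' > "$d/conf.d/30-ssl.conf"
    echo "$d"
}

# Constructed report excerpt in the format shown in the first post.
sample_report() {
    cat <<'EOF'
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 (dh 1024) - F
|       TLS_RSA_WITH_NULL_SHA256 (rsa 2048) - F
|     warnings:
|       Anonymous key exchange, score capped at F
|_  least strength: F
EOF
}

conf=$(make_sample_conf)
active_cipher_overrides "$conf"    # lists only the active line in conf.d/30-ssl.conf
sample_report | non_a_ciphers      # lists the two F-graded suites
rm -rf "$conf"
```

On the device, run `active_cipher_overrides` with no argument to check /etc/lighttpd, and pipe a fresh scan into `non_a_ciphers` after restarting lighttpd; empty output from both means no override is active and no suite is graded below A.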