I want to remove this highlighted (bold) tls encryption(How do I disable MEDIUM and WEAK/LOW strength ciphers)

akshay · April 5, 2023, 10:05am

I want to remove following highlighted TLS which is mentioned as F

Nmap scan report for 192.168.6.1
Host is up (0.0010s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http lighttpd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
     ( **TLS_DH_anon_WITH_AES_256_GCM_SHA384 (dh 1024) - F**)remove
** TLS_DH_anon_WITH_AES_256_CBC_SHA256 (dh 1024) - F**)remove
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|

(TLS_DH_anon_WITH_AES_128_GCM_SHA256 (dh 1024) - F
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 (dh 1024) - F )//remove

|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
*|    (   TLS_RSA_WITH_NULL_SHA256 (rsa 2048) - F*)remove
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Anonymous key exchange, score capped at F
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: F

flygarn12 · April 5, 2023, 10:54am

What have you actually scanned with nmap to begin with to get this result?

And is this a OpenWrt device?
And what version of OpenWrt?

akshay · April 5, 2023, 11:01am

OpenWrt SNAPSHOT r0-7160559

Wallbanger · April 5, 2023, 6:58pm

This is done with https://www.oreilly.com/library/view/web-penetration-testing/9781788623377/20de9f00-5660-48d2-be7c-8d2f3de4a840.xhtml

HTH

flygarn12 · April 5, 2023, 11:05pm

But that test doesn’t go higher than tls1.2 and that is an old disaster for the chipersuits that shouldn’t be used.

You need tls1.3 where all those old crap chiphersuits is thrown out in the garbage.

neheb · April 6, 2023, 2:08pm

I'm guessing this is luci-ssl. Which backend? OpenSSL , wolfSSL, or mbedTLS.

lleachii · April 6, 2023, 2:18pm

Are you sure that is accurate?

???

gstrauss · May 3, 2023, 6:08am

Please update your openwrt to latest, including the latest version of lighttpd.
Modern versions of lighttpd default to TLSv1.2 and later, and default to a strong set of ciphersuites, unless your configuration overrides the configuration. Review your lighttpd config in /etc/lighttpd/lighttpd.conf and in /etc/lighttpd/conf.d/*.conf, and comment out ssl.cipher-list to get the default, strong ciphersuite configuration.