Forum

Selecting SSL Ciphers to use

Steve
19 November 2018, 21:55
Hi,
How do i get Hiawatha to only use certain SSL ciphers,
these are the only 2 i want to use
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256

i added AllowedCiphers = ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256 to config file and it gives me an error!
Syntax error in hiawatha.conf on line 19.
Thanks
Hugo Leisink
22 November 2018, 16:07
That's not a valid configuration setting. Why change Hiawatha's SSL/TLS settings? There is nothing wrong with it. If you really, really want to change it, edit its source: src/tls.c.
Dave
26 November 2018, 09:55
Hi Hugo

Seems I need to do what Steve is asking for a config option for, as well.

On some older web clients, IE9 and older iPhones etc AES_128 GCM_SHA256 128bit works

On all the clients I normally use, and Hiawatha seems to serve, AES_256 GCM_SHA384 256bit is just fine. The older clients fail.

Unfortunately it's a flawed world out there. Do I really have to mess with source and recompile to do what's needed to service the older clients. Or have I missed something.

I'm very happy with Hiawatha, thanks for a great server, but could it be for this particular job I might have to go back to something else with these SSL config options.

Let's Encrypt test website - https://helloworld.letsencrypt.org/ - works with the older clients, but my Hiawatha served sites do not. The only difference I can find are the above encryption levels - otherwise, certificate details are identical.

Hopefully you can give me some insight on this.

Many thanks.

Dave
26 November 2018, 10:20
Incidentally, your site, and many others operated on Linux servers with security concious admins, has the same issue on the old clients:

IE9 on Vista says:

Could not connect to the secure web server
"www.hiawatha-webserver.org"
The host may be down, or may not support a secure connection.

Your site seems to offer the same higher encryption levels as mine and all the others, but helloworld.letsencrypt.org with the lower ones works just fine.
commandline.be
27 November 2018, 00:55
Been there before dave, recompiling hiawatha is not hard at all.

Question is, why on earth do you need to serve IE9 ? That browser is so old and full of bugs and security holes it was abandoned by Microsoft. Which should tell you something, since this is Microsoft.
Hugo Leisink
27 November 2018, 13:22
If you edit src/tls.c, you can add ciphers which can be found in mbedtls/include/mbedtls/ssl_ciphersuites.h. My advice, don't waste time on people using IE9. It's old, not secure and unsupported. Don't reward people who still use old crap by supporting that old crap.
Steve
1 December 2018, 23:38
Hi Hugo,

I was getting what Dave was getting on IE10 & IE11 a lot of people still use them browsers and was saying something about RC4?
Could not connect to the secure web server
"www.hiawatha-webserver.org"
The host may be down, or may not support a secure connection. also got it sometimes on newer browsers but if I clicked refresh it was fine, trouble is it looks bad to our visitors

Thanks
Steve
Steve
1 December 2018, 23:41
sorry didn't mean to include the forums url i meant our sites url
Dave
2 December 2018, 03:07
Thanks Hugo and commandline.be for your responses.

I agree fully with your sentinments about IE9 etc. The thing is, that even IE11, which is still fairly common due to Windows 7, still does not work for a range of common javascript features such as dynamic assignent of new properties to an object. I therefore test on IE9, then do the workarounds which mostly ensures IE10 and IE11 will work also.

Another reason for testing on Vista/IE9 is that I don't want to pay yet another M$ tax and reward them for creating crap and pushing it down my throat! It's getting a bit personal at this stage, me having already paid for all the alpha rubbish they call release, from 95a, c, d, 98, ME and Vista. And, I haven't used windows for anything since 1999; except creating workarounds for their crappy browsers that don't meet W3C standards. Anyone for a worldwide joint action against them for not fit for purpose products...

In the end I worked around the issue for testing by migrating my hiawatha container to my local machine, and running unencrypted just for local testing.

It still makes me feel uneasy that an unknown number of people can't view my websites - they don't know that they are the problem - that's why I think the letsencrypt test site approach of relaxing encryption strength, for now, is a good compromise.

Hugo, I think it would be well received if you could see your way clear to providing a legacy encryption strength config option.

Many thanks anyway. Hiawatha is great in every situation I've used it; from raspberry pi's to containerised and standard web servers. Always performs well, even on an absolute minimum of resources!
Dave
2 December 2018, 03:16
Steve I just noticed your response too.

I feel uneasy about looking bad to visitors with older software too. We all know that M$ is the real problem, but users in general just expect things to work, especially when they paid for their software that they generally have no idea is flawed.

It looks like this problem might be going away with Edge almost working properly. But it'll be a couple of years before I think we should sacrafice users with the older software. It's not their fault that M$ refuses to allow their latest browser to work in older versions of Windows!
Hugo Leisink
2 December 2018, 20:53
Forget RC4. It's old, weak and vulnerable. Personally, I don't think many people still use IE9. My guess is that most of the failed HTTPS connections are due to old crawler scripts. Just ignore it. Not your problem.
commandline.be
3 December 2018, 15:29
there are actually Microsoft VM available for download with just a suitable browser running in them :-)
Gordon
3 December 2018, 23:40
I run an outreach medical education site, and I am very interested in the maximum number of people from third world countries being able to visit my site. All considerations balanced, I moved my site completely encrypted and dropped old IExploder versions under the assumption that people who still use Vista and XP will have access to Chrome or Mozilla. I used to run an unencrypted front door that ran a browser check (actually a tls check... if < 1.2) and pushed older Exploders to install Chrome or Moz Firefox to visit the full site. Always an option...
Allowed BBcodes:
[quote]
[code]
[config]
[url]
[color]
[size]
[img]
[b]
[i]
[u]
[s]
[list]
[ul]
[ol]
[*]