This repository has been archived by the owner on Nov 18, 2022. It is now read-only.

Disable weak crypto for the webserver #295

Closed
m4rg4sh opened this issue Oct 18, 2016 · 2 comments
Comments

m4rg4sh commented Oct 18, 2016

If you enable the secure port for the web GUI, the default crypto settings are outdated and insecure.
This SSL/TLS test gives the server the grade F.

Please disable SSLv3, RC4, DES, and maybe even 3DES. All modern browsers will still be able to connect but the security will be massively improved.

Alternatively, an option to configure these settings from the GUI would be welcome.

hugbug (Member) commented Oct 18, 2016

I think all modern browsers already negotiate secure ciphers and protocols. Disabling less secure ones will not change a thing for them, but it may bring trouble when connecting from older devices.

m4rg4sh (Author) commented Oct 18, 2016

An attacker can manipulate the handshake and force a downgrade to SSLv3 (POODLE).
This is why it should at least be possible to manually disable SSLv3 in the settings.
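The hardening the thread asks for (no SSLv3, no RC4/DES/3DES), shown as an added example that is not this project's code: a Python `ssl` server context that refuses anything below TLS 1.2 and offers only forward-secret AEAD suites, plus a small audit helper. The weak-cipher marker list and the OpenSSL cipher string are my choices; the sample cipher names in `demo()` are constructed.

```python
"""Hardened TLS server context and an audit helper (added example)."""
import ssl

# Substrings that identify cipher suites a web server should never offer.
# "DES" also matches the 3DES suites (e.g. DES-CBC3-SHA).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def weak_ciphers(names):
    """Return the cipher-suite names that use a weak primitive."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def make_hardened_context(certfile=None, keyfile=None):
    """Server context: TLS 1.2+ only, ECDHE + AES-GCM/ChaCha20 suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Setting the floor to TLS 1.2 rules out SSLv3 (POODLE) and TLS 1.0/1.1,
    # so a downgrade-to-SSLv3 attempt simply fails the handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Explicitly exclude the legacy families; the positive part of the list
    # already leaves them out, the negations document the intent.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES:!3DES")
    if certfile:  # optional: a real server would load its certificate here
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Summarise what a context would still negotiate (protocol floor, ciphers)."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "pre_tls12_allowed": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
        "weak": weak_ciphers(offered),
        "offered": offered,
    }


def demo():
    """Classify a constructed cipher list and audit the hardened context."""
    legacy = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]
    print("weak in legacy list:", weak_ciphers(legacy))
    report = audit_context(make_hardened_context())
    print("hardened context:", report["min_version"], "weak:", report["weak"])
    return report


if __name__ == "__main__":
    demo()
```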
