Problems setting --ssl-cipherlist on whttpd server
Added by José Luis Rey over 6 years ago
Hello,
I'm trying to disable TLSv1.0, TLSv1.1 as recomended, right now I'm just trying to set the cipherlist as show in the documentation using:
---ssl-cipherlist='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:[](aNULL:)eNULL:[](EXPORT:)DES:[](RC4:)MD5:[](PSK:)aECDH:[](EDH-DSS-DES-CBC3-SHA:)EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
Or
---ssl-cipherlist="TLSv1+HIGH:!SSLv2"
Any attempt to set ssl-cipher list ends in:
Error: failed to select ciphers for cipher list "TLSv1+HIGH:!SSLv2"
Start parameters:
starting parameter _argv[0] = m:\ChronoScan\Release\Chrono_wci.exe
starting parameter _argv[1] = ---customdir:C:\ProgramData\ChronoScan.W2012WEBCLOUD
starting parameter _argv[2] = ---https-address=0.0.0.0
starting parameter _argv[3] = ---https-port=443
starting parameter _argv[4] = ---ssl-certificate=.\SSL\ssl2\server.pem
starting parameter _argv[5] = ---ssl-private-key=.\SSL\ssl2\server.key
starting parameter _argv[6] = ---ssl-tmp-dh=.\SSL\ssl2\dh2048.pem
starting parameter _argv[7] = ---http-address=0.0.0.0
starting parameter _argv[8] = ---deploy-path=/
starting parameter _argv[9] = ---http-port=10000
starting parameter _argv[10] = ---docroot=m:\ChronoScan\Release
starting parameter _argv[11] = ---config=m:\ChronoScan\Release\wt_config.xml
starting parameter _argv[12] = ---ssl-cipherlist="TLSv1+HIGH:!SSLv2"
Starting WServer
INFO: Opened log file (c:\witty\release_web.log).
STARTING ON CUSTOM DIRECTORY: C:\ProgramData\ChronoScan.W2012WEBCLOUD
Error: failed to select ciphers for cipher list "TLSv1+HIGH:!SSLv2"
Any idea?
KR
J.Rey
Replies (2)
RE: Problems setting --ssl-cipherlist on whttpd server - Added by Wim Dumon over 6 years ago
Hello Jose,
We pass the cypher suite straight to the OpenSSL function SSL_CTX_set_cipher_list(), so openssl refuses it. Possibly, the double quotes around the cypherlist are the problem. Can you remove them?
Best regards,
Wim.
RE: Problems setting --ssl-cipherlist on whttpd server - Added by José Luis Rey over 6 years ago
Hello Wim,
Yes, removing the quotes works.
I suggest to remove them from the documentation:
https://www.webtoolkit.eu/wt/doc/reference/html/InstallationWindows.html
---ssl-cipherlist arg ....
Example cipher list string:
"TLSv1+HIGH:!SSLv2"
Best regards
J.Rey