
Problems setting --ssl-cipherlist on whttpd server

Added by José Luis Rey over 6 years ago

Hello,

I'm trying to disable TLSv1.0 and TLSv1.1 as recommended; right now I'm just trying to set the cipherlist as shown in the documentation, using:

---ssl-cipherlist='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

Or

---ssl-cipherlist="TLSv1+HIGH:!SSLv2"

Any attempt to set ssl-cipherlist ends in:

Error: failed to select ciphers for cipher list "TLSv1+HIGH:!SSLv2"

Start parameters:

starting parameter _argv[0] = m:\ChronoScan\Release\Chrono_wci.exe

starting parameter _argv[1] = ---customdir:C:\ProgramData\ChronoScan.W2012WEBCLOUD

starting parameter _argv[2] = ---https-address=0.0.0.0

starting parameter _argv[3] = ---https-port=443

starting parameter _argv[4] = ---ssl-certificate=.\SSL\ssl2\server.pem

starting parameter _argv[5] = ---ssl-private-key=.\SSL\ssl2\server.key

starting parameter _argv[6] = ---ssl-tmp-dh=.\SSL\ssl2\dh2048.pem

starting parameter _argv[7] = ---http-address=0.0.0.0

starting parameter _argv[8] = ---deploy-path=/

starting parameter _argv[9] = ---http-port=10000

starting parameter _argv[10] = ---docroot=m:\ChronoScan\Release

starting parameter _argv[11] = ---config=m:\ChronoScan\Release\wt_config.xml

starting parameter _argv[12] = ---ssl-cipherlist="TLSv1+HIGH:!SSLv2"

Starting WServer

INFO: Opened log file (c:\witty\release_web.log).

STARTING ON CUSTOM DIRECTORY: C:\ProgramData\ChronoScan.W2012WEBCLOUD

Error: failed to select ciphers for cipher list "TLSv1+HIGH:!SSLv2"

Any idea?

KR

J.Rey


Replies (2)

RE: Problems setting --ssl-cipherlist on whttpd server - Added by Wim Dumon over 6 years ago

Hello Jose,

We pass the cipher suite straight to the OpenSSL function SSL_CTX_set_cipher_list(), so OpenSSL refuses it. Possibly, the double quotes around the cipher list are the problem. Can you remove them?

Best regards,

Wim.

RE: Problems setting --ssl-cipherlist on whttpd server - Added by José Luis Rey over 6 years ago

Hello Wim,

Yes, removing the quotes works.

I suggest removing them from the documentation:

https://www.webtoolkit.eu/wt/doc/reference/html/InstallationWindows.html

---ssl-cipherlist arg ....

Example cipher list string:

"TLSv1+HIGH:!SSLv2"

Best regards

J.Rey
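As an added example (not code from this thread, from Wt, or from the whttpd server), here is a small Python check that reproduces the failure Wim describes. Python's SSLContext.set_ciphers() is a thin wrapper around the same OpenSSL call, SSL_CTX_set_cipher_list(), so it gives the same verdict on the two strings from the posts above: the documented string with its quotes kept as part of the value is rejected, the same string without the quotes is accepted. The function names are my own. The example also shows the caveat behind the original goal: a cipher list only restricts which suites are offered, it does not disable TLS 1.0/1.1; the protocol floor is a separate setting (minimum_version in Python's ssl module), so both have to be configured.

```python
import ssl

# Cipher string exactly as the documentation shows it, with the quotes
# kept as part of the value (this is what the server logged above).
QUOTED = '"TLSv1+HIGH:!SSLv2"'
# The same string with the quotes stripped, as Wim suggested.
UNQUOTED = "TLSv1+HIGH:!SSLv2"


def cipher_list_accepted(cipher_string):
    """Return True if OpenSSL accepts cipher_string as a cipher list.

    SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), the same
    function the server passes the option to, so a string rejected here
    is rejected by the server too.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL's rule parser reads the string word by word; a leading
        # '"' is neither a cipher name, an alias, a separator nor an
        # operator, so the whole list is reported as invalid.
        return False
    return True


def selected_cipher_names(cipher_string):
    """Names of the TLS 1.2-and-below suites the string actually selects.

    Raises ssl.SSLError for a string OpenSSL rejects. TLS 1.3 suites are
    configured separately in OpenSSL and are filtered out here so the
    list reflects only what the cipher string chose.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def build_server_context(cipher_string):
    """Cipher list plus an explicit protocol floor.

    'TLSv1+HIGH' narrows the suites that are offered, but a client may
    still negotiate one of them over TLS 1.0. Disabling TLS 1.0/1.1 is
    a separate setting, shown here with the minimum_version attribute.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def protocol_floor_name(cipher_string):
    """Name of the lowest protocol version the built context will accept."""
    return build_server_context(cipher_string).minimum_version.name


if __name__ == "__main__":
    for s in (QUOTED, UNQUOTED):
        print(f"{s!r:24} accepted={cipher_list_accepted(s)}")
    print("suites selected by the unquoted string:")
    for name in selected_cipher_names(UNQUOTED):
        print("  ", name)
    print("protocol floor:", protocol_floor_name(UNQUOTED))
```

Running it prints accepted=False for the quoted string and accepted=True for the unquoted one, followed by the suites the unquoted string selects; the exact suite names depend on the OpenSSL build in use. The same split applies to any server that hands the option value to SSL_CTX_set_cipher_list() unchanged: shell quoting is stripped by the shell, but quotes typed into a config file or a Windows service command line reach OpenSSL verbatim and fail parsing.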
