VTS secure cipher suites configuration for TLS 1.2 & 1.3

1 Likes

Hi guys,

when you have to offer VTS over HTTPS, you have to define some configrations in configuration.json file.

BUT: there is a TLS padding oracle vulnerability in some cipher suites with ECDHE-RSA-AES256-SHA

Securiy Scan resulted: GOLDENDOODLE vulnerability found with ECDHE-RSA-AES256-SHA on TLSv1.2

So I've had to figure out, how to configure the value in "ciphers" besides "ALL" which is the only description in the onine help.

To get you out of trouble I share my knowledge with you, which works and is adaptable for future use.

"useSSL": true,
        "certificate": "PATH_TO_VALID_CERTIFICATE.pem",
        "privateKey": "PATH_TO_PRIVATE_KEY-FILE.key",
        "passphrase": "PRIVTAE_SECUREKEY",
        "ca": "vts.cer",
        "minVersion": "TLSv1.2",
        "maxVersion": "TLSv1.3",
        "ciphers": "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA",
        "requestClientCert": false

Labels:

Customer Stories
How To-Best Practice
Support Tip
Comment List
Anonymous
Related Discussions
Recommended