
How to disable 3DES-CBC ciphers

Posted: Sat Jul 15, 2017 3:23 pm
by afunix
Hi.
3DES ciphers are known to be vulnerable to SWEET32.
Is there any way to configure ciphers for Serviio?

The actual OpenSSL names of the vulnerable modes:
ECDHE-RSA-DES-CBC3-SHA (3DES-CBC w/ SHA1 and ECDH kx)
DES-CBC3-SHA (3DES-CBC w/ SHA1 and RSA kx)
EDH-RSA-DES-CBC3-SHA (3DES-CBC w/ SHA1 and DH kx)


More info on SWEET32:
https://sweet32.info/
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Re: How to disable 3DES-CBC ciphers

Posted: Sat Jul 22, 2017 4:04 pm
by afunix
OK, you'll need to add something like '-Djava.security.properties==/home/pc5dczcbl5yt/java.security' (note the double ==) to the Serviio JAVA_OPTS.
Then copy the default Java security file (jre/lib/security/java.security) and update some options.

I've updated:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, DESede, DH_RSA, CBC, SHA-1, SHA-224
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1, DH_RSA, CBC, SHA-1, SHA-224
jdk.tls.legacyAlgorithms=


Hope it helps somebody
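
To confirm that an override like the one in the post above took effect, the following added example (not part of the original post, and not Serviio code) lists what the JVM's default TLS context still enables and flags any remaining 3DES suite. The class name Check3Des and the /path/to/java.security placeholder are assumptions; run it with the same Java installation and the same -Djava.security.properties option that Serviio uses.

```java
// Run: java -Djava.security.properties==/path/to/java.security Check3Des
// (/path/to/java.security is a placeholder for your edited copy)
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class Check3Des {
    // JSSE names of the three OpenSSL suites listed in the first post.
    static final List<String> KNOWN = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",  // ECDHE-RSA-DES-CBC3-SHA
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",        // DES-CBC3-SHA
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");   // EDH-RSA-DES-CBC3-SHA

    // Return every suite that uses 3DES, whether or not it is in KNOWN.
    static List<String> tripleDes(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            if (KNOWN.contains(s) || s.contains("3DES")) {
                hits.add(s);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Shows whether the override file was actually picked up.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.tls.legacyAlgorithms   = "
            + Security.getProperty("jdk.tls.legacyAlgorithms"));

        // Protocols and suites a default TLS endpoint in this JVM would offer.
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("enabled protocols: " + Arrays.toString(p.getProtocols()));

        List<String> hits = tripleDes(p.getCipherSuites());
        if (hits.isEmpty()) {
            System.out.println("OK: no 3DES cipher suites enabled");
        } else {
            System.out.println("STILL ENABLED: " + hits);
        }
        // Non-zero exit status lets a deployment script fail on regression.
        System.exit(hits.isEmpty() ? 0 : 1);
    }
}
```

If the printed jdk.tls.disabledAlgorithms value is still the stock one, the override file was not loaded; check the path and that security.overridePropertiesFile is true in the master java.security.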

Re: How to disable 3DES-CBC ciphers

Posted: Sun Jul 23, 2017 11:22 am
by zip
awesome, thanks