Asterisk MiniHTTP server TLS Ciphers

I’m running Nmap against my Asterisk system and noticing that the built-in Mini-HTTP server has a weak cipher enabled (3DES). When I do the scan, there are 14 “Class A” ciphers and 1 “Class C” cipher (3DES) available.

In the FreePBX GUI, I was able to go in and disable TLS 1.0 and 1.1 (so thanks for that), but I can’t for the life of me figure out how to specify which ciphers I want.

I tried to manually specify which ciphers I want by modifying ‘/etc/asterisk/http_custom’ and adding them there, but for some reason I can’t ever get more than 2 to work. So either my naming is wrong (probably), or it only supports 2 manually specified ciphers?

I’ve been trying for days to find a list of all of the ciphers that this Mini-HTTP server will support. I’ve been trying combinations of names for ciphers and no luck.

Was really hoping that someone on here might have that information handy, or know where it’s documented.

The text below is the output from my Nmap scan.

PORT     STATE SERVICE  VERSION
8089/tcp open  ssl/http Asterisk 18.17.1
|_http-server-header: Asterisk/18.17.1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack

Thanks.

The cipher list uses OpenSSL naming for things; in fact the string is just given to OpenSSL as-is. Asterisk has no idea of the cipher naming. The default is in the sample config file[1]. You can prune that.

[1] asterisk/http.conf.sample at master · asterisk/asterisk · GitHub
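Since the string goes to OpenSSL unchanged, you can check a candidate cipher string before putting it in the config by handing the same string to OpenSSL through Python's ssl module. This is an added example, not code from the thread or from Asterisk; the two cipher strings are constructed, and it assumes the value ends up behind the tlscipher option of http.conf (option name taken from the Asterisk sample config, not from this thread).

```python
import ssl

# OpenSSL cipher string in the style of the sample config: start from
# DEFAULT and prune what the nmap scan flagged (3DES / SWEET32), plus the
# usual anonymous and null suites. Constructed example value.
PRUNED_SPEC = "DEFAULT:!3DES:!DES:!RC4:!aNULL:!eNULL"

# An explicit allow-list must use OpenSSL names, not the IANA
# TLS_..._WITH_... names that nmap prints. Constructed example value.
EXPLICIT_SPEC = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"


def resolve_ciphers(spec):
    """Return the TLS 1.2-and-below cipher names OpenSSL selects for spec,
    in server preference order.

    Raises ssl.SSLError when OpenSSL cannot match a single cipher, which is
    the failure mode for names OpenSSL does not understand.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # same pass-through OpenSSL gets from Asterisk
    # TLS 1.3 suites are configured separately and are untouched by
    # set_ciphers, so leave them out of the comparison with the scan.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def uses_3des(spec):
    """True if any cipher selected by spec is a DES/3DES suite."""
    return any("DES" in name for name in resolve_ciphers(spec))


if __name__ == "__main__":
    for spec in (PRUNED_SPEC, EXPLICIT_SPEC):
        names = resolve_ciphers(spec)
        print(f"{spec}\n  -> {len(names)} ciphers, 3DES present: {uses_3des(spec)}")
        for name in names:
            print("     " + name)
```

Re-running the ssl-enum-ciphers scan after reloading Asterisk is still the authoritative check, since it shows what the running server actually negotiates.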
