I’m running Nmap against my Asterisk system and noticing that the built-in Mini-HTTP server has a weak cipher enabled (3DES). When I do the scan, there are 14 “Class A” ciphers and 1 “Class C” cipher (3DES) available.
In the FreePBX GUI, I was able to go in and disable TLS 1.0 and 1.1 (so thanks for that), but I can’t for the life of me figure out how to specify which ciphers I want.
I try to manually specify which ciphers I want by modifying ‘/etc/asterisk/http_custom’ and adding them onto there. But for some reason I can’t ever get more than 2 to work. So either my naming is wrong (probably), or it only supports 2 manually specified ciphers?
I’ve been trying for days to find a list of all of the ciphers that this Mini-HTTP server will support. I’ve been trying combinations of names for ciphers and no luck.
Was really hoping that someone on here might have that information handy, or know where it’s documented.
The text below is the output from my Nmap scan.
PORT     STATE SERVICE  VERSION
8089/tcp open  ssl/http Asterisk 18.17.1
|_http-server-header: Asterisk/18.17.1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
Thanks.
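
An added example, not part of the original post: a Python check that parses `ssl-enum-ciphers` output like the scan above and reports every suite graded below A or using a 64-bit block cipher, so the same scan can be re-checked after each configuration change. The function names and the shortened sample input are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the scan output in the post above.
SAMPLE = """\
8089/tcp open ssl/http Asterisk 18.17.1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
"""

# Both patterns tolerate pasted output that has lost its indentation.
PROTO = re.compile(r"^\|[\s_]*((?:TLS|SSL)v[\d.]+):\s*$")
SUITE = re.compile(r"^\|[\s_]*(TLS_\w+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
# Name fragments of ciphers with a 64-bit block size (the SWEET32 warning).
BLOCK64 = ("3DES", "_DES_", "IDEA", "RC2")

def parse_ciphers(text):
    """Return [(protocol, suite, key_info, grade)] from ssl-enum-ciphers output."""
    rows, proto = [], None
    for line in text.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE.match(line)
        if m and proto:
            rows.append((proto, m.group(1), m.group(2), m.group(3)))
    return rows

def findings(rows, min_grade="A"):
    """Map each (protocol, suite) that needs attention to its list of reasons."""
    out = {}
    for proto, suite, _key_info, grade in rows:
        reasons = []
        if grade > min_grade:  # Nmap grades are letters; later letters are weaker
            reasons.append(f"grade {grade}")
        if any(tag in suite for tag in BLOCK64):
            reasons.append("64-bit block cipher")
        if reasons:
            out[(proto, suite)] = reasons
    return out

if __name__ == "__main__":
    for (proto, suite), why in findings(parse_ciphers(SAMPLE)).items():
        print(f"{proto} {suite}: {', '.join(why)}")
```

An empty result from `findings()` means no remaining suite in the scan is graded below A or uses a 64-bit block cipher.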