
[ENHANCEMENTS] Ability to Disable Weak Ciphers in ACME Registration Menu

Open wreid23 opened this issue 1 year ago • 6 comments

Is your feature request related to a problem? Please describe. Would like the ability to disable Weak Ciphers via GUI if possible.

Describe the solution you'd like Show the Ciphers Used in Registration or After Registration and allow us to disable the Weak ones and/or remove them, as some of the other reverse proxies have already done. (Caddy, for example)

Specifically:

```
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 112
```


Describe alternatives you've considered Option A: hard removal by you (which is probably something worth considering, as it's already pretty good out of the box, but this can get a lot of people to A+ SSL Security on SSLLabs without thinking about it and button up a common attack vector)

Option B: Some way to disable on registration in advanced menu:

Show list of the ciphers in GUI: https://caddyserver.com/docs/caddyfile/directives/tls https://caddyserver.com/docs/caddyfile/directives/tls#ciphers

Option C: Using Existing ACME Registration submenu:
Ciphers that will be used are shown, or we can type a list of accepted ciphers, like an advanced header, in a text box https://caddyserver.com/docs/caddyfile/directives/tls#ciphers


wreid23, Nov 06 '24 05:11

@yeungalan I have no idea what that is, as I am not an expert in networking. I will let you handle that :D

tobychui, Nov 06 '24 13:11

Is there any progress in this enhancement? Would like to know how to disable it manually.

xXValiXx, Feb 04 '25 12:02

@xXValiXx No, this is already out of my expertise. This enhancement request will be left here until someone contributes some code to make it work.

tobychui, Feb 04 '25 12:02

> Is there any progress in this enhancement? Would like to know how to disable it manually.

In src/mod/dynamicproxy/dynamicproxy.go line 84 you can replace

```go
config := &tls.Config{
	GetCertificate: router.Option.TlsManager.GetCert,
	MinVersion:     uint16(minVersion),
}
```


with

```go
// Load Custom Ciphers (taken from Mozilla generator intermediate profile)
var tlsCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // Only works when setting CurvePreferences
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}
config := &tls.Config{
	GetCertificate: router.Option.TlsManager.GetCert,
	CipherSuites:   tlsCipherSuites,
	MinVersion:     uint16(minVersion),
	// Optional for Windows 7 and 8.1 support.
	// Key-exchange groups only: tls.Ed25519 is a SignatureScheme, not a CurveID.
	CurvePreferences: []tls.CurveID{
		tls.X25519,
		tls.CurveP384,
	},
}
```

then build and deploy. Tested this with NextCloud, Jellyfin and docker services and so far no problems. Qualys SSL Labs and OpenVAS show the Cipher Suite has been updated, but I have no experience with Go and do not know much of Zoraxy's programming.

TomOdellSheetMusic, Apr 30 '25 16:04

@TomOdellSheetMusic Thanks for the snippet!

I am not an expert in crypto stuff, but if my assumption is correct, I just need to make a checkbox in the UI and allow the user to optionally add that into the tls.Config, then this issue will be resolved, right?

What might be the potential issues if I just copy the tlsCipherSuites you provided instead of, let's say, allowing the user to pick which one they want?

tobychui, May 01 '25 01:05

Hey, thank you for the reply!

The issue of the weak ciphers being offered to clients would be resolved. The cipher suites I provided will remove compatibility with Windows 7, 8, 8.1 and Safari 6, 7, 8 and perhaps a few more obscure devices. It is possible to support older Windows devices without adding a weak cipher, but it involves setting curve preferences in the tls.Config to support the ECDSA ciphers I stupidly included (updated my previous comment). These ciphers also will not provide a 100% on key exchange or Cipher Strength on ssllabs, it's just what's recommended by Mozilla. If users could pick their own cipher suites that would be awesome, but they could make Zoraxy unavailable by removing an HTTP/2 required cipher suite, which needs at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

Hope this was helpful and thank you for the awesome work!

TomOdellSheetMusic, May 01 '25 14:05
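
An added example, not part of the thread or of Zoraxy's code: one way a user-editable cipher list could be validated before it reaches `tls.Config.CipherSuites`, rejecting the CBC/3DES suites from the issue and refusing a list that drops both HTTP/2 suites named above. `ValidateCipherSuites` and `http2Required` are hypothetical names, and input names are assumed to follow Go's own naming as returned by `tls.CipherSuites()`.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"slices"
	"strings"
)

// Per the thread, HTTP/2 needs at least one of these two suites.
var http2Required = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
}

// ValidateCipherSuites is a hypothetical helper (not Zoraxy code). It maps
// user-supplied suite names to IDs usable as tls.Config.CipherSuites.
func ValidateCipherSuites(names []string) ([]uint16, error) {
	known := map[string]*tls.CipherSuite{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		known[s.Name] = s
	}
	var ids []uint16
	h2 := false
	for _, raw := range names {
		name := strings.TrimSpace(raw)
		s, ok := known[name]
		switch {
		case !ok:
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		case s.Insecure || strings.Contains(name, "_CBC_"):
			// Insecure is Go's own marking; the name check also catches CBC suites scanners report as WEAK.
			return nil, fmt.Errorf("weak cipher suite %q", name)
		case !slices.Contains(s.SupportedVersions, uint16(tls.VersionTLS12)):
			// Config.CipherSuites only governs TLS 1.0-1.2; Go's TLS 1.3 suites are not configurable.
			return nil, fmt.Errorf("%q is a TLS 1.3 suite and cannot be configured", name)
		}
		ids = append(ids, s.ID)
		h2 = h2 || slices.Contains(http2Required, s.ID)
	}
	if !h2 {
		return nil, fmt.Errorf("list must keep at least one HTTP/2 required suite")
	}
	return ids, nil
}

func main() {
	// Constructed sample input: one AEAD suite plus a CBC suite from the issue.
	fmt.Println(ValidateCipherSuites([]string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}))
}
```

The returned slice can be assigned to `CipherSuites` in the `tls.Config` shown earlier in the thread; on error the previous list should stay in effect.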