Change SSL Ciphers and Disable TLS v1.0

egawrangler
New here
Posts: 4
Joined: Mon Nov 08, 2010 2:00 am

Change SSL Ciphers and Disable TLS v1.0

Post by egawrangler »

I have found several files which contain the information I am after:

/etc/apache-sys-proxy-ssl.conf
/etc/default_config/apache-ssl.conf
/etc/default_config/apache-sys-proxy-ssl.conf.tplt
/mnt/HDA_ROOT/.config/apache/extra/apache-ssl.conf

Specifically, I want to change the cipher suites used (here is the original):
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

And I also want to disable support for TLSv1.0 (here is the original):
SSLProtocol All -SSLv2 -SSLv3

I know what changes to make, but it seems after every file I edit, everything is reset upon reboot. I am only interested in the SSL configuration for the native web UI, not the standalone web server/vhosts. Does anyone know which file or script I need to modify such that the ciphers and SSL/TLS protocol selections persist upon reboot? Thanks!

PS: PM Wilson, please spare me the "why would you want to do this?!?!" remarks... I really just want to learn how to apply this change.
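As an added example (not code from the thread or from QNAP), this POSIX shell script applies the two edits the post describes to whichever copy of apache-ssl.conf you hand it: SSLProtocol loses TLSv1 and TLSv1.1, and SSLCipherSuite gets "!kRSA" appended, which removes every static-RSA key-exchange suite (the ones SSL Labs marks WEAK for lacking forward secrecy). It assumes Apache 2.4-style SSLProtocol keywords and an OpenSSL-style cipher string; which copy of the file survives a reboot on a given QTS build is exactly what the thread leaves open, so run it against the path you have confirmed persists.

```shell
#!/bin/sh
# Added example, not code from the thread or from QNAP: rewrite the two
# mod_ssl directives quoted in the original post in whichever copy of
# apache-ssl.conf is passed in. Assumes Apache 2.4 SSLProtocol keywords
# (-TLSv1 -TLSv1.1) and an OpenSSL-style cipher string, where "!kRSA"
# removes every suite that uses static RSA key exchange (no forward secrecy).

# In-place edit with POSIX sed (busybox and GNU alike; no GNU-only -i).
sed_inplace() {
    f="$1"; shift
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

harden_ssl_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"   # keep the original for a quick rollback
    # Protocol: keep "All" but subtract everything below TLS 1.2.
    sed_inplace "$conf" \
        -e 's/^\([[:space:]]*SSLProtocol\)[[:space:]].*$/\1 All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1/'
    # Ciphers: append !kRSA unless the line already excludes RSA key exchange,
    # so the function can be re-run safely after a firmware upgrade.
    grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]].*!kRSA' "$conf" || \
        sed_inplace "$conf" -e 's/^\([[:space:]]*SSLCipherSuite[[:space:]].*\)$/\1:!kRSA/'
    # Both directives must still be present, otherwise the edit missed.
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" && \
        grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf"
}

# Print the effective directives so the change can be checked before a restart.
show_ssl_directives() {
    grep -E '^[[:space:]]*SSL(Protocol|CipherSuite)[[:space:]]' "$1"
}

# Constructed sample (shortened) mirroring the two lines quoted in the thread.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!RC4:!MD5
SSLProtocol All -SSLv2 -SSLv3
EOF
harden_ssl_conf "$SAMPLE_CONF"
show_ssl_directives "$SAMPLE_CONF"
```

After editing, restart the web server (or reboot) and re-test from outside; if the old protocols come back, the copy you edited was regenerated, which is the persistence problem the thread is about.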
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: Change SSL Ciphers and Disable TLS v1.0

Post by pwilson »

egawrangler wrote: I have found several files which contain the information I am after: [...]
Under which Firmware version?

You still haven't figured out how to provide basic information, so you won't have to worry about my asking why you would want to do anything. You do ask really intelligent questions, it's a pity you don't provide enough information for anyone to be able to provide intelligent answers. You are asking a Firmware related question again. (You have made 2 posts to this Forum - both about Firmware, neither of which provide Firmware information).

We do actually want to help you, but we can't, simply because you choose not to provide basic information. I'll say it again.... Please review article: When you're asking a question, please include the following.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
egawrangler
New here
Posts: 4
Joined: Mon Nov 08, 2010 2:00 am

Re: Change SSL Ciphers and Disable TLS v1.0

Post by egawrangler »

WHAT??? WHAT!?! I posted here twice without providing firmware information!! Burn me at the stake! Hang me from a tree!

Please PM Wilson, please have mercy on my soul.

I have looked at so many posts on this forum where you provide advice/help/guidance, but always with a heavy dose of pedantic, arrogant, and rude retort. Pithy passive-aggressive replies woven into needlessly dramatic prose. Can this be spared just this once? Pretty please?

Firmware 4.1.3, 0313.
dls
New here
Posts: 8
Joined: Mon Jan 23, 2012 6:01 am

Re: Change SSL Ciphers and Disable TLS v1.0

Post by dls »

Has anyone had any success in disabling TLSv1.0 fully?
giopas
Been there, done that
Posts: 855
Joined: Thu Mar 26, 2015 12:36 am
Location: somewhere in EU

Re: Change SSL Ciphers and Disable TLS v1.0

Post by giopas »

I am not sure, but in order to prevent a change from being overwritten after a reboot, you may want to look at the following folder: /etc/default_config/ and more specifically at the .tplt files. But I have not tested it.
Qnap TS-253Pro 16Gb RAM - Single Storage Pool: 2 WRed 4TB (RAID 1)
Qnap TS-453A 16Gb RAM - Single Storage Pool: 4 WRed 4TB (RAID 5)
Maximilious
New here
Posts: 5
Joined: Sat Jul 15, 2017 2:44 am

Re: Change SSL Ciphers and Disable TLS v1.0

Post by Maximilious »

Apologies for the necro-bump, but with the industry standard deeming TLS 1.0 and 1.1 unfit for public facing sites, this is a bit of a concern now. I'm glad to know my TS-653B is able to receive an A grade on http://www.ssllabs.com, but it would be great to have a bit more control via locking down allowed TLS versions and cipher strengths if possible.

I personally haven't gone poking around the filesystem, but as of version 4.3.4.0516, is there a way to reliably disable antiquated TLS and insecure or weak cipher versions?

Here's my output from ssllabs.com:

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes

SSL 3 No
SSL 2 No
For TLS 1.3 tests, we currently support draft version 18.

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256