Customizing TLS and SSH Ciphers
CVP uses nginx to front and terminate all HTTPS connections. To support HTTPS, the server must be configured with a certificate. A selfsigned certificate is generated at first bootup.
Configuring Custom TLS Ciphers
Complete these steps to configure custom TLS ciphers.
Nginx, the web server software, uses TLS ciphersuites that are considered safe to use, but may not meet the security standards of certain organizations. It is possible to change the settings used by adding or changing ssl_ciphers in /etc/nginx/conf.d/cvpi-server.conf (pre 2021.2.0) or /etc/nginx/conf.d/servers/cvpi-server.conf (post 2021.2.0) under the server block.
Configuring Custom SSH Cipher
Complete these steps to configure custom SSH ciphers.
Note: Upgrading CVP removes custom SSH ciphers. You must reconfigure SSH ciphers
after the upgrade.
Strong KEX Algorithm
- Modify the file/etc/cvpi/sshd_config Below are all the ciphers and
key exchange methods that can be used on CVP. You can remove those methods
which the customer does not want,You can keep the following lines at the end
of the file /etc/cvpi/sshd_config
Ciphers 该邮件地址已受到反垃圾邮件插件保护。要显示它需要在浏览器中启用 JavaScript。,aes128-ctr,aes192-ctr,aes256-ctr,该邮件地址已受到反垃圾邮件插件保护。要显示它需要在浏览器中启用 JavaScript。,该邮件地址已受到反垃圾邮件插件保护。要显示它需要在浏览器中启用 JavaScript。 KexAlgorithms curve25519-sha256,该邮件地址已受到反垃圾邮件插件保护。要显示它需要在浏览器中启用 JavaScript。,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
- Save the file and validate the syntax of the file using the command sshd -t -f /etc/cvpi/sshd_config. After running this command, it should throw any error.
- Reload the sshd service by issuing systemctl reload sshd and after that verify whether the sshd service came up by checking the output of systemctl status sshd. Now the weak key exchange algorithms will have gone away.