
Tutorial: Harden the Web Server Cipher Suite String

Abstract

Increase Access Server security by hardening the web server cipher suite string. Here's how.

Overview

HTTPS-protected web services must define which encryption ciphers they support. This is a balance of security versus compatibility. The strongest security makes the web interface inaccessible on older platforms. We try to choose a default Access Server setting that supports current operating systems and browsers. You can adjust the cipher suite string for your needs.

Important

This is Access Server's default cipher suite string:

DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA

  1. Connect to your console and get root privileges.

  2. Run the following sacli command to show the current setting:

    sacli ConfigQuery | grep -i "cs.openssl_ciphersuites"

    • If nothing shows, the default above applies; otherwise the output displays the cipher suite string you've set.

    • Run the following sacli commands to set a custom string (using your preferred cipher suite string values in place of ours):

    sacli --key "cs.openssl_ciphersuites" --value 'DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA' ConfigPut
    sacli start

Tip

Ensure you use single quotes instead of double quotes around the cipher suite string. In an interactive shell, the exclamation marks inside double quotes can trigger history expansion and corrupt the value; single quotes pass the string through unchanged.

If you've set the cipher suite string using the commands above, you can delete the configuration key to restore it to the default settings.

  • Run the following sacli commands to delete the configuration key and reset to the default cipher suite string setting:

    sacli --key "cs.openssl_ciphersuites" ConfigDel
    sacli start
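Before committing a custom string with ConfigPut, it helps to see what it actually expands to and to confirm that the exclusions (!kRSA, !DSS, !PSK, !SRP, !LOW, !MEDIUM) really removed what they were meant to. The following is an added example, not part of the Access Server documentation or the sacli tool: it uses Python's standard ssl module to expand a cipher suite string with the OpenSSL library linked into the local Python build and flags any remaining suite that the tutorial's default is designed to exclude. The function names expand_cipher_string and audit_cipher_string are assumptions of this example, and because the OpenSSL on your workstation may differ from the one bundled with Access Server, treat the result as a sanity check rather than a statement of what the server will negotiate.

```python
import ssl

# Access Server's default cipher suite string, copied from the tutorial above.
ACCESS_SERVER_DEFAULT = "DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"

# Key-exchange labels that ssl.SSLContext.get_ciphers() reports for PSK/SRP suites.
PSK_OR_SRP_KEA = {"kx-psk", "kx-rsa-psk", "kx-ecdhe-psk", "kx-dhe-psk", "kx-srp"}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher suite string with the local OpenSSL (hypothetical
    helper name). Returns the list of dicts produced by SSLContext.get_ciphers(),
    one per enabled suite, with keys such as 'name', 'protocol', 'kea' (key
    exchange), 'auth' and 'strength_bits'. set_ciphers() raises ssl.SSLError when
    the string selects no suite at all, which is the same failure a web service
    would hit with a broken string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string, min_bits=128):
    """Return (suite name, reason) pairs for suites the tutorial's string is meant
    to exclude: static RSA key exchange (!kRSA, no forward secrecy), PSK/SRP
    (!PSK:!SRP), DSS authentication (!DSS) and anything below min_bits of
    symmetric strength (!LOW:!MEDIUM). An empty list means the string holds up
    on this OpenSSL. TLS 1.3 suites report 'kx-any'/'auth-any' and are
    never flagged for key exchange, which is correct: they are always ephemeral."""
    findings = []
    for suite in expand_cipher_string(cipher_string):
        name = suite["name"]
        kea = suite.get("kea")
        auth = suite.get("auth")
        bits = suite.get("strength_bits", 0)
        if kea == "kx-rsa":
            findings.append((name, "static RSA key exchange (no forward secrecy)"))
        if kea in PSK_OR_SRP_KEA:
            findings.append((name, "pre-shared key or SRP key exchange"))
        if auth == "auth-dss":
            findings.append((name, "DSS authentication"))
        if bits < min_bits:
            findings.append((name, f"only {bits}-bit encryption"))
    return findings


if __name__ == "__main__":
    # Compare the tutorial's hardened string against OpenSSL's bare DEFAULT so the
    # effect of each exclusion is visible.
    for label, candidate in (("Access Server default", ACCESS_SERVER_DEFAULT),
                             ("bare OpenSSL DEFAULT", "DEFAULT")):
        suites = expand_cipher_string(candidate)
        problems = audit_cipher_string(candidate)
        print(f"{label}: {len(suites)} suites enabled, {len(problems)} findings")
        for suite in suites:
            print(f"  {suite['protocol']:<7} {suite['name']:<32} {suite['kea']:<14} "
                  f"{suite['auth']:<12} {suite['strength_bits']} bits")
        for name, reason in problems:
            print(f"  FINDING {name}: {reason}")
```

Run it before and after editing the string; a non-empty findings list for your candidate string means an exclusion is missing or misspelled. Because the tool exits with an ssl.SSLError when the string selects nothing, it also catches the case where a typo would leave the web service with no usable cipher suites.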

In Access Server 3.0 and newer, cluster communication uses the same web service port (TCP 943) as the Admin and Client Web UIs. It shares the same TLS cipher suite configuration you've already defined in Step 2.

Important

Starting with Access Server 3.0.0:

  • The ssl_api interface (TCP 945) is no longer used.

  • Cluster communication now shares the web service port TCP 943, and uses the same cipher suite settings.

  • The configuration key ssl_api.openssl_ciphersuites has no effect and is ignored.

Additionally, cluster-related sacli commands now require an admin user to authenticate:

  • If your setup doesn't include an openvpn user with admin rights, you must specify a valid admin account when running cluster commands:

    ./sacli --auth_token_user=your_admin_user1 ClusterNodesStatus2

    1. Ensure the user you specify has administrative rights in Access Server.

    2. Without including a valid admin account, you'll see an error such as: ERROR: Cannot make API call without auth token...

If you've set the cluster cipher suite string separately (the ssl_api.openssl_ciphersuites key, which releases before 3.0.0 used for the ssl_api interface), you can delete the configuration key to restore it to the default settings.

  • Run the following sacli commands to delete the configuration key:

    sacli --key "ssl_api.openssl_ciphersuites" ConfigDel