First, while not a direct answer to your question, note that I recently augmented Yaws with a new SSL config setting, `protocol_version`, which allows you to take SSLv3 out completely. This is on Yaws master at github. To use it, you set the `protocol_version` config variable in an `ssl` config block, like this:

<ssl>
protocol_version = tlsv1.2, tlsv1.1, tlsv1
</ssl>
If you're willing to upgrade, this can help address the POODLE vulnerability.
Now, to answer your question: you set ciphers with a string containing Erlang terms like those returned from the `ssl:cipher_suites/0` function. If I invoke this function from an interactive Yaws session, for example, I get:

1> ssl:cipher_suites().
[{ecdhe_ecdsa,aes_256_cbc,sha384},
{ecdhe_rsa,aes_256_cbc,sha384},
{ecdh_ecdsa,aes_256_cbc,sha384},
{ecdh_rsa,aes_256_cbc,sha384},
...

There's much more output, but I abbreviated it as what can be seen here is enough to help answer your question. The example below sets `ciphers` in `yaws.conf` to just the first two tuples from the above output:

<ssl>
ciphers = "[{ecdhe_ecdsa,aes_256_cbc,sha384},{ecdhe_rsa,aes_256_cbc,sha384}]"
</ssl>
And as for documentation, there's an example like this in the Yaws conf man page.
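As an added example (not part of the answer above, and not Yaws code), here is a small Python audit script that parses the Erlang-term `ciphers` string from `yaws.conf`, flags suites that lack forward secrecy or use weak ciphers or MACs, and renders a filtered list back in the form the `ciphers` line takes. The policy sets at the top are assumptions for this example, and the 4-element tuple handling assumes the AEAD shape some OTP releases emit.

```python
import re

# Assumed hardening policy for this example: static-RSA / static-ECDH / anonymous key
# exchange gives no forward secrecy; RC4, DES, 3DES and NULL are weak or absent ciphers.
NON_PFS_KX = {"rsa", "ecdh_ecdsa", "ecdh_rsa", "dh_anon", "ecdh_anon"}
WEAK_CIPHERS = {"null", "rc4_128", "des_cbc", "3des_ede_cbc"}
WEAK_MACS = {"md5", "null"}
TUPLE_RE = re.compile(r"\{([^{}]*)\}")

def parse_ciphers(value):
    """Parse the Erlang-term list yaws.conf's `ciphers` setting takes, e.g.
    "[{ecdhe_ecdsa,aes_256_cbc,sha384},{rsa,rc4_128,md5}]", into tuples of atom names."""
    s = value.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]                      # strip the quotes the config line wraps it in
    if not (s.startswith("[") and s.endswith("]")):
        raise ValueError("ciphers value must be an Erlang list: [...]")
    body = s[1:-1]
    suites = []
    for m in TUPLE_RE.finditer(body):
        atoms = tuple(a.strip().strip("'") for a in m.group(1).split(","))
        if len(atoms) not in (3, 4) or not all(atoms):
            raise ValueError("malformed cipher suite tuple: " + m.group(0))
        suites.append(atoms)
    if TUPLE_RE.sub("", body).replace(",", "").strip():
        raise ValueError("text outside of {...} tuples in ciphers value")
    return suites

def audit_ciphers(suites):
    """Return (suite, reason) pairs for suites the policy above rejects."""
    findings = []
    for suite in suites:
        kx, cipher, mac = suite[0], suite[1], suite[2]
        if kx in NON_PFS_KX:
            findings.append((suite, "no forward secrecy"))
        if cipher in WEAK_CIPHERS:
            findings.append((suite, "weak or null cipher"))
        # 4-element tuples (assumed AEAD shape) carry a placeholder, not a MAC, in field 3
        if len(suite) == 3 and mac in WEAK_MACS:
            findings.append((suite, "weak or null MAC"))
    return findings

def to_yaws_ciphers(suites):
    """Render suites back into the quoted string form used on the yaws.conf ciphers line."""
    return '"[' + ",".join("{" + ",".join(s) + "}" for s in suites) + ']"'
```

Feed it the value from your `ciphers` line, drop every suite `audit_ciphers` reports, and paste the output of `to_yaws_ciphers` back into `yaws.conf`.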