
I cannot change the ciphers in OpenBSD 6.2 in httpd.conf:

    tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:!AES128:!DHE:-ECDH:ECDHE:+SHA384:+SHA256"

    /etc/httpd.conf:46: server "domain.ex": tls configuration mismatch on same address/port

Does anyone have any idea?

Jeff Schaller
Vim

1 Answer


Can you show your full configuration? The following starts without error for me on OpenBSD 6.2. Notably the tls must be within a server block, and must be listed individually for each option. (Yes, this is my mail server and a host build system...)

    buildsrv_ip="10.11.12.13"

    chroot "/home/httpd"

    server "default" {
        directory auto index
        listen on $buildsrv_ip tls port 9999
        tls ciphers "HIGH:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:!AES128:!DHE:-ECDH:ECDHE:+SHA384:+SHA256"
        tls certificate "/etc/mail/host.crt"
        tls key "/etc/mail/host.key"
    }

thrig
  • https://www.ssllabs.com/ssltest/analyze.html?d=rootbsd.at – Vim Dec 25 '17 at 14:54
  • Thank you very much, it works. It must be in the server "domain.at" block and in the server "default" block also! Otherwise it displays tls configuration mismatch. https://www.ssllabs.com/ssltest/analyze.html?d=rootbsd.at – Vim Dec 25 '17 at 15:05
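
The fix reported in this thread (every server block on the same TLS address/port needs the same `tls ciphers` string) can be checked before reloading httpd. The following lint is an added example, not code from the posts or from httpd itself; the sample configuration, server names, address and paths are constructed. It assumes each server block closes with a brace in column 0 and compares cipher strings only.

```python
import re
from collections import defaultdict

# Constructed sample: two servers share one TLS listener, but only one of
# them sets "tls ciphers". Names, address and paths are made up.
SAMPLE = '''
ext_ip="192.0.2.10"

server "default" {
    listen on $ext_ip tls port 443
    tls certificate "/etc/ssl/example.crt"
    tls key "/etc/ssl/private/example.key"
}

server "domain.example" {
    listen on $ext_ip tls port 443
    tls ciphers "HIGH:!aNULL:!AES128"
    tls certificate "/etc/ssl/example.crt"
    tls key "/etc/ssl/private/example.key"
}
'''

def tls_cipher_mismatches(conf):
    """Map each TLS (address, port) whose server blocks disagree on the
    cipher string to {server name: cipher string, or None if unset}."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)   # drop whole-line comments
    conf = re.sub(r'\\\n\s*', '', conf)        # join backslash-continued lines
    macros = dict(re.findall(r'(?m)^(\w+)\s*=\s*"([^"]*)"', conf))
    listeners = defaultdict(dict)
    # Assumption: each server block's closing brace sits in column 0.
    for name, body in re.findall(r'(?ms)^server\s+"([^"]+)"\s*\{(.*?)^\}', conf):
        m = re.search(r'\bciphers\s+"([^"]*)"', body)
        ciphers = m.group(1) if m else None
        for addr, port in re.findall(r'listen\s+on\s+(\S+)\s+tls\s+port\s+(\S+)', body):
            if addr.startswith('$'):           # expand a simple macro
                addr = macros.get(addr[1:], addr)
            listeners[(addr, port)][name] = ciphers
    return {k: v for k, v in listeners.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    for (addr, port), servers in tls_cipher_mismatches(SAMPLE).items():
        print(f"{addr}:{port} has differing tls ciphers:")
        for name, ciphers in servers.items():
            print(f'  server "{name}": {ciphers or "(not set)"}')
```

A block without `tls ciphers` is reported as not set and counts as different from any explicit string, so the lint flags the situation described in the last comment above.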