Customizing TLS and SSH Ciphers

CVP uses nginx to front and terminate all HTTPS connections. To support HTTPS, the server must be configured with a certificate. A self-signed certificate is generated at first bootup.

Configuring Custom TLS Ciphers

Complete these steps to configure custom TLS ciphers.

Nginx, the web server software, uses TLS cipher suites that are considered safe to use, but they may not meet the security standards of certain organizations. You can change the suites in use by adding or editing the ssl_ciphers directive under the server block in /etc/nginx/conf.d/cvpi-server.conf (pre 2021.2.0) or /etc/nginx/conf.d/servers/cvpi-server.conf (post 2021.2.0).

  1. Using the appropriate path for your version of CloudVision, create a file that contains all of the SSL ciphers you need. Any OpenSSL cipher string can be used.
    • /etc/nginx/conf.d/cvpi-server.conf (pre 2021.2.0)
    • /etc/nginx/conf.d/servers/cvpi-server.conf (post 2021.2.0)
  2. Run the following command to make sure the configuration does not contain any errors:
    /usr/sbin/nginx -t -c /etc/nginx/conf.d/cvpi-server.conf

    or

    /usr/sbin/nginx -t -c /etc/nginx/conf.d/servers/cvpi-server.conf

  3. Run the following command to reload nginx with the updated configuration.
    systemctl reload nginx 

Configuring Custom SSH Ciphers

Complete these steps to configure custom SSH ciphers.

Note: Upgrading CVP removes custom SSH ciphers. You must reconfigure SSH ciphers after the upgrade.
  1. Edit /etc/cvpi/sshd_config to include the custom Ciphers and MACs definitions.
  2. Run the following command to make sure the configuration does not contain any errors:
    sshd -t -f /etc/cvpi/sshd_config
  3. Run the following command to reload sshd with the updated configuration.
    systemctl reload sshd 

Strong KEX Algorithm

  1. Modify the file /etc/cvpi/sshd_config. Below are all the ciphers and key exchange methods that can be used on CVP. Remove the methods the customer does not want; the following lines can be kept at the end of the file /etc/cvpi/sshd_config:
    Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
  2. Save the file and validate its syntax using the command sshd -t -f /etc/cvpi/sshd_config. The command should not throw any errors.
  3. Reload the sshd service by issuing systemctl reload sshd, then verify that the sshd service came up by checking the output of systemctl status sshd. The weak key exchange algorithms are now no longer offered.
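Both SSH procedures on this page end with "validate, reload, confirm the weak algorithms are gone", but neither shows how to confirm that from the file itself. The following is an added example, not CVP's own tooling: it audits an sshd_config for weak cipher, key exchange and MAC entries before sshd -t and the reload, so that a leftover entry such as diffie-hellman-group14-sha1 is caught rather than discovered later by a scanner. The sample file is constructed for this illustration; its Ciphers and KexAlgorithms lines follow the lists shown above (entries containing @ are OpenSSH's own algorithm names), and its MACs line is an assumed example that deliberately still carries hmac-sha1. The "weak" patterns encode a common hardening baseline and are meant to be adjusted to the organization's standard.

```shell
#!/bin/sh
# Added example (not CVP's own tooling): audit an sshd_config for weak
# cipher, key exchange and MAC entries before reloading sshd. The sample
# file below is constructed for this illustration; its MACs line is an
# assumed example that deliberately still includes hmac-sha1.
set -eu

SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD"' EXIT

cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample, not a real CVP configuration
Port 22
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1
EOF

# Patterns (extended regex, matched case-insensitively) that a typical
# hardening baseline treats as weak. Adjust to the organization's standard.
WEAK_CIPHERS='cbc|arcfour|rc4|3des|blowfish|cast128'
WEAK_KEX='sha1$'                    # group1/group14/group-exchange with SHA-1
WEAK_MACS='md5|hmac-sha1|umac-64|ripemd|-96'

# Print the value of keyword $2 from sshd_config $1 (first match wins, as in
# sshd; keywords are case-insensitive; handles the "Key value" form only).
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print the entries of comma-separated list $1 that match pattern $2.
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Ei "$2" || true
}

# Report each of the three lists; return 1 if any weak entry remains.
audit_sshd() {
    rc=0
    for key in Ciphers KexAlgorithms MACs; do
        case $key in
            Ciphers)       pat=$WEAK_CIPHERS ;;
            KexAlgorithms) pat=$WEAK_KEX ;;
            MACs)          pat=$WEAK_MACS ;;
        esac
        found=$(weak_entries "$(sshd_option "$1" "$key")" "$pat" | tr '\n' ' ')
        if [ -n "$found" ]; then
            echo "$key: weak entries remain: $found"
            rc=1
        else
            echo "$key: ok"
        fi
    done
    return $rc
}

# If an OpenSSH client is installed, list configured names this build does
# not know (`ssh -Q cipher|kex|mac` prints the supported names); an unknown
# name is the usual reason `sshd -t` rejects a custom list.
unknown_entries() {
    command -v ssh >/dev/null 2>&1 || return 0
    known=$(ssh -Q "$3" 2>/dev/null) || return 0
    for name in $(sshd_option "$1" "$2" | tr ',' ' '); do
        printf '%s\n' "$known" | grep -Fqx "$name" || echo "$name"
    done
}

audit_sshd "$SAMPLE_SSHD" || echo "trim the lists, then run sshd -t and reload sshd"
unknown_entries "$SAMPLE_SSHD" KexAlgorithms kex
```

Run it against /etc/cvpi/sshd_config before the sshd -t step; on the sample it reports the Ciphers list as clean and flags diffie-hellman-group14-sha1 and hmac-sha1, which is exactly the situation the instruction "remove the methods the customer does not want" refers to. Because CVP upgrades remove custom SSH ciphers, keeping this audit alongside the reconfiguration steps gives a quick post-upgrade check as well.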