We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
214 views 0 comments
by anonymous

I’m running RUT2_R_00.07.01.4 firmware. I can access the CLI and have familiarity with Unix/Linux-based systems. I’m struggling to pinpoint where the OS/webui gets its cipher settings from. It doesn’t appear to be basic OpenSSL. I’ve looked at the configs for uhttpd and EasyRSA but neither appears to be the one supplying the cipher config. I probably just haven’t looked in the right place.

We measure the security grade via Qualys’ SSL test. While the latest firmware gets an A grade and does really well, it is using some ciphers now considered weak and I’d like to turn them off.

Does anyone know where I need to go to do this? Where are they configuring the ciphers?

Can I also check that it’s right that you have to replace the uhttpd cert and key with the CLI as the only way to install your own certificate? It’s rather disappointing that the latest firmware has this great certificate manager but the only place it doesn’t appear to be able to play a role is the WebUI. Why? It wasn’t that hard for me to replace the uhttpd cert and key but it’s unfriendly to those who aren’t comfortable with CLIs.

Thanks in advance.

1 Answer

0 votes
by anonymous

Hello,

Certificates are generated using a combination of a configuration file and an init.d script, with OpenSSL as the key generation tool (found at /usr/sbin/openssl). The default configuration file at /etc/config/uhttpd (the config cert defaults section options) as well as the init.d script (for options which are not defined in the configuration file) at /etc/init.d/uhttpd dictate what encryption/hashing algorithms will be used when certificates do not exist on the device yet. However, if certificates already exist on the device, the script will not attempt to generate new certificates.

If you'd like to generate your own certificates with new settings, you'll have to remove the currently existing certificate via CLI (at /etc/uhttpd.crt and /etc/uhttpd.key), then edit the /etc/config/uhttpd configuration defaults to your desired options. Once done, make sure to reboot the uhttpd service with the /etc/init.d/uhttpd restart command and new certificates should be generated.

Alternatively, you may choose to upgrade to the latest firmware version 7.02 (either using FOTA, RMS or manually, by downloading the latest firmware from our wiki page for your device HERE and uploading it manually in order to upgrade your device) and then upload your own certificate & key to the router, via WebUI, at System > Administration > Access control by disabling the "Certificate files from device" option and uploading the required certificates.

Best regards,

Tomas.
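
The CLI procedure from the answer above, as an added example that is not part of the original post or the vendor's own tooling: it backs up the existing pair, removes it, restarts uhttpd, and restores the backup if no new pair appears. The paths and restart command are the ones given in the answer; the function name, `SUFFIX` and `WAIT` are assumptions of this example.

```shell
#!/bin/sh
# Added example: rotate the uhttpd certificate pair with a rollback path.
# CERT, KEY and the restart command come from the answer; SUFFIX, WAIT and
# the function name are assumptions made for this example.
CERT="${CERT:-/etc/uhttpd.crt}"
KEY="${KEY:-/etc/uhttpd.key}"
RESTART="${RESTART:-/etc/init.d/uhttpd restart}"
WAIT="${WAIT:-30}"   # seconds to wait for the init script to write a new pair

regen_uhttpd_cert() {
    suf="${SUFFIX:-.$(date +%Y%m%d%H%M%S).bak}"
    for f in "$CERT" "$KEY"; do
        [ -f "$f" ] || { echo "missing $f, nothing to rotate" >&2; return 2; }
    done
    # cp -p keeps owner and mode, so the key backup stays as restricted as the key.
    cp -p "$CERT" "$CERT$suf" && cp -p "$KEY" "$KEY$suf" || return 3

    # The init script only generates a pair when none exists, so remove both.
    rm -f "$CERT" "$KEY"
    $RESTART

    i=0
    while [ "$i" -lt "$WAIT" ]; do
        if [ -s "$CERT" ] && [ -s "$KEY" ]; then
            echo "new pair written; old pair kept as *$suf"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done

    # Nothing was generated: put the old pair back so the WebUI stays reachable.
    echo "no new certificate after ${WAIT}s, restoring backup" >&2
    cp -p "$CERT$suf" "$CERT" && cp -p "$KEY$suf" "$KEY"
    $RESTART
    return 1
}
```

Edit the `config cert defaults` section of /etc/config/uhttpd first, then source this file and call `regen_uhttpd_cert`. Delete the backed-up key once the new certificate is confirmed to be served.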