Specify TLSv1.2 cipher in JSON?

1. The problem I’m having:

Need the TLS app to use a specific cipher for generating keys. ECDHE-RSA-AES256-GCM-SHA384 instead of what it did by default which was ECDHE-ECDSA-AES256-GCM-SHA384. Using Caddy to manage certificates for a MQTT server, and the client can only handle specific ciphers (Tasmota).

Not sure if this is something I need to worry about, but according to multiple users on Tasmota forums, it matters.

2. Error messages and/or full log output:

General question at this point, not an error.

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

installed Caddy on Ubuntu 22.04 according to official guide

a. System environment:

Ubuntu 22.04

b. Command:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

c. Service/unit/compose file:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":443"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "subroute",
                                    "routes": [
                                        {
                                            "handle": [
                                                {
                                                    "handler": "reverse_proxy",
                                                    "upstreams": [
                                                        {
                                                           "dial": "127.0.0.1:38096"
                                                        }
                                                    ]
                                                }
                                            ]
                                        }
                                    ]
                                }
                            ],
                            "match": [
                                {
                                    "host": [
                                        "subdomain.example.com"
                                    ]
                                }
                            ],
                            "terminal": true
                        },
                        {
                            "handle": [
                                {
                                    "handler": "subroute",
                                    "routes": [
                                        {
                                            "handle": [
                                                {
                                                    "handler": "vars",
                                                    "root": "/usr/share/caddy"
                                                },
                                                {
                                                    "handler": "file_server",
                                                    "hide": [
                                                        "/etc/caddy/caddy.json"
                                                    ]
                                                }
                                            ]
                                        }
                                    ]
                                }
                            ],
                            "match": [
                                {
                                    "host": [
                                        "example.com"
                                    ]
                                }
                            ],
                            "terminal": true
                        }
                    ]
                }
            }
        },
        "tls": {
                        "certificates": {
                                "automate": [
                                        "mqtt.example.com"
                                ]
                        },
                        "automation": {
                                "policies": [
                                        {
                                                "issuers": [{
                                                        "module": "acme",
                                                        "email": "emailaddy@gmail.com"
                                                }]
                                        }
                                ]
                        }
                }
    }
}

5. Links to relevant resources:

You’ll create a TLS connection policy:

So in your server, adjacent to “routes”, create a new tls_connection_policies key as an array with an object that sets the cipher_suites property, with an array having a value of “ECDHE_RSA_AES256_GCM_SHA384”

So that array would be in apps->http->servers->tls_connection_policies->cipher_suites.

That would affect the ciphers used in apps->tls?

And would that restrict the ciphers used in all other TLS connections?

Again, just getting started with Caddy, so my big-picture knowledge isn’t great yet.

edit tried it and got a error on restart: “building standard TLS config: unsupported cipher suite: ECDHE_RSA_AES256_GCM_SHA384”

Sorry, that’s what I get for replying on mobile.

Proper name is: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

From tls (Caddyfile directive) — Caddy Documentation (we use the IANA identifiers)

Cipher suites are determined per-handshake, so you configure this where handshakes are established; that is the connection policies. It only affects the TLS connections that use that connection policy.

That fixed it! Thanks.

I said “That fixed it” since Caddy service restarted without error. However, when I check the ciphers used after changing my caddy.json with nmap --script ssl-enum-ciphers -p 8883 mqtt.example.com it still shows

PORT     STATE SERVICE
8883/tcp open  secure-mqtt
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Do I need to somehow force the certificates to get regenerated?

edit I manually deleted the certificates, and they regenerated after a few minutes, but cipher check still shows the same. Maybe I need to specify “rsa2048” in appstlsautomationpolicieskey_type?

Answered my own question. Yes. Specifying “rsa2048” gives me the cipher I need for Tasmota to connect to my Mosquitto broker successfully.

1 Like

Yeah; Caddy can’t use a cipher suite that’s incompatible with the certificate’s cryptography. Glad you figured it out!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.