Tls self_signed and setting ciphers


I’m testing caddy locally, having trouble using the ciphers list in the tls settings block of the Caddyfile.

Using tls self_signed on its own (without any ciphers line) works fine, and in Chrome I can see webpages are being served with ECDHE_ECDSA_AES256_GCM cipher suite.

But when I try to force a cipher using the Caddyfile (even if I try to force that default cipher), the server refuses connections on that port. I don’t see anything written to the access log either. The Caddyfile I’m using is below, am I using the ciphers line correctly? Or is this something doesn’t work with self_signed?

localhost:443, {$ip}:443, localhost:2016, {$ip}:2016 {
	tls self_signed {
		ciphers ECDHE-ECDSA-AES256-GCM-SHA384
	log access.log
	root /home/me/www/ 

localhost:2015, {$ip}:2015 {
	root /home/me/www/

One other question, using the script I only see 4 cipher suites supported by my caddy server, it seems none of the ciphers with RSA key exchange are included? I wonder is this a restriction of the self_signed setting?

 Testing 359 via OpenSSL and sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits     Cipher Suite Name (RFC)
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM    256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES       256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM    128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES       128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

(EDIT: I tested this again using an RSA key and cert I created using openssl instead of the self_signed setting, and indeed I then see the server supporting six cipher suites with RSA key exchange. So that question is answered :smiley: )

I still have a problem using the ciphers list with self_signed.

Running Caddy 0.9.3 locally on my Macbook, with the following Caddyfile:

:2015 {
    tls self_signed {
        ciphers ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
    log stdout
    errors stdout

Seems to work fine for me. I can load https://localhost:2015 on Chrome, type “badidea”, and viola - directory listing. -e localhost:2015 does not give me any ciphers I haven’t specified.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.