Hi,
I’m testing caddy locally, having trouble using the ciphers list in the tls settings block of the Caddyfile.
Using tls self_signed on its own (without any ciphers line) works fine, and in Chrome I can see webpages are being served with ECDHE_ECDSA_AES256_GCM cipher suite.
But when I try to force a cipher using the Caddyfile (even if I try to force that default cipher), the server refuses connections on that port. I don’t see anything written to the access log either. The Caddyfile I’m using is below, am I using the ciphers line correctly? Or is this something doesn’t work with self_signed?
localhost:443, {$ip}:443, localhost:2016, {$ip}:2016 {
tls self_signed {
ciphers ECDHE-ECDSA-AES256-GCM-SHA384
}
log access.log
root /home/me/www/
}
localhost:2015, {$ip}:2015 {
root /home/me/www/
}
One other question, using the testssl.sh script I only see 4 cipher suites supported by my caddy server, it seems none of the ciphers with RSA key exchange are included? I wonder is this a restriction of the self_signed setting?
Testing 359 via OpenSSL and sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc00a ECDHE-ECDSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc009 ECDHE-ECDSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
(EDIT: I tested this again using an RSA key and cert I created using openssl instead of the self_signed setting, and indeed I then see the server supporting six cipher suites with RSA key exchange. So that question is answered )
I still have a problem using the ciphers list with self_signed.