How to configure

Navigate to the Bastion installation folder (by default c:\agat\Bastion).

...

The following is an example of a more complex and hardened cipher setting:

<allowedCiphers>EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:!RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!AES128-SHA:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!ECDHE-RSA-AES128-SHA:!SEED-SHA:!IDEA-CBC-SHA:</allowedCiphers>



A plus sign ( + ) between cipher names selects the ciphers that use the combination of all the named algorithms.

...

For example, !ECDHE-RSA-AES128-SHA disables the specific cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.

A list of cipher suite names (IANA) and the corresponding OpenSSL names is available here: https://testssl.sh/openssl-iana.mapping.html
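As an added example (not part of the product documentation or Bastion's own code), the following Python check lints an <allowedCiphers> value before it is deployed: it splits the list on the separators documented for OpenSSL cipher strings, breaks + combinations into their algorithms, and flags entries where a : was dropped between two ! exclusions. The function name lint_cipher_list and the sample string are constructed for illustration.

```python
import re

# Characters valid in an OpenSSL cipher-string name.
NAME = re.compile(r"[A-Za-z0-9._=-]+")
# Documented entry prefixes and the action each one requests.
PREFIX = {"!": "exclude", "-": "remove", "+": "reorder", "@": "special"}

def lint_cipher_list(value):
    """Return (entries, warnings) for an OpenSSL-style cipher list.

    entries  -- list of (action, [algorithm, ...]) for well-formed entries
    warnings -- list of (raw_entry, suggested_replacement_or_None)
    """
    entries, warnings = [], []
    for raw in re.split(r"[:, ]", value):    # ':' is usual; ',' and ' ' are also accepted
        if not raw:
            continue                          # trailing or doubled separator
        action, body = "add", raw
        if raw[0] in PREFIX:
            action, body = PREFIX[raw[0]], raw[1:]
        if "!" in body:
            # Two exclusions fused into one entry: a separator was dropped.
            warnings.append((raw, raw.replace("!", ":!").lstrip(":")))
            continue
        parts = body.split("+")               # '+' = all listed algorithms together
        if not all(NAME.fullmatch(p) for p in parts):
            warnings.append((raw, None))      # empty or malformed algorithm name
            continue
        entries.append((action, parts))
    return entries, warnings

# Constructed sample, not a recommended policy: one ':' is missing on purpose.
SAMPLE = "EECDH+AESGCM:!aNULL:!RC4:!AES128-SHA!AES256-SHA:!SEED-SHA:"

if __name__ == "__main__":
    entries, warnings = lint_cipher_list(SAMPLE)
    for action, parts in entries:
        print(f"{action:8} {' + '.join(parts)}")
    for raw, fix in warnings:
        print(f"WARNING  {raw!r} -> suggested {fix!r}")
```

The check validates syntax only; whether each name matches a cipher the server actually supports still has to be confirmed against the OpenSSL/IANA mapping list.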


Any change to the cipher configuration should also be made in accordance with the <minAllowedVersion> tag, which defines what version of TLS is allowed.

...