This information is current as at Lighthouse software version 5.2.0. Commands are provided to print current details from the Lighthouse Administrator CLI.
Cryptographic applications & libraries
For the purposes of this article, we’re considering programs that provide network services that securely authenticate and encrypt connections to Lighthouse and its nodes.
Libraries
OpenSSL | 1.1.1b | openssl version
Applications using OpenSSL
OpenSSH | 7.9p1 | ssh -V
OpenVPN | 2.4.7 | openvpn --version
nginx Web Server | 1.15.7 | nginx -v
nginx Web Server
Lighthouse's nginx web server implements The Mozilla Foundation’s recommended ciphersuite for intermediate compatibility.
This disables weak encryption elements including null ciphers, SSLv3 and RC4, while maintaining moderate backwards compatibility:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
The default self-signed SSL certificate has a 2048-bit public key:
sudo openssl x509 -in /etc/config/cert/default.cert.pem -text -noout | grep "Public-Key"
To view the web server protocol and cipher strings, run:
sudo grep -E "ssl_protocols|ssl_ciphers" /etc/nginx/ssl-params.conf
Although not generally recommended, advanced users may override the SSL ciphers and protocols by editing ssl-params.conf then running:
sudo configurator_https -l
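After editing ssl-params.conf, a check like the following can confirm that SSLv3, RC4 and null ciphers are still disabled. This is an added example, not Lighthouse code; the function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Lighthouse code): token-level check of an nginx TLS config
# for the elements the article says are disabled: SSLv3, RC4 and null ciphers.

# Print the value of directive $1 in file $2 (last occurrence, quotes and ';' removed).
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$2" |
        tr -d "'\"" | tail -n 1
}

# Print one line per finding; return 1 if anything weak is enabled, else 0.
check_ssl_params() {
    conf=$1
    rc=0
    for p in $(directive_value ssl_protocols "$conf"); do
        case $p in
            SSLv3) echo "weak protocol enabled: $p"; rc=1 ;;
        esac
    done
    # Cipher strings are ':'-separated; '!' and '-' prefixes remove ciphers.
    old_ifs=$IFS
    IFS=:
    for c in $(directive_value ssl_ciphers "$conf"); do
        case $c in
            '!'*|-*) ;;                                   # exclusion, not enabled
            *NULL*|*RC4*) echo "weak cipher enabled: $c"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample configs (not copied from a Lighthouse system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!RC4';
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
ssl_protocols SSLv3 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:eNULL;
EOF

for f in "$demo_dir/good.conf" "$demo_dir/bad.conf"; do
    if check_ssl_params "$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

To check the real file, call check_ssl_params /etc/nginx/ssl-params.conf with sufficient privileges to read it. The check is conservative and does not expand keywords such as ALL or DEFAULT; openssl ciphers -v '<cipher string>' lists what a given string actually enables.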
OpenSSH Server
The SSH server supports SSHv2 only.
For a full list of enabled ciphers, key exchange algorithms and hashes, run:
sudo sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
These are summarized in the following table:
Protocol | SSHv2
Key Exchange | curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha256
Authentication | RSA, ECDSA, ED25519 Public Key; Password
Encryption | chacha20-poly1305@openssh.com aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com
Hash | umac-64-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1-etm@openssh.com umac-64@openssh.com umac-128@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1
Note that modern versions of OpenSSH have deprecated support for DSA authentication.
The automatically generated RSA host key is 4096 bits. The automatically generated ECDSA and ED25519 host keys are 256 bits. These are generated on first boot after a factory reset. To view the size and fingerprint of each host key, run:
for pubkey in /etc/ssh/ssh_host_*.pub; do ssh-keygen -lf "$pubkey"; done
OpenVPN
OpenVPN tunnels from nodes (Lighthouse VPN) are configured to use the strongest available cipher and hash with a 2048-bit X.509 certificate for authentication. The minimum in use is AES-256-CBC encryption and SHA256 hashing. To view the configured cipher and hash, run:
grep -E "^cipher|^auth" /etc/config/lhvpn/server.conf
OpenSSL
Although many of these may be disabled by the individual applications above, the underlying OpenSSL supports a variety of protocol versions, ciphers and hashes. For a full list of algorithms, run:
openssl ciphers -v
Or for more concise output:
for col in 2 3 4 5; do sudo openssl ciphers -v | awk '{print $'$col'}' | sort | uniq; done
These are summarized in the following table:
Protocol | SSLv3 TLSv1 TLSv1.2 TLSv1.3
Key Exchange | DH DHEPSK ECDH ECDHEPSK PSK RSA RSAPSK SRP
Authentication | ECDSA PSK RSA SRP
Encryption | AES(128) AES(256) AESGCM(128) AESGCM(256) CHACHA20/POLY1305(256)
Hash | AEAD MD5 SHA1 SHA256 SHA384