
TLS server cipher regarding #1608

Open
kandasamypreetha opened this issue Jul 17, 2024 · 7 comments
Labels
is:question Issue is actually a question.

Comments

@kandasamypreetha

Hi,
I need to configure the TLS server to ensure it uses specific cipher suites for secure connections. Currently, the server is establishing connections with the default ciphers, but I require the server to prioritize the following cipher suites:

ECDHE_RSA_WITH_AES_128_GCM_SHA256
DHE_RSA_WITH_AES_128_GCM_SHA256

Could you please provide guidance on how to update the server's cipher selection to include these specific ciphers?

Thank you!

@michalvasko
Member

All the supported configuration parameters are found in the ietf-netconf-server YANG module. This particular parameter should be supported and found at /ietf-netconf-server:netconf-server/listen/endpoints/endpoint/transport/tls/tls/tls-server-parameters/hello-params/cipher-suites/cipher-suite.

The module is quite big, with all the imports, so you can use tree output format to make some sense of it (you can use yanglint from libyang to print it).

@michalvasko michalvasko added the is:question Issue is actually a question. label Jul 17, 2024
@kandasamypreetha
Author

As I am a beginner, can you please share an example XML for the above to add a cipher-suite?

@michalvasko
Member

Fine, this config adds only the cipher suite configuration (you need the rest of a TLS endpoint configuration for it to be valid and work, more about an example in the README) so it needs to be merged, not imported or replace the previous configuration (you can use sysrepocfg -E <file> to merge a configuration file). Also, this config restricts the allowed cipher-suites only to the 2 you mentioned, if you want to support other ones, you need to add them after those 2 (the higher the cipher-suite, the higher its priority).

<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
    <listen>
        <endpoints>
            <endpoint>
                <name>default-tls</name>
                <tls>
                    <tls-server-parameters>
                        <hello-params>
                            <cipher-suites xmlns:tlscsa="urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs">
                                <cipher-suite>tlscsa:tls-dhe-rsa-with-aes-128-gcm-sha256</cipher-suite>
                                <cipher-suite>tlscsa:tls-ecdhe-rsa-with-aes-128-gcm-sha256</cipher-suite>
                            </cipher-suites>
                        </hello-params>
                    </tls-server-parameters>
                </tls>
            </endpoint>
        </endpoints>
    </listen>
</netconf-server>
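The fragment above has to be spelled exactly right: the identityref value is the module prefix (bound by the xmlns:tlscsa declaration) plus the identity name, and the identity names are case-sensitive. As an added example that is not code from netopeer2, sysrepo or libyang, the script below generates that fragment from the IANA cipher-suite names in the question, rejects the spellings that fail to parse, and reads the configured list back out of a fragment (for instance one exported with sysrepocfg). It assumes that the identity names in iana-tls-cipher-suite-algs are the IANA names lowercased with "_" replaced by "-", which is the pattern in the two identities above (confirm for your module revision with yanglint, e.g. `yanglint -f tree iana-tls-cipher-suite-algs.yang`), and it uses the endpoint name default-tls from this thread.

```python
"""Build the cipher-suites fragment for an ietf-netconf-server TLS endpoint.

Added example; not code from netopeer2, sysrepo or libyang. Assumptions:
  * identity names in iana-tls-cipher-suite-algs are the IANA cipher-suite
    names lowercased with '_' replaced by '-' (the pattern seen in the thread;
    verify against your module revision with yanglint)
  * the endpoint is called 'default-tls', as in the thread
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_NCS = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"
NS_TLSCSA = "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs"

# IANA form: upper-case tokens joined by '_', e.g. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
_IANA_NAME = re.compile(r"^[A-Z0-9]+(?:_[A-Z0-9]+)+$")


def iana_to_identity(name):
    """Map an IANA cipher-suite name to the (assumed) YANG identity name.

    Rejects the spellings that failed in the thread: lowercase with
    underscores, or an identity-style name passed in by mistake.
    """
    if not _IANA_NAME.match(name):
        raise ValueError("not an IANA cipher-suite name: %r" % (name,))
    if not name.startswith("TLS_"):
        name = "TLS_" + name  # the question listed the suites without the TLS_ prefix
    return name.lower().replace("_", "-")


def cipher_suites_config(iana_names, endpoint="default-tls"):
    """Return a fragment to merge with `sysrepocfg -E <file>`.

    List order is priority order: the first suite is preferred, and only the
    listed suites are allowed, matching the behaviour described in the thread.
    """
    identities = [iana_to_identity(n) for n in iana_names]
    if len(set(identities)) != len(identities):
        raise ValueError("duplicate cipher suite in list")
    suites = "\n".join(
        " " * 32 + "<cipher-suite>tlscsa:%s</cipher-suite>" % escape(ident)
        for ident in identities
    )
    return """<netconf-server xmlns="{ncs}">
    <listen>
        <endpoints>
            <endpoint>
                <name>{ep}</name>
                <tls>
                    <tls-server-parameters>
                        <hello-params>
                            <cipher-suites xmlns:tlscsa="{tlscsa}">
{suites}
                            </cipher-suites>
                        </hello-params>
                    </tls-server-parameters>
                </tls>
            </endpoint>
        </endpoints>
    </listen>
</netconf-server>
""".format(ncs=NS_NCS, ep=escape(endpoint), tlscsa=NS_TLSCSA, suites=suites)


def configured_suites(xml_text):
    """Return the identity names (prefix stripped) found in a fragment, in priority order."""
    root = ET.fromstring(xml_text)
    names = []
    for elem in root.iter("{%s}cipher-suite" % NS_NCS):
        value = (elem.text or "").strip()
        names.append(value.split(":", 1)[1] if ":" in value else value)
    return names


if __name__ == "__main__":
    # The two suites from the question, in the order the question gave them.
    fragment = cipher_suites_config([
        "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "DHE_RSA_WITH_AES_128_GCM_SHA256",
    ])
    print(fragment)
    print("configured:", configured_suites(fragment))
```

Save the printed fragment to a file and merge it into the running datastore with `sysrepocfg -E cipher-suites.xml -d running`; a libyang "identity not found" error at this step means either the identity name is wrong or, as in the rest of this thread, the installed ietf-netconf-server revision does not use iana-tls-cipher-suite-algs at all. To check the result on the wire, connect with `openssl s_client -connect <host>:6513 -tls1_2` and confirm that the Cipher line of the handshake summary names one of the configured suites, and that restricting the client with `-cipher` to a suite not in the list makes the handshake fail.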

@kandasamypreetha
Author

kandasamypreetha commented Jul 24, 2024

Hi michal,
Thank you for your guidance on configuring the cipher suites for the TLS endpoint. I have followed your instructions and encountered some challenges. Here's a detailed account of the steps I took and the issues I'm facing.
1. I have installed the iana-tls-cipher-suite-algs YANG module.
2. I enabled the necessary features in the ietf-tls-common module:
tls-1_2, tls-dhe, tls-gcm, tls-sha2
3. Issues encountered:
---> Despite enabling the required features in ietf-tls-common, I faced the following errors:
root@4423--SW--POY:/home/vvdn/ranjith/NEC_CA/tls_files# sysrepocfg --edit=vi -d running
libyang error: Invalid identityref "tlscsa:tls_dhe_rsa_with_aes_128_gcm_sha256" value - identity not found in module "iana-tls-cipher-suite-algs". (Data location "/ietf-netconf-server:netconf-server/listen/endpoint[name='default-tls']/tls/tls-server-parameters/hello-params/cipher-suites/cipher-suite", line number 74.)
sysrepocfg error: Data parsing failed

---> I tried different variations of the cipher suite identity references (e.g., without the prefix tlscsa: and using uppercase), but none resolved the issue:
root@4423--SW--POY:/home/vvdn/ranjith/NEC_CA/tls_files# sysrepocfg --edit=vi -d running
libyang error: Invalid identityref "tls_dhe_rsa_with_aes_128_gcm_sha256" value - identity not found in module "ietf-netconf-server". (Data location "/ietf-netconf-server:netconf-server/listen/endpoint[name='default-tls']/tls/tls-server-parameters/hello-params/cipher-suites/cipher-suite", line number 74.)
sysrepocfg error: Data parsing failed

root@4423--SW--POY:/home/vvdn/ranjith/NEC_CA/tls_files# sysrepocfg --edit=vi -d running
libyang error: Invalid identityref "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" value - identity not found in module "ietf-netconf-server". (Data location "/ietf-netconf-server:netconf-server/listen/endpoint[name='default-tls']/tls/tls-server-parameters/hello-params/cipher-suites/cipher-suite", line number 68.)
sysrepocfg error: Data parsing failed

4. Could you please provide further guidance on how to correctly reference the cipher suites in the configuration? Is there an additional step or a specific way to enable the cipher suites in the iana-tls-cipher-suite-algs module that I might be missing?

@michalvasko
Member

I have provided the data for the latest release netopeer2 v2.2.28, with all its dependencies. Based on what you wrote I am certain you are using some older version. Update it and it will work.

@kandasamypreetha
Author

Thank you for your prompt response and for providing the data for the latest release, Netopeer2 v2.2.28. However, due to some dependencies, I need to stick with version 2.1.71.

I am currently using the YANG file iana-tls-cipher-suite-algs@2024-03-16 for Netopeer2 version 2.1.71. Could you please suggest the correct version of the iana-tls-cipher-suite-algs YANG file that would be compatible with Netopeer2 v2.1.71?

@michalvasko
Member

No, you cannot be using iana-tls-cipher-suite-algs@2024-03-16 with netopeer2 v2.1.71. This version installs [email protected] and these revisions did not yet require iana-tls-cipher-suite-algs. Manually installing the module will not affect the functionality in any way. So, you either update to the latest release or will not be able to customize the supported cipher-suites, no other option.
