@dschep
Last active May 10, 2019 21:43
Hardening Synology DSM SSL

Out of the box, Synology DSM 4.1 is vulnerable to the BEAST and Lucky Thirteen attacks. Both target CBC-mode cipher suites, so preferring RC4, a stream cipher, stops them and any future CBC-targeting attack from working.

To fix this, update these two files:

/usr/syno/apache/conf/extra/httpd-alt-port-ssl-setting.conf
/usr/syno/apache/conf/extra/httpd-ssl.conf-common

In each file, replace the line starting with SSLCipherSuite with these two lines:

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!SSLv2

Restart Apache:

/usr/syno/etc/rc.d/S97apache-sys.sh restart
/usr/syno/etc/rc.d/S97apache-user.sh restart

Double-check that no other Apache configs contain SSLCipherSuite options:

grep SSLCipher /usr/syno/apache/conf/extra/*
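The edit step above can be scripted so it is repeatable across both files. This is an added example, not part of the original gist; the function name harden_ssl_conf and the .bak backup naming are assumptions, and it uses only sh, grep, awk, cp and cat.

```shell
#!/bin/sh
# Added example: apply the gist's cipher change to one Apache config file.
# harden_ssl_conf is a hypothetical helper name, not a DSM tool.
CIPHERS='RC4-SHA:HIGH:!ADH:!SSLv2'   # cipher string from the gist

harden_ssl_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    # Commented-out directives do not count; bail out if nothing is active.
    grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf" || {
        echo "no SSLCipherSuite in $conf" >&2; return 2; }
    tmp="$conf.new.$$"
    awk -v ciphers="$CIPHERS" '
        # Drop an existing SSLHonorCipherOrder so reruns do not duplicate it.
        /^[ \t]*SSLHonorCipherOrder[ \t]/ { next }
        /^[ \t]*SSLCipherSuite[ \t]/ {
            match($0, /^[ \t]*/)              # keep the original indentation
            indent = substr($0, 1, RLENGTH)
            print indent "SSLHonorCipherOrder On"
            print indent "SSLCipherSuite " ciphers
            next
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep only the first backup; the final grep check will list it as well.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1
    # cat into the existing file preserves its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Usage: sh harden.sh FILE... (pass the two config paths named above)
for f in "$@"; do harden_ssl_conf "$f"; done
```

The cipher string is kept in a variable because RC4 was later prohibited for TLS by RFC 7465; on a system whose OpenSSL offers TLS 1.2 AEAD suites, set CIPHERS to prefer those instead.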

Sources
