Specifying allowed ciphers for Duplicati web server? (CVE-2016-2183)

yu210148 · February 13, 2021, 4:32pm

Hi All,

Is there a way to specify which ciphers are allowed on the Duplicati web server?

I’ve set it up on a Debian host on my network, ticked off the box to ‘Allow remote access’, then enabled https with a self-signed cert by creating one and putting the following in /usr/lib/systemd/duplicati.service:

ExecStart=/usr/bin/duplicati-server --webservice-sslcertificatefile=/etc/ssl/certs/duplicati.p12 $DAEMON_OPTS

When I scanned the host with a vulnerability scanner it’s telling me that the thing is allowing the vulnerable SWEET32 cipher. I see the spot in the advanced options drop-down to allow only TLS 1.2 or 1.1 but I don’t see a spot to specify the ciphers.

I’m not allowing access from outside my LAN so it’s not a huge deal but I’m curious if there’s a way to do it.

Thanks in advance.

kev.

ts678 · February 18, 2021, 12:24am

Welcome to the forum @yu210148

On Linux, Duplicati uses SSL/TLS encryption from mono, and it seems to have no good way to do that.

BTLS 3X slower than legacy TLS #10744

I’m not so sure it affects the server, but one can control what encryption Duplicati uses to its destination.

yu210148 · February 18, 2021, 1:28am

Thanks @ts678,

What do you mean about the destination? This seems to be an issue with the web interface when allowed on the network rather than an issue with putting the backup files in their defined destination. Admittedly, the web UI isn’t secured for remote access from what I’ve read as that’s not the intended use.

When I googled this issue I didn’t come up with any useful results to I thought I’d at least ask the question.

But, I could be missing something.

I thought there might have been some parameter to pass to /usr/bin/duplicati-server in it’s systemd unit file that I wasn’t aware of but it seems more involved than that.

kev.

ts678 · February 18, 2021, 1:29am

refers to job configuration screen 2, Destination. Some destinations use SSL/TLS configurable by allowed-ssl-versions. You sounded like you thought that affected what Duplicati serves to a browser.

Basically, my belief is that the Duplicati web server is not configurable this way. but I could be wrong.

yu210148 · February 18, 2021, 1:37am

Gotcha, no, sorry if I was unclear, the configured destination for the backups isn’t what the vulnerability scanner is getting at here. It’s the encryption used between the browser and the UI when exposed to other hosts by ticking off the box next to ‘Allow remote access (requires restart)’ under ‘Settings’. Then, configuring it to use https rather than http as described in this post:

Duplicati webserver https with selfsigned certificate

ts678 · February 18, 2021, 1:38am

It was clear, but I don’t think it’s configurable.

yu210148 · February 18, 2021, 1:39am

Cool, thanks for having a look