Specifying allowed ciphers for Duplicati web server? (CVE-2016-2183)

Hi All,

Is there a way to specify which ciphers are allowed on the Duplicati web server?

I’ve set it up on a Debian host on my network, ticked off the box to ‘Allow remote access’, then enabled https with a self-signed cert by creating one and putting the following in /usr/lib/systemd/duplicati.service:

ExecStart=/usr/bin/duplicati-server --webservice-sslcertificatefile=/etc/ssl/certs/duplicati.p12 $DAEMON_OPTS

When I scanned the host with a vulnerability scanner it’s telling me that the thing is allowing the vulnerable SWEET32 cipher. I see the spot in the advanced options drop-down to allow only TLS 1.2 or 1.1 but I don’t see a spot to specify the ciphers.

I’m not allowing access from outside my LAN so it’s not a huge deal but I’m curious if there’s a way to do it.

Thanks in advance.

kev.
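As a way to confirm the scanner's SWEET32 finding independently of whatever tool produced it, here is an added example (not Duplicati or mono code, and not part of the original posts). It hand-builds a minimal TLS 1.2 ClientHello that offers only 3DES-CBC suites and classifies the server's first record: a ServerHello means the server negotiated a 64-bit-block cipher and the finding is real; an alert (normally handshake_failure) means it refused. The host name, the default port 8200 and the `probe_sweet32` function name are assumptions; the test bytes in the comments are constructed.

```python
"""Probe whether a TLS server accepts a 3DES (SWEET32-affected) cipher suite.

Added example, not code from Duplicati or mono. Only the standard library is
used so the ClientHello/ServerHello handling can be read and tested offline.
"""
import os
import socket
import struct

# Cipher suites whose bulk cipher is 3DES-CBC (64-bit block size -> SWEET32).
THREE_DES_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(suites, server_name=None):
    """Return one TLS record carrying a TLS 1.2 ClientHello that offers only `suites`."""
    body = b"\x03\x03"                         # client_version = TLS 1.2
    body += os.urandom(32)                     # client random
    body += b"\x00"                            # session_id length = 0
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                        # compression methods: null only

    exts = b""
    if server_name:                            # server_name (SNI), type 0x0000
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(sni_list)) + sni_list
        exts += b"\x00\x00" + struct.pack("!H", len(sni)) + sni
    groups = b"\x00\x17\x00\x18"               # supported_groups: secp256r1, secp384r1
    grp = struct.pack("!H", len(groups)) + groups
    exts += b"\x00\x0a" + struct.pack("!H", len(grp)) + grp
    sigalgs = b"\x04\x01\x02\x01"              # signature_algorithms: rsa/sha256, rsa/sha1
    sa = struct.pack("!H", len(sigalgs)) + sigalgs
    exts += b"\x00\x0d" + struct.pack("!H", len(sa)) + sa
    body += struct.pack("!H", len(exts)) + exts

    # Handshake header: type 0x01 (ClientHello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), legacy version 3.1, 16-bit length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record the server sends back.

    Returns ("accepted", suite_id) for a ServerHello, ("refused", alert_description)
    for an alert record, or ("unknown", None) for anything else.
    """
    if len(data) < 5:
        return ("unknown", None)
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    frag = data[5:5 + rec_len]
    if content_type == 0x15 and len(frag) >= 2:                   # Alert
        return ("refused", frag[1])
    if content_type == 0x16 and len(frag) >= 41 and frag[0] == 0x02:  # ServerHello
        # handshake header (4) + version (2) + random (32) = 38, then session_id
        sid_len = frag[38]
        suite = struct.unpack("!H", frag[39 + sid_len:41 + sid_len])[0]
        return ("accepted", suite)
    return ("unknown", None)


def probe_sweet32(host, port=8200, timeout=5.0):
    """Connect to host:port and report whether a 3DES suite gets negotiated.

    Port 8200 is assumed as the Duplicati web UI default; adjust as needed.
    """
    sni = None if host.replace(".", "").isdigit() else host      # no SNI for IP literals
    hello = build_client_hello(list(THREE_DES_SUITES), server_name=sni)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        data = sock.recv(4096)
    status, detail = parse_server_response(data)
    if status == "accepted":
        return f"VULNERABLE: server chose {THREE_DES_SUITES.get(detail, hex(detail))}"
    if status == "refused":
        return f"OK: server refused 3DES-only offer (alert description {detail})"
    return "UNKNOWN: unexpected first record from server"


if __name__ == "__main__":
    print(probe_sweet32("duplicati.local"))   # assumed host name
```

Because the offer contains nothing but 3DES suites, the only way the handshake can proceed is if the server is willing to use one of them, so a ServerHello is conclusive; a plain TCP reset or timeout is reported as unknown rather than as a pass.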

Welcome to the forum @yu210148

On Linux, Duplicati uses SSL/TLS encryption from mono, and it seems to have no good way to do that.

BTLS 3X slower than legacy TLS #10744

I’m not so sure it affects the server, but one can control what encryption Duplicati uses to its destination.

Thanks @ts678,

What do you mean about the destination? This seems to be an issue with the web interface when allowed on the network rather than an issue with putting the backup files in their defined destination. Admittedly, the web UI isn’t secured for remote access from what I’ve read as that’s not the intended use.

When I googled this issue I didn’t come up with any useful results, so I thought I’d at least ask the question. :slight_smile:

But, I could be missing something.

I thought there might have been some parameter to pass to /usr/bin/duplicati-server in its systemd unit file that I wasn’t aware of, but it seems more involved than that.

kev.

refers to job configuration screen 2, Destination. Some destinations use SSL/TLS configurable by allowed-ssl-versions. You sounded like you thought that affected what Duplicati serves to a browser.

Basically, my belief is that the Duplicati web server is not configurable this way, but I could be wrong.

Gotcha, no, sorry if I was unclear, the configured destination for the backups isn’t what the vulnerability scanner is getting at here. It’s the encryption used between the browser and the UI when exposed to other hosts by ticking off the box next to ‘Allow remote access (requires restart)’ under ‘Settings’. Then, configuring it to use https rather than http as described in this post:

Duplicati webserver https with selfsigned certificate

It was clear, but I don’t think it’s configurable.

Cool, thanks for having a look :slight_smile: