
SSL_CIPHER_LIST RESET ciphers configured.

KPC
New Contributor

Hello Team

I wanted to remove weak ciphers configured using SSL_CIPHER_LIST to avoid vulnerabilities. I tried exporting the parameter (SSL_CIPHER_LIST), but I am getting the same set of ciphers configured earlier after restart.

Can someone please help me?

 

Thanks in advance.


rocuinneagain
Valued Contributor

I see 31 by default on my machine, but exporting the variable I see I can control it down to 3.

https://code.kx.com/q/kb/ssl/#tls-cipher-list 

$ q
KDB+ 4.0 2021.07.12 Copyright (C) 1993-2021 Kx Systems
q)count ":" vs string (-26!)[]`SSL_CIPHER_LIST
31
$ export SSL_CIPHER_LIST="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
$ q
KDB+ 4.0 2021.07.12 Copyright (C) 1993-2021 Kx Systems
q)count ":" vs string (-26!)[]`SSL_CIPHER_LIST
3

Can you replicate this on your system?

KPC
New Contributor

After updating the cipher list with the one I have, I am getting this error:
SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1383:
'2023.02.19T20:28:44.616 failed to load TLS certificates

Could you please help me?
 

rocuinneagain
Valued Contributor

Are all the ciphers you added available on the machine?

Are they all contained in:

/usr/bin/openssl ciphers -v
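
The check suggested in the reply above can be scripted. This is an added example, not part of the original thread or of kdb+: it splits SSL_CIPHER_LIST on ":" and reports which entries appear in the first column of `openssl ciphers -v` and which do not. The function names `supported_cipher_names` and `filter_ciphers` are hypothetical, and the list is assumed to contain explicit cipher names, as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare SSL_CIPHER_LIST entries with
# the cipher names the local OpenSSL build reports.

# Names in the first column of `openssl ciphers -v`, one per line.
supported_cipher_names() {
    openssl ciphers -v 2>/dev/null | awk '{print $1}'
}

# filter_ciphers WANT LIST AVAIL
#   WANT   "known" or "unknown"
#   LIST   colon-separated cipher string (explicit names assumed)
#   AVAIL  newline-separated names offered by the library
# Prints the entries of LIST that are (known) or are not (unknown) in AVAIL.
filter_ciphers() {
    want=$1
    list=$2
    avail=$3
    printf '%s\n' "$list" | tr ':' '\n' | while IFS= read -r name; do
        # Skip empty entries and operator-prefixed ones (!x, -x, +x, @x):
        # those are cipher-string directives, not cipher names.
        case $name in ''|[-+@!]*) continue ;; esac
        # -F -x: fixed-string, whole-line match, so AES256-SHA does not
        # match inside a longer name.
        if printf '%s\n' "$avail" | grep -Fxq -- "$name"; then
            found=known
        else
            found=unknown
        fi
        if [ "$found" = "$want" ]; then printf '%s\n' "$name"; fi
    done
}

# Report against the real library when a list is exported in this shell.
if [ -n "${SSL_CIPHER_LIST:-}" ] && command -v openssl >/dev/null 2>&1; then
    names=$(supported_cipher_names)
    echo "usable entries:"
    filter_ciphers known "$SSL_CIPHER_LIST" "$names"
    echo "entries this OpenSSL does not list:"
    filter_ciphers unknown "$SSL_CIPHER_LIST" "$names"
fi
```

An empty "usable entries" section means no entry in the list names a cipher this OpenSSL build lists, which is the situation the "no cipher match" error describes.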