configured sslciphers not respected. #2854

New issue

Open

opened 2026-02-20 22:13:45 -05:00 by deekerman · 9 comments

deekerman commented 2026-02-20 22:13:45 -05:00

Owner

Copy link

Originally created by @eebssk1 on GitHub (Jun 12, 2024).

The issue

I configed sslCiphers=DHE-RSA-CHACHA20-POLY1305 in server ini to disable AES.
However when starting server the following indicating it's not respected and clients still connecting with AES encryption.

2024-06-12 13:01:34.054 MetaParams: TLS cipher preference is "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-CHACHA20-POLY1305"

Mumble version

1.5.634

Mumble component

Server

OS

Linux

Additional information

No response

Originally created by @eebssk1 on GitHub (Jun 12, 2024). ### The issue I configed sslCiphers=DHE-RSA-CHACHA20-POLY1305 in server ini to disable AES. However when starting server the following indicating it's not respected and clients still connecting with AES encryption. <W>2024-06-12 13:01:34.054 MetaParams: TLS cipher preference is "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-CHACHA20-POLY1305" ### Mumble version 1.5.634 ### Mumble component Server ### OS Linux ### Additional information _No response_

deekerman added the

bug

server

good first issue

labels 2026-02-20 22:13:45 -05:00

deekerman commented 2026-02-20 22:13:46 -05:00

Author

Owner

Copy link

@eebssk1 commented on GitHub (Jun 13, 2024):

I had to clear tls1.3 and unintended ciphers in openssl.cnf to make it work.

@eebssk1 commented on GitHub (Jun 13, 2024): I had to clear tls1.3 and unintended ciphers in openssl.cnf to make it work.

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@Krzmbrzl commented on GitHub (Jun 13, 2024):

openssl.cnf as in the OpenSSL config file? The intended way is that this is not required 🤔

Does the Mumble config setting (without changed OpenSSL config) come into effect when you create a fresh server (that doesn't reuse the old's database)?

@Krzmbrzl commented on GitHub (Jun 13, 2024): `openssl.cnf` as in the OpenSSL config file? The intended way is that this is not required :thinking: Does the Mumble config setting (without changed OpenSSL config) come into effect when you create a fresh server (that doesn't reuse the old's database)?

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@eebssk1 commented on GitHub (Jun 13, 2024):

openssl.cnf as in the OpenSSL config file? The intended way is that this is not required 🤔

Does the Mumble config setting (without changed OpenSSL config) come into effect when you create a fresh server (that doesn't reuse the old's database)?

So I digged a little.

It looks like official client does not support chacha20 in (EC)DHE mode. And it seems the sslciphers config options does not accept ciphersuit name.
Which means the only way for me is to remove the AES one from openssl.cnf ciphersuit so chacha20 one is the prefered.
Maybe it's better to seprate the config options for TLS1.3 and TLS1.2_and_older, as indicated by openssl that they are unrelated.

@eebssk1 commented on GitHub (Jun 13, 2024): > `openssl.cnf` as in the OpenSSL config file? The intended way is that this is not required 🤔 > > Does the Mumble config setting (without changed OpenSSL config) come into effect when you create a fresh server (that doesn't reuse the old's database)? So I digged a little. It looks like official client does not support chacha20 in (EC)DHE mode. And it seems the sslciphers config options does not accept ciphersuit name. Which means the only way for me is to remove the AES one from openssl.cnf ciphersuit so chacha20 one is the prefered. Maybe it's better to seprate the config options for TLS1.3 and TLS1.2_and_older, as indicated by openssl that they are unrelated.

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@eebssk1 commented on GitHub (Jun 18, 2024):

So for clafirication. I'm still using TLS 1.3 but with only chacha20 one. I removed AES ciphersuit from openssl.cnf since mumble config does not regconise ciphersuit name which means i can not set the preference there.

@eebssk1 commented on GitHub (Jun 18, 2024): So for clafirication. I'm still using TLS 1.3 but with only chacha20 one. I removed AES ciphersuit from openssl.cnf since mumble config does not regconise ciphersuit name which means i can not set the preference there.

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@Krzmbrzl commented on GitHub (Jul 6, 2024):

When using the sslciphers config option, you should get a message like MetaParams: TLS cipher preference is ... when starting up the server. Does this message agree with what you have configured in the INI file?

'cause what is printed there should also be used for the actual connections if I read the code correctly 🤔

@Krzmbrzl commented on GitHub (Jul 6, 2024): When using the `sslciphers` config option, you should get a message like `MetaParams: TLS cipher preference is ...` when starting up the server. Does this message agree with what you have configured in the INI file? 'cause what is printed there should also be used for the actual connections if I read the code correctly :thinking:

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@eebssk1 commented on GitHub (Jul 6, 2024):

When using the sslciphers config option, you should get a message like MetaParams: TLS cipher preference is ... when starting up the server. Does this message agree with what you have configured in the INI file?

'cause what is printed there should also be used for the actual connections if I read the code correctly 🤔

Server won't startup. The TLS1.3 cipher string is not recognized by the option.

@eebssk1 commented on GitHub (Jul 6, 2024): > When using the `sslciphers` config option, you should get a message like `MetaParams: TLS cipher preference is ...` when starting up the server. Does this message agree with what you have configured in the INI file? > > 'cause what is printed there should also be used for the actual connections if I read the code correctly 🤔 Server won't startup. The TLS1.3 cipher string is not recognized by the option.

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@eebssk1 commented on GitHub (Jul 6, 2024):

When using the sslciphers config option, you should get a message like MetaParams: TLS cipher preference is ... when starting up the server. Does this message agree with what you have configured in the INI file?
'cause what is printed there should also be used for the actual connections if I read the code correctly 🤔

Server won't startup. The TLS1.3 cipher string is not recognized by the option.

It's very weired that MetaParams automatically prepend tls1.3 ciphers,but the options does not recognize it when manually entered.

@eebssk1 commented on GitHub (Jul 6, 2024): > > When using the `sslciphers` config option, you should get a message like `MetaParams: TLS cipher preference is ...` when starting up the server. Does this message agree with what you have configured in the INI file? > > 'cause what is printed there should also be used for the actual connections if I read the code correctly 🤔 > > Server won't startup. The TLS1.3 cipher string is not recognized by the option. It's very weired that MetaParams automatically prepend tls1.3 ciphers,but the options does not recognize it when manually entered.

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@Krzmbrzl commented on GitHub (Jul 6, 2024):

The appending of additional ciphers is actually done by OpenSSL, it seems. The cipher list entering
github.com/mumble-voip/mumble@9f0b143d0f/src/SSL.cpp (L49-L108)
is the one from the INI file but the one leaving this function contains the extra ciphers.

@Krzmbrzl commented on GitHub (Jul 6, 2024): The appending of additional ciphers is actually done by OpenSSL, it seems. The cipher list entering https://github.com/mumble-voip/mumble/blob/9f0b143d0f114c6ff4cd417fdeb5c8f6ccd6562d/src/SSL.cpp#L49-L108 is the one from the INI file but the one leaving this function contains the extra ciphers.

deekerman commented 2026-02-20 22:13:48 -05:00

Author

Owner

Copy link

@eebssk1 commented on GitHub (Oct 10, 2024):

According to https://manpages.debian.org/testing/libssl-doc/OPENSSL_config.3ssl.en.html
Maybe we could set OPENSSL_CONF to load the modded conf instead of loading/modifying the global one.
Since the function will always called by qt dependencies(it seems), this way might work.

@eebssk1 commented on GitHub (Oct 10, 2024): According to https://manpages.debian.org/testing/libssl-doc/OPENSSL_config.3ssl.en.html Maybe we could set [OPENSSL_CONF](https://manpages.debian.org/testing/libssl-doc/OPENSSL_config.3ssl.en.html#OPENSSL_CONF) to load the modded conf instead of loading/modifying the global one. Since the function will always called by qt dependencies(it seems), this way might work.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

weblate-translation-update

1.6.x

1.5.x

backport/1.5.x/pr-7080

backport/1.5.x/pr-6875

backport/1.5.x/pr-6879

backport/1.5.x/pr-6859

test-ci-win-fail

backport/1.5.x/pr-6789

backport/1.5.x/pr-6841

backport/1.5.x/pr-6832

backport/1.5.x/pr-6825

backport/1.5.x/pr-6809

backport/1.5.x/pr-6790

backport/1.5.x/pr-6777

backport/1.5.x/pr-6747

backport/1.5.x/pr-6775

backport/1.5.x/pr-6748

backport/1.5.x/pr-6769

backport/1.5.x/pr-6750

backport/1.5.x/pr-6744

backport/1.5.x/pr-6742

backport/1.5.x/pr-6728

backport/1.5.x/pr-6723

backport/1.5.x/pr-6700

backport/1.5.x/pr-6702

backport/1.5.x/pr-6703

backport/1.5.x/pr-6694

appveyor-fxc-dll-symbol-workaround

1.4.x

v1.6.870

v1.5.857

v1.5.735

v1.5.634

v1.5.629

v1.5.613

v1.5.517

v1.4.287

v1.4.274

v1.4.230

1.4.0-release-candidate-01

1.4.0-development-snapshot-006

1.4.0-development-snapshot-005

1.4.0-development-snapshot-004

1.4.0-development-snapshot-003

1.4.0-development-snapshot-002

1.3.4

1.4.0-development-snapshot-001

1.3.3

1.3.2

1.3.1

1.3.1-rc1

1.3.0

1.3.0-rc2

1.3.0-rc1

1.2.20

1.2.19

1.2.18

1.2.17

1.2.16

1.2.15

1.2.14

1.2.13

1.2.12

1.2.11

1.2.10

1.2.9

1.2.8

1.2.7

1.2.6

1.2.5

1.2.4

1.2.4-rc1

1.2.4-beta1

1.2.3

1.2.3-rc3

1.2.3-rc2

1.2.3-rc1

1.2.2

1.2.1

1.2.0

1.2.0beta2

1.2.0beta1

1.1.8

Labels

Clear labels   

GlobalShortcuts

  

Hacktoberfest

  

accessibility

  

acl

  

asio

  

audio

  

bonjour

  

bsd

  

bug

  

build

  

certificate

  

ci

  

client

  

code

  

documentation

  

external-bug

  

feature-request

  

gRPC

  

github

  

good first issue

  

help wanted

  

help-needed

  

ice

  

installer

  

linux

  

macOS

  

needs-ckeck-with-latest-version

  

needs-more-input

  

overlay

  

positional audio

  

priority/P0 - Blocker

  

priority/P1 - Critical

  

priority/P2 - Important

  

priority/P3 - Somewhat important

  

priority/P4 - Low

  

public-server-registration

  

qt

  

recording

  

release-management

  

server

  

stale-no-response

  

stale-support

  

support

  

task

  

test

  

theme

  

translation

  

triage

  

ui

  

windows

  

wontfix

  

x64

No labels

GlobalShortcuts

Hacktoberfest

accessibility

acl

asio

audio

bonjour

bsd

bug

build

certificate

ci

client

code

documentation

external-bug

feature-request

gRPC

github

good first issue

help wanted

help-needed

ice

installer

linux

macOS

needs-ckeck-with-latest-version

needs-more-input

overlay

positional audio

priority/P0 - Blocker

priority/P1 - Critical

priority/P2 - Important

priority/P3 - Somewhat important

priority/P4 - Low

public-server-registration

qt

recording

release-management

server

stale-no-response

stale-support

support

task

test

theme

translation

triage

ui

windows

wontfix

x64

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mumble-mumble-voip#2854

No description provided.