I configured my PRTG webserver to use a secure connection. Which encryption methods does the PRTG webserver accept? Which ciphers are supported? Can I connect using RC4?
THIS INFORMATION IS OUT OF DATE
For more recent information about PRTG and security, please see the following article:
This article applies to PRTG Network Monitor 126.96.36.19931 or later
PRTG Webserver Secure Connections
PRTG supports SSL-encrypted connections between the webserver and the clients. On the webserver side, you can either use the standard certificate that is shipped with PRTG, or your own certificate.
When the browser connects to the webserver, they negotiate an encryption method. As of PRTG version 188.8.131.5231, the PRTG webserver accepts the following methods:
- SSLv3 256 bits AES256-SHA
- SSLv3 128 bits AES128-SHA
- SSLv3 168 bits DES-CBC3-SHA
- TLSv1 256 bits AES256-SHA
- TLSv1 128 bits AES128-SHA
- TLSv1 168 bits DES-CBC3-SHA
As of PRTG version 184.108.40.20631, the PRTG webserver does not accept the following encryption method any more:
- SSLv3 128 bits RC4-SHA
Please make sure you use the latest browser version on your clients!
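The listing above can be checked mechanically. The following is an added example, not part of the original article or of PRTG: it parses lines in the article's `PROTO NNN bits SUITE` form (OpenSSL-style suite names, TLS 1.2 and earlier) and tags each one for the properties discussed on this page: protocol version, RC4, triple DES and forward secrecy. The tag names and function names are this example's own.

```python
import re

# Methods copied from the article's lists (OpenSSL-style suite names).
ACCEPTED = """
SSLv3 256 bits AES256-SHA
SSLv3 128 bits AES128-SHA
SSLv3 168 bits DES-CBC3-SHA
TLSv1 256 bits AES256-SHA
TLSv1 128 bits AES128-SHA
TLSv1 168 bits DES-CBC3-SHA
"""
NO_LONGER_ACCEPTED = "SSLv3 128 bits RC4-SHA"

LINE = re.compile(r"^(SSLv\d|TLSv[\d.]+)\s+(\d+) bits\s+([A-Z0-9-]+)$")

def parse(listing):
    """Parse 'PROTO NNN bits SUITE' lines into (proto, bits, suite) tuples."""
    entries = []
    for raw in listing.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries

def findings(proto, suite):
    """Return weakness tags (names are this example's own) for one pair."""
    parts = suite.split("-")
    tags = []
    if proto.startswith("SSLv"):
        tags.append("sslv3")               # deprecated by RFC 7568
    elif proto in ("TLSv1", "TLSv1.0", "TLSv1.1"):
        tags.append("pre-tls1.2")
    if "RC4" in parts:
        tags.append("rc4")                 # prohibited by RFC 7465
    if "CBC3" in parts:
        tags.append("3des")                # DES-CBC3 = triple DES, 64-bit block
    if parts[0] not in ("ECDHE", "DHE", "EDH"):
        tags.append("no-forward-secrecy")  # no ECDHE/DHE prefix in the name
    return tags

def audit(listing):
    """Map 'PROTO SUITE' to its tags for every line in the listing."""
    return {f"{p} {s}": findings(p, s) for p, _bits, s in parse(listing)}

if __name__ == "__main__":
    for name, tags in audit(ACCEPTED + NO_LONGER_ACCEPTED).items():
        print(f"{name:22} {', '.join(tags) or 'ok'}")
```

Every suite in the article's list carries at least two tags; a line such as `TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384` would carry none.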
It is really good you have ditched RC4. I would also ditch (or disable by default):
- SSLv3 168 bits DES-CBC3-SHA
- TLSv1 168 bits DES-CBC3-SHA
DES is well past its best lifetime, and can be broken in sub-24 hours using common hardware. With a high power group of machines it can almost be broken real-time. You really don't want to be using ciphers that can be broken so quickly.
With our ciphers we follow the recommendation outlined under https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
In the linked Qualys SSL Labs test, a public PRTG installation with trusted certificate gets a "B" rating. We consider support for TLS 1.2 in future PRTG releases.
If needed, we can provide you with an undocumented setting to define the allowed ciphers manually.
Is there any way of enabling TLS 1.2 on version 220.127.116.112+?
Also, can we strip/disable the server signature being reported (noticed on ssllabs.com)?
TLS 1.2 is currently not supported in Version 14.x.10. As of version 18.104.22.16825/2626 PRTG supports TLS 1.2. Forward Secrecy will be supported with the next Release Branch 14.x.12 but I cannot give you an estimate on this. Please bear with us.
Could you please explain what exactly you mean about the signature?