I have a Ruby on Rails application that runs under puma v4.3.8. It currently allows a number of weaker TLS ciphers. The application has a config/puma.rb file. I've tried to use ssl_cipher_filter to enforce stronger ciphers.
From what I can see the puma code evals the contents of the config file, which seems ripe for exploitation but that's another discussion. I know I'm editing the correct file because if I put a coding error in it the application fails to start.
I've tried a number of approaches in the puma.rb to set the ssl_cipher_filter and ssl_cipher_list but none of them have had the desired affect, here's a few of those attempts:
ssl_bind('0.0.0.0','443', {ssl_cipher_filter: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"})
and
@options[:ssl_cipher_filter]="AES@STRENGTH"
and
@options[:ssl_cipher_list]="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
I am using nmap to check which ciphers are supported using the following command
nmap --script ssl-enum-ciphers -p 443 myapp.mydomain.com
I've yet to see any change in the list of ciphers accepted.
Can anyone help me put the correct configuration in place to limit the ciphers offered by puma?
This worked for me, adding this option on puma.rb configuration file:
ssl_cipher_filter: '!aNULL:AES+SHA'
Is is mentioned on https://github.com/puma/puma#controlling-ssl-cipher-suites