Hardening Synology DSM SSL

written by Daniel Schep on 2013-02-05

Synology DSM 4.1 is vulnerable to the BEAST and Lucky Thirteen attacks out of the box. Switching to RC4 ciphers defeats these attacks, and any other future CBC-targeting attacks. To fix this, these 2 files need to be updated:


Update them so that the line starting with SSLCipherSuite is replaced with these two lines:

SSLHonorCipherOrder On

Restart Apache:

/usr/syno/etc/rc.d/S97apache-sys.sh restart
/usr/syno/etc/rc.d/S97apache-user.sh restart

Double-check that no other Apache configs contain SSLCipherSuite options:

grep SSLCipher /usr/syno/apache/conf/extra/*
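
An added example (not from the original post): a POSIX shell version of the double-check above that ignores commented-out lines, matches directives case-insensitively, and also flags any file that sets SSLCipherSuite without SSLHonorCipherOrder On. The function names, the sample files and the EXAMPLE-CIPHER-LIST placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Apache config files for TLS cipher directives.
# On the NAS: audit_ssl_conf /usr/syno/apache/conf/extra  (directory from the article)

# Print active (non-comment) lines for a directive, case-insensitively.
active_directive() {   # $1 = directive name, $2 = file
    grep -i -E "^[[:space:]]*$1([[:space:]]|\$)" "$2"
}

# For every file in a directory that sets SSLCipherSuite, print
#   OK <file>             if it also sets "SSLHonorCipherOrder On"
#   MISSING_ORDER <file>  otherwise
# Returns 0 when nothing is flagged, 1 when at least one file is.
audit_ssl_conf() {     # $1 = config directory
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        active_directive SSLCipherSuite "$f" >/dev/null || continue
        if active_directive SSLHonorCipherOrder "$f" |
               grep -i -q -E '[[:space:]]on[[:space:]]*$'; then
            echo "OK $f"
        else
            echo "MISSING_ORDER $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not taken from a real DSM install).
# EXAMPLE-CIPHER-LIST is a placeholder, not a real cipher string.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'SSLHonorCipherOrder On\nSSLCipherSuite EXAMPLE-CIPHER-LIST\n' > "$d/hardened.conf"
    printf '  sslciphersuite EXAMPLE-CIPHER-LIST\n' > "$d/leftover.conf"
    printf '# SSLCipherSuite EXAMPLE-CIPHER-LIST\n' > "$d/commented.conf"
    echo "$d"
}

# Demo run over the constructed samples.
sample=$(make_sample_dir)
audit_ssl_conf "$sample" || true
rm -rf "$sample"
```

The plain grep on the page would also list commented.conf; the function skips it and reports leftover.conf as the file that still needs the edit.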