I configured my PRTG webserver to use a secure connection. Which encryption methods does the PRTG webserver accept? Which ciphers are supported? Can I connect using RC4?

Article Comments

THIS INFORMATION IS OUT OF DATE

For more recent information about PRTG and security, please see the following article:

This article applies to PRTG Network Monitor 13.4.7.3531 or later

PRTG Webserver Secure Connections

PRTG supports SSL-encrypted connections between the webserver and the clients. On the webserver side, you can either use the standard certificate that is shipped with PRTG, or your own certificate.

When the browser connects to the webserver, they negotiate an encryption method. As of PRTG version 13.4.7.3531, the PRTG webserver accepts the following methods:

  • SSLv3 256 bits AES256-SHA
  • SSLv3 128 bits AES128-SHA
  • SSLv3 168 bits DES-CBC3-SHA
  • TLSv1 256 bits AES256-SHA
  • TLSv1 128 bits AES128-SHA
  • TLSv1 168 bits DES-CBC3-SHA


Unsupported Ciphers

As of PRTG version 13.4.7.3531, the PRTG webserver does not accept the following encryption method any more:

  • SSLv3 128 bits RC4-SHA

Please make sure you use the latest browser version on your clients!


Nov, 2013 - Permalink

It is really good you have ditched RC4. I would also ditch (or disable by default): SSLv3 168 bits DES-CBC3-SHA TLSv1 168 bits DES-CBC3-SHA

DES is well past it's best lifetime, and can be broken in sub-24 hours using common hardware. With a high power group of machines it can almost be broken real-time. You really don't want to be using ciphers that can be broken so quickly.


Mar, 2014 - Permalink

Dear Philip,

with our ciphers we follow the recommendation outlined under https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

In the linked Qualys SSL Labs test, a public PRTG installation with trusted certificate gets a "B" rating. We consider support for TLS 1.2 in future PRTG releases.

If needed, we can provide you with an undocumented setting to define the allowed ciphers manually.


Mar, 2014 - Permalink

Hello,

Is there any way of enabling TLS 1.2 on version 14.3.10.2422+?

Also, can we strip/disable the server signature being reported (noticed on ssllabs.com)

Thanks

Dave


Oct, 2014 - Permalink

TLS 1.2 is currently not supported int Version 14.x.10. As of version 14.3.11.2625/2626 PRTG supports TLS1.2. Forward Secrecy will be supported with the next Release Branch 14.x.12 but I cannot give you an estimate on this. Please bear with us.
Could you please explain what exactly you mean about the signature?


Oct, 2014 - Permalink

Is there any place to disable encryption under server configuration? Any plan to disable DES-CBC3-SHA?

DES-CBC3-SHA should be avoided, based on CVE-2016-218.


Dec, 2022 - Permalink

Hello,

The current version of this information is outdated, you can find the current information here

If you need further customization we have the possibility to define the used SSL ciphers completely manually by editing PRTGs configuration directly.

As this is an advanced procedure with potential for failure we provide this information via our Technical Support, please get in touch via mail at support@paessler.com

Kind regards,
Johannes Beyerlein, Technical Support Team


Jan, 2023 - Permalink