HTTPS connections

Kaspersky Scan Engine in HTTP mode supports HTTPS to establish a secure connection.

Kaspersky Scan Engine does not check the HTTP client certificate.

Kaspersky Scan Engine supports the following secure protocols and cipher suites:

• TLS 1.3 protocol and the following cipher suites:
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
• TLS 1.2 protocol and the following cipher suites:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

To configure an HTTPS connection, you need to specify the following parameters in the HTTP mode configuration file:

• A path to the private key file (the ServerSettings > TlsCertificateKeyFile element)
• A path to the certificate file (the ServerSettings > TlsCertificateFile element)
• The https protocol (the ServerSettings > ConnectionString element)

In addition, you can configure an HTTPS connection by using Kaspersky Scan Engine GUI.

Below is an example of how to generate private key and certificate files.

To generate a private key and a certificate (Linux):

1. Go to /opt/kaspersky/ScanEngine/tools.
2. Run the following command:

   ./openssl req -new -x509 -config openssl.cnf -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes -days 3650 -subj "/C=RU/CN=localhost" -keyout kavhttpd.key -out kavhttpd.cert

   In /opt/kaspersky/ScanEngine/tools, two files are created:

   • kavhttpd.key—the private key
   • kavhttpd.cert—the certificate

To generate a private key and a certificate (Windows):

1. Go to %service_dir%\tools.
2. Run the following command:

   openssl.exe req -new -x509 -config openssl.cnf -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes -days 3650 -subj "/C=RU/CN=localhost" -keyout kavhttpd.key -out kavhttpd.cert

   In %service_dir%\tools, two files are created:

   • kavhttpd.key—the private key
   • kavhttpd.cert—the certificate

Page top