HTTPS connections
April 24, 2024
ID 210245
Kaspersky Scan Engine in HTTP mode supports HTTPS to establish a secure connection.
Kaspersky Scan Engine does not check the HTTP client certificate.
Kaspersky Scan Engine supports the following secure protocols and cipher suites:
- TLS 1.3 protocol and the following cipher suites:
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256
  - TLS_AES_128_GCM_SHA256
- TLS 1.2 protocol and the following cipher suites:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
To configure an HTTPS connection, you need to specify the following parameters in the HTTP mode configuration file:
- A path to the private key file (the ServerSettings > TlsCertificateKeyFile element)
- A path to the certificate file (the ServerSettings > TlsCertificateFile element)
- The https protocol (the ServerSettings > ConnectionString element)
In addition, you can configure an HTTPS connection by using Kaspersky Scan Engine GUI.
Below is an example of how to generate private key and certificate files.
To generate a private key and a certificate (Linux):
- Go to /opt/kaspersky/ScanEngine/tools.
- Run the following command:
  ./openssl req -new -x509 -config openssl.cnf -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes -days 3650 -subj "/C=RU/CN=localhost" -keyout kavhttpd.key -out kavhttpd.cert
In /opt/kaspersky/ScanEngine/tools, two files are created:
- kavhttpd.key — the private key
- kavhttpd.cert — the certificate
To generate a private key and a certificate (Windows):
- Go to %service_dir%\tools.
- Run the following command:
  openssl.exe req -new -x509 -config openssl.cnf -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes -days 3650 -subj "/C=RU/CN=localhost" -keyout kavhttpd.key -out kavhttpd.cert
In %service_dir%\tools, two files are created:
- kavhttpd.key — the private key
- kavhttpd.cert — the certificate
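A client-side check for the setup above, as an added example that is not part of the original Kaspersky documentation: because the generated certificate is self-signed, the client pins kavhttpd.cert as its only trust anchor instead of disabling verification, and offers only the AEAD suites from the supported list. The OpenSSL-style suite names, the function names, and the host and port arguments are assumptions of this example.

```python
import socket
import ssl
import sys

# OpenSSL names of the AEAD TLS 1.2 suites from the list above; CBC suites are left out.
AEAD_TLS12 = (
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
)


def build_client_context(cert_path=None):
    """Client context that trusts only the server's own self-signed certificate."""
    # PROTOCOL_TLS_CLIENT turns on certificate verification and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the page lists TLS 1.2 and 1.3 only
    ctx.set_ciphers(":".join(AEAD_TLS12))         # TLS 1.3 suites are all AEAD and unaffected
    if cert_path is not None:
        # Pin the generated certificate as the sole trust anchor (no system CA store).
        ctx.load_verify_locations(cafile=cert_path)
    return ctx


def non_aead_suites(ctx):
    """Names of enabled suites that are not AEAD; empty when the policy holds."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def probe(host, port, cert_path):
    """Complete a verified handshake and return (protocol version, cipher name)."""
    ctx = build_client_context(cert_path)
    with socket.create_connection((host, port), timeout=5) as raw:
        # server_hostname must match the certificate subject (CN=localhost in the
        # example command), otherwise the handshake fails with a verification error.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Usage (assumed): python probe.py <host> <port> <path to kavhttpd.cert>
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Since Kaspersky Scan Engine does not check the HTTP client certificate, this handshake authenticates the server only.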