vADC Forum

Occasional Contributor
Posts: 12
Registered: 12-13-2013
Accepted Solution

Assuming TLS, what ciphers does SteelApp 9.8 support?

The documentation says to check online help to get the list, but I can't find it anywhere.  What information I can find is now quite dated.  Is there an official page that details current cipher support information?  If so can someone please link it?  If not can someone please list our cipher options today?

Brocadian
Posts: 100
Registered: 02-22-2013

Re: Assuming TLS, what ciphers does SteelApp 9.8 support?

Hi Shawn,

You can use the command "$ZEUSHOME/zxtm/bin/zeus.zxtm --ciphers" to see the list of supported cipher suites.

For version 9.8 I get:

SSL3 Ciphers enabled by default:
   SSL_RSA_WITH_AES_128_CBC_SHA256
   SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
   SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
   SSL_RSA_WITH_AES_128_CBC_SHA
   SSL_DHE_DSS_WITH_AES_128_CBC_SHA
   SSL_DHE_RSA_WITH_AES_128_CBC_SHA
   SSL_RSA_WITH_AES_256_CBC_SHA256
   SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
   SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
   SSL_RSA_WITH_AES_256_CBC_SHA
   SSL_DHE_DSS_WITH_AES_256_CBC_SHA
   SSL_DHE_RSA_WITH_AES_256_CBC_SHA
   SSL_RSA_WITH_3DES_EDE_CBC_SHA
   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
   SSL_RSA_WITH_RC4_128_SHA

Other ciphers (disabled by default):
   SSL_RSA_WITH_RC4_128_MD5
   SSL_RSA_WITH_DES_CBC_SHA
   SSL_DHE_DSS_WITH_DES_CBC_SHA
   SSL_DHE_RSA_WITH_DES_CBC_SHA
   SSL_RSA_EXPORT_WITH_DES_CBC_SHA
   SSL_RSA_EXPORT_WITH_RC4_56_SHA
   SSL_RSA_EXPORT_WITH_RC4_56_MD5
   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
   SSL_RSA_EXPORT_WITH_RC4_40_MD5
   SSL_RSA_WITH_NULL_SHA256
   SSL_RSA_WITH_NULL_SHA
   SSL_RSA_WITH_NULL_MD5

The online help it is referring to is shown when you click the "Help" link at the top-right of the screen when viewing the System > Global Settings page.

Occasional Contributor
Posts: 12
Registered: 12-13-2013

Re: Assuming TLS, what ciphers does SteelApp 9.8 support?

Thanks, Richard.  I see the list in help now.  There is something that is still confusing though.  Shouldn't SSL and TLS have different configs, including their cipher lists?

In Global Settings > SSL Configuration, a feature called ssl!ssl3_ciphers is where you configure a list, and the help says these are for SSL, obviously, but apparently TLS on SteelApp uses them too.  My TLS1.2 connection to a SteelApp virtual server running HTTPS shows that the cipher I have configured for SSLv3 (there is only one for reasons I'll go into in a moment) is the one it's using.

Here's the rub.  I need two cipher orders in this post-BEAST and POODLE world, one for TLS and one for SSL.  We are trying to retire SSLv3, but for now because of some legacy systems we can't do that for everything.  To mitigate the above-mentioned vulnerabilities we've disabled all SSL CBC ciphers, which leaves us with RC4.  RC4 is weak and it sucks, but we calculate that we're less likely to be hacked for using RC4 than we are using BEAST/POODLE-hackable CBC ciphers.  The plan was to use SSL on RC4 and update our legacy services one at a time to TLS.  But if I don't have another cipher list for TLS then even though my upgraded services are running TLS I'm still stuck with this old RC4 cipher.

The second reason it's weird is that IANA-registered TLS ciphers are supposed to start with SSL_ for SSL connections and TLS_ for TLS connections, right?  I suppose this way you can create one list and put both kinds in there, hence my original question.

TL;DR: Is there a separate cipher list or set of TLS-specific cipher types that I can use in SteelApp to get the full advantages of TLS while limiting my risk with virtual servers that need SSL?

Brocadian
Posts: 100
Registered: 02-22-2013

Re: Assuming TLS, what ciphers does SteelApp 9.8 support?

No problem. As you noticed, the configuration item "ssl!ssl3_ciphers" and cipher suite names such as SSL_RSA_WITH_AES_128_CBC_SHA256 apply to both the TLS and SSL protocols. This is for consistency and historical reasons, although it does mean that the names we give to cipher suites don't match those in the TLS RFCs. The online help does include the two 8-bit numbers that identify each cipher suite on the wire, which you can cross-reference with the IANA registry here. As you can see from the registry, IANA have the same TLS_ prefix for all ciphers regardless of which protocols they are available in; the same numbers are used for SSL3 & TLS1.0-1.2.

The traffic manager doesn't allow configuration of cipher suite preference per-protocol version, however depending on your need you may be able to achieve the same effect by using the per-pool and per-virtual server cipher suite configuration. The configuration item "ssl_ciphers" can be found in the Services > Pools > poolname > SSL Encryption and Services > Virtual Servers > vsname > SSL Decryption. By default these are blank and the global configuration is used.
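One way to review a listing like the one quoted above before deciding what to put in a per-pool or per-virtual-server "ssl_ciphers" setting, as an added example that is not part of this thread and not Brocade/Riverbed code: a small Python script that parses the two-section `zeus.zxtm --ciphers` output format, groups the enabled suites by the kind of weakness a defender would review, and maps the product's SSL_ names onto the TLS_ names IANA uses. The sample listing is constructed from the names posted above, and the prefix swap in `iana_name` is an assumption made for cross-referencing the registry, not something the product emits.

```python
"""Audit a SteelApp-style cipher suite listing (added example; not
Brocade/Riverbed code).  Parses the two-section format of
`zeus.zxtm --ciphers` quoted in the thread, classifies each suite by
name, and builds a candidate allowlist from the enabled suites."""
import re

# Constructed sample in the listing format quoted in the thread.
SAMPLE_OUTPUT = """\
SSL3 Ciphers enabled by default:
   SSL_RSA_WITH_AES_128_CBC_SHA256
   SSL_DHE_RSA_WITH_AES_256_CBC_SHA
   SSL_RSA_WITH_3DES_EDE_CBC_SHA
   SSL_RSA_WITH_RC4_128_SHA
Other ciphers (disabled by default):
   SSL_RSA_WITH_RC4_128_MD5
   SSL_RSA_WITH_DES_CBC_SHA
   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
   SSL_RSA_WITH_NULL_SHA
"""


def parse_cipher_listing(text):
    """Return {'enabled': [...], 'disabled': [...]} from the listing.

    A section header is any line ending in ':'; the suites are the
    indented lines that follow it until the next header."""
    sections = {"enabled": [], "disabled": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = "disabled" if "disabled" in line.lower() else "enabled"
        elif current is None:
            raise ValueError(f"suite listed before any section header: {line}")
        else:
            sections[current].append(line)
    return sections


# (severity, pattern, reason), checked in order; the first match wins.
# "protocol" marks suites whose known issues depend on the negotiated
# protocol version, which the thread says cannot be configured per version.
RULES = [
    ("critical", re.compile(r"_NULL_"),            "no encryption"),
    ("critical", re.compile(r"_EXPORT_"),          "export-grade key length"),
    ("critical", re.compile(r"_(DES|DES40)_CBC_"), "single DES"),
    ("weak",     re.compile(r"_RC4_"),             "RC4 stream cipher"),
    ("weak",     re.compile(r"_3DES_"),            "3DES"),
    ("protocol", re.compile(r"_CBC_"),
     "CBC mode (POODLE on SSL3, BEAST on TLS1.0)"),
]


def classify(suite):
    """Return (severity, reason) for one suite name, or ('ok', '')."""
    for severity, pattern, reason in RULES:
        if pattern.search(suite):
            return severity, reason
    return "ok", ""


def iana_name(suite):
    """Assumed mapping to the IANA registry name: same body, TLS_ prefix."""
    return "TLS_" + suite[len("SSL_"):] if suite.startswith("SSL_") else suite


def audit(text):
    """Group the enabled suites by severity, list the disabled suites that
    would be critical if re-enabled, and propose an allowlist made of the
    enabled suites with no protocol-independent weakness."""
    listing = parse_cipher_listing(text)
    report = {"critical": [], "weak": [], "protocol": [], "ok": []}
    for suite in listing["enabled"]:
        report[classify(suite)[0]].append(suite)
    report["dangerous_if_enabled"] = [
        s for s in listing["disabled"] if classify(s)[0] == "critical"
    ]
    report["allowlist"] = report["protocol"] + report["ok"]
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    for key in ("critical", "weak", "protocol", "ok", "dangerous_if_enabled"):
        for suite in result[key]:
            print(f"{key:22} {suite:40} {iana_name(suite)}")
    print("candidate allowlist:", ", ".join(result["allowlist"]))
```

Run as-is it reads the constructed sample; to audit a real box, pipe the output of `$ZEUSHOME/zxtm/bin/zeus.zxtm --ciphers` into `audit()` instead. The allowlist it proposes still contains CBC suites, which is the trade-off discussed in this thread: the classifier can only tell you a suite is protocol-sensitive, it cannot make the cipher preference differ per protocol version.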

Occasional Contributor
Posts: 12
Registered: 12-13-2013

Re: Assuming TLS, what ciphers does SteelApp 9.8 support?

Thanks, Richard.  I think it will work out if we set the ciphers per Virtual Server as you suggest.

--Shawn
