06-17-2015 08:05 AM
Any ideas how to disable the TLS variant of RC4 (or other) cipher in the SSL(/TLS!) Configuration?
SSLv3 (and v2) are disabled and all docs refer to only SSL cipher lists.
There are references to the TLS algorithms - but setting these still allows weak ciphers, including RC4, for example.
Ideas and suggestions much appreciated
06-19-2015 01:01 AM
Bump. Perhaps the web interface needs a bit of a revamp. There are lots of references in the web interface to SSL parameters which are actually used for TLS too, which is a bit misleading.
06-19-2015 11:08 AM
Hi guys, welcome to the Brocade communities! Kudos for being the first one to post a question. I'm not sure on this one, but I will get the product team involved and see if we can get you an answer. I'll let you know as soon as we hear back from them.
06-21-2015 06:23 AM
OK, just a few things to check, and a little information.
Firstly, what version of SteelApp Traffic Manager are you running?
I ask because the defaults change from version to version (as we move to remove weaker encryption settings as they become less trusted) and the settings you have by default on your SteelApp can vary depending on what version you are running, and whether it was a clean install or an upgrade and what version(s) you have upgraded through over time.
Secondly, what are the current *effective* settings for the Virtual Server in question?
For this you need to look under *both* Settings > Global Settings > SSL Configuration > ssl!ssl3_ciphers (which sets the defaults for ALL Virtual Servers) and the setting for the specific Virtual Servers you are interested in under Services > Virtual Servers > Your_Virtual_Server_Name > SSL Decryption > ssl_ciphers (which can override the defaults on a per Virtual Server basis).
Based on your answer to these two questions, we can look at how we can assist you further. Now for some information:
With each version of Traffic Manager, the new install *defaults* can be listed in the online help - simply click the "Help" button in the top right when on the ssl!ssl3_ciphers page under "Global Settings" and it will list the default ciphers.
Looking at my v10.0r1 Traffic Manager, I can see the list includes only one RC4 cipher by default, and it's the last on the list:
26. SSL_RSA_WITH_RC4_128_SHA (0x00, 0x05)
If you remove this from the list, you should be ok as far as no longer supporting RC4 ciphers.
If you want to test your configuration, you can use the Qualys SSL Labs "SSL Server Test" (https://www.ssllabs.com/ssltest/index.html).
When I do, I see it correctly identifies the use of weak RC4 ciphers with the defaults. If I remove this from the list and test again, I get no RC4 warnings.
06-21-2015 06:28 AM
Sometimes within a product's lifecycle, elements change and we have to make the hard decision between the benefits of a name change for a configuration parameter versus both the chaos it can create when a command or setting that used to work no longer does and the features we could be working on instead of these changes... It's a hard balance to strike sometimes!!
Please do know that your comment *is* noted and appreciated - I have flagged your suggestion for review, but I can't make any promises.
06-22-2015 05:55 AM - edited 06-22-2015 07:56 AM
Thanks for posting the question - I hope Aidan's info helps you to set this up. The overall message is that although we provide you with some default settings, you can select which cipher(s) you wish to accept for each application.
06-23-2015 03:37 AM
Thanks guys for all the info
I am managing to have some tinker time now - which is good. I think, as was previously mentioned, even though the fields say 'ssl ciphers' it does cover tls too.
That ssllabs site is very informative, and I've used the SteelApp help page as well to get a cipher wanted list. Originally I hoped it could be done in a similar fashion to Apache with a '!RC4' option.
I'm just conscious that if a new release of the STM adds new ciphers, or deprecates them; then the explicitly listed ciphers may create an admin overhead to keep on top of. I appreciate that the defaults are getting better with each release (we're on the latest 10r1 here) and the software is excellent, we recommend it where we can.
For example, we don't use the FIPS stuff, but the ciphers listed by that have the 'weak' (according to SSL Labs) DHE Diffie-Hellman exchange.
So, currently our cipher list, with SSLv3 disabled, works well and is as follows (gets A- on ssl labs, which is good enough :-) :
thanks again - much appreciated
06-29-2015 12:57 AM
You should be able to get an A score if you change the list and order of ciphers as follows:
Further, you should be able to get an A+ score if you add the following TrafficScript rule as a response rule on your TLS virtual servers:
http.setResponseHeader( "Strict-Transport-Security", "max-age=31622400" );
07-15-2015 05:40 AM - edited 07-15-2015 05:52 AM
To go off topic slightly, how do you improve the "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."?
I guess you remove the ciphers that use DHE in the list? If not how do you generate your own stronger key?
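As an added example (not from this thread or from the Traffic Manager product), here is a small Python script that takes a numbered cipher list in the format the SteelApp help page shows ("26. SSL_RSA_WITH_RC4_128_SHA (0x00, 0x05)") and applies Apache-style '!' exclusions, which is the '!RC4' workflow asked about earlier and the "remove the DHE ciphers" question just above. The sample list is constructed; the cipher names follow the page's SSL_ naming convention, and the output is a plain list of names for pasting into ssl_ciphers (the exact separator the product expects is not assumed here).

```python
import re

# Constructed sample in the numbered "N. NAME (0xHH, 0xHH)" format the help
# page uses. These five entries are illustrative, not the product's defaults.
HELP_PAGE_SAMPLE = """\
1. SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC0, 0x2F)
2. SSL_DHE_RSA_WITH_AES_128_CBC_SHA (0x00, 0x33)
3. SSL_RSA_WITH_AES_256_CBC_SHA (0x00, 0x35)
4. SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x00, 0x16)
26. SSL_RSA_WITH_RC4_128_SHA (0x00, 0x05)
"""

LINE_RE = re.compile(
    r"^\s*\d+\.\s+(\S+)\s+\(0x([0-9A-Fa-f]{2}),\s*0x([0-9A-Fa-f]{2})\)"
)


def parse_help_list(text):
    """Return [(name, (byte1, byte2)), ...] in the order the page lists them."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            code = (int(m.group(2), 16), int(m.group(3), 16))
            ciphers.append((m.group(1), code))
    return ciphers


def cipher_tokens(name):
    """Split a suite name into algorithm tokens: RC4, DHE, 3DES, CBC, ..."""
    return set(name.replace("_WITH_", "_").split("_"))


def apply_exclusions(ciphers, exclusions):
    """Drop every suite whose tokens include an excluded one ('!RC4' -> 'RC4').

    Token matching is exact, so '!DHE' removes finite-field DHE suites (the
    ones SSL Labs flags for weak DH parameters) but keeps ECDHE, whose token
    is 'ECDHE'. Order of the surviving suites is preserved.
    """
    banned = {e.lstrip("!").upper() for e in exclusions}
    return [(n, c) for n, c in ciphers if not (cipher_tokens(n) & banned)]


def remaining_names(ciphers):
    return [n for n, _ in ciphers]


if __name__ == "__main__":
    kept = apply_exclusions(parse_help_list(HELP_PAGE_SAMPLE), ["!RC4", "!DHE"])
    for name, (b1, b2) in kept:
        print(f"{name} (0x{b1:02X}, 0x{b2:02X})")
```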
07-22-2015 07:08 AM
Reply From Juergen Luksch:
The System/global settings/SSL settings on the vTM should help:
The length in bits of the Diffie-Hellman key for ciphers that use Diffie-Hellman key agreement.
This setting determines the length of the key used in ephemeral Diffie-Hellman key agreement. It is only relevant for ciphers that use this key agreement algorithm, for example, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA. Longer keys mean more secure connections, but also more CPU load. If an export cipher is used (these are normally disabled), this setting is ignored and the length will be 512 bits.