12-02-2014 01:18 PM
The documentation says to check online help to get the list, but I can't find it anywhere. What information I can find is now quite dated. Is there an official page that details current cipher support information? If so can someone please link it? If not can someone please list our cipher options today?
12-04-2014 06:01 AM
You can use the command "$ZEUSHOME/zxtm/bin/zeus.zxtm --ciphers" to see the list of supported cipher suites.
For version 9.8 I get:
SSL3 Ciphers enabled by default:
Other ciphers (disabled by default):
The online help it is referring to is shown when you click the "Help" link at the top-right of the screen when viewing the System > Global Settings page.
12-04-2014 12:42 PM
Thanks, Richard. I see the list in help now. There is something that is still confusing though. Shouldn't SSL and TLS have different configs, including their cipher lists?
In Global Settings > SSL Configuration, a feature called ssl!ssl3_ciphers is where you configure a list, and the help says these are for SSL, obviously, but apparently TLS on SteelApp uses them too. My TLS1.2 connection to a SteelApp virtual server running HTTPS shows that the cipher I have configured for SSLv3 (there is only one for reasons I'll go into in a moment) is the one it's using.
Here's the rub. I need two cipher orders in this post-BEAST and POODLE world, one for TLS and one for SSL. We are trying to retire SSLv3, but for now because of some legacy systems we can't do that for everything. To mitigate the above mentioned vulnerabilities we've disabled all SSL CBC ciphers, which leaves us with RC4. RC4 is weak and it sucks, but we calculate that we're less likely to be hacked for using RC4 than we are using BEAST/POODLE-hackable CBC ciphers. The plan was to use SSL on RC4 and update our legacy services one at a time to TLS. But if I don't have another cipher list for TLS then even though my upgraded services are running TLS I'm still stuck with this old RC4 cipher.
The second reason it's weird is that IANA-registered TLS ciphers are supposed to start with SSL_ for SSL connections and TLS_ for TLS connections, right? I suppose this way you can create one list and put both kinds in there, hence my original question.
TL;DR: Is there a separate cipher list or set of TLS-specific cipher types that I can use in SteelApp to get the full advantages of TLS while limiting my risk with virtual servers that need SSL?
12-05-2014 02:57 AM
No problem, as you noticed the configuration item "ssl!ssl3_ciphers" and cipher suite names SSL_RSA_WITH_AES_128_CBC_SHA256 etc. apply to both TLS and SSL protocols. This is for consistency and historical reasons, although it does mean that the names we give to cipher suites don't match those in the TLS RFCs. The online help does include the two 8-bit numbers that identify each cipher suite on the wire, which you can cross-reference with the IANA registry here. As you can see from the registry IANA have the same TLS_ prefix for all ciphers regardless of which protocols they are available in; the same numbers are used for SSL3 & TLS1.0-1.2.
The traffic manager doesn't allow configuration of cipher suite preference per-protocol version, however depending on your need you may be able to achieve the same effect by using the per-pool and per-virtual server cipher suite configuration. The configuration item "ssl_ciphers" can be found in the Services > Pools > poolname > SSL Encryption and Services > Virtual Servers > vsname > SSL Decryption. By default these are blank and the global configuration is used.
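The following Python script is an added worked example (editor's code, not from the thread, the vendor, or the product's own tooling). It does the cross-reference the answer above describes: it maps the traffic manager's SSL_-prefixed suite names onto IANA's TLS_ names and code points, buckets each suite the way the question does (RC4 vs CBC vs AEAD), and shows how one ordered list can still yield different suites to an SSLv3 client and a TLS 1.2 client, because RFC 5246 (appendix A.5) and RFC 5288 forbid negotiating the SHA-256/SHA-384 and GCM suites below TLS 1.2. The IANA table is a hand-copied subset constructed for the example; the assumption that the server picks the first suite in its configured order that the client's protocol version permits is the editor's and must be verified against the product before relying on it.

```python
"""Cross-reference traffic-manager cipher-suite names with the IANA TLS registry.

Added example, not from the forum thread or the vendor. IANA_SUBSET is a hand-
copied subset of the IANA "TLS Cipher Suites" registry, constructed for this
script; the traffic manager's own names use an SSL_ prefix for the same code
points. The TLS 1.2 floor for SHA256/SHA384/GCM suites comes from RFC 5246
appendix A.5 and RFC 5288.
"""

# (hi, lo) on-the-wire bytes -> IANA name (constructed subset of the registry)
IANA_SUBSET = {
    (0x00, 0x04): "TLS_RSA_WITH_RC4_128_MD5",
    (0x00, 0x05): "TLS_RSA_WITH_RC4_128_SHA",
    (0x00, 0x0A): "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    (0x00, 0x2F): "TLS_RSA_WITH_AES_128_CBC_SHA",
    (0x00, 0x35): "TLS_RSA_WITH_AES_256_CBC_SHA",
    (0x00, 0x3C): "TLS_RSA_WITH_AES_128_CBC_SHA256",
    (0x00, 0x3D): "TLS_RSA_WITH_AES_256_CBC_SHA256",
    (0x00, 0x9C): "TLS_RSA_WITH_AES_128_GCM_SHA256",
    (0x00, 0x9D): "TLS_RSA_WITH_AES_256_GCM_SHA384",
    (0xC0, 0x13): "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    (0xC0, 0x14): "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    (0xC0, 0x2F): "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    (0xC0, 0x30): "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
BY_NAME = {name: code for code, name in IANA_SUBSET.items()}

# Protocol ordering used only for "is this suite allowed at this version" tests.
_VERSION_RANK = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}


def to_iana_name(tm_name):
    """Map a traffic-manager style SSL_... name to the IANA TLS_... name."""
    return "TLS_" + tm_name[4:] if tm_name.startswith("SSL_") else tm_name


def code_point(tm_name):
    """Return the (hi, lo) code point for a suite, or None if not in the subset."""
    return BY_NAME.get(to_iana_name(tm_name))


def code_point_str(tm_name):
    """Format the code point as the online help prints it, e.g. '0x00,0x3C'."""
    cp = code_point(tm_name)
    return None if cp is None else "0x%02X,0x%02X" % cp


def classify(tm_name):
    """Bucket a suite the way the question does: 'rc4', 'cbc', 'aead' or 'other'."""
    name = to_iana_name(tm_name)
    if "_RC4_" in name:
        return "rc4"
    if "_CBC_" in name:
        return "cbc"
    if "_GCM_" in name:
        return "aead"
    return "other"


def min_version(tm_name):
    """Lowest protocol version the suite may be negotiated on (RFC 5246 / RFC 5288)."""
    name = to_iana_name(tm_name)
    if name.endswith(("SHA256", "SHA384")) or "_GCM_" in name:
        return "TLS1.2"
    return "SSL3"


def first_negotiable(configured, client_max_version):
    """First suite in configured (server-preference) order usable at the client's
    best protocol version. ASSUMPTION: the server honours its own order and withholds
    TLS 1.2-only suites from older clients; verify this against the real product."""
    limit = _VERSION_RANK[client_max_version]
    for name in configured:
        if _VERSION_RANK[min_version(name)] <= limit:
            return name
    return None


def report(configured):
    """Summarise a configured list: per-suite code point, bucket, floor, and the
    suite each client generation would end up with."""
    rows = [(n, code_point_str(n), classify(n), min_version(n)) for n in configured]
    outcome = {v: first_negotiable(configured, v) for v in ("SSL3", "TLS1.2")}
    return {"suites": rows, "negotiated": outcome}


if __name__ == "__main__":
    # Example list: a modern AEAD suite first, RC4 as the SSLv3 fallback.
    example = ["SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "SSL_RSA_WITH_RC4_128_SHA"]
    for row in report(example)["suites"]:
        print("%-42s %-10s %-5s floor=%s" % row)
    for ver, suite in report(example)["negotiated"].items():
        print("client max %-6s -> %s" % (ver, suite))
```

Run it as-is to see the table for the two-suite example; substitute the list from `zeus.zxtm --ciphers` or from a virtual server's `ssl_ciphers` to check your own order. The point of `first_negotiable` is the one the question is circling: with a single ordered list you can still give TLS 1.2 clients an AEAD suite while SSLv3 legacy clients fall through to RC4, provided the server actually behaves as assumed, which is the thing to confirm with a test client against each virtual server.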