Anu_Cherian

Disable 3DES completely in GAIA

Hi All,

We have a requirement to disable DES and 3DES completely. I have followed sk111307 to disable 3DES but still was able to connect while running this command,

# openssl s_client -connect ip_address:443 -cipher DES-CBC3-SHA

CONNECTED(00000003)
depth=1 O = FW1..a382gg

.........edited for brevity....
verify error:num=19:self signed certificate in certificate chain

New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DES-CBC3-SHA

So sk111307 did not solve my requirement. Then I made changes as per sk113114, and after running the command it looks like the connection is not successful.

# openssl s_client -connect ip_address:443 -cipher DES-CBC3-SHA

CONNECTED(00000003)
140735800738760:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_clnt.c:541:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 100 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

*****************************************

#FW is restarted

How can I ensure that 3DES is disabled and not reachable under any security testing? I also want to force the use of TLSv1.2. By default TLSv1 was enabled, which was disabled by deleting TLSv1 from /web/templates/httpd-ssl.conf.templ and retaining TLSv1.1 and TLSv1.2.


Re: Disable 3DES completely in GAIA

I believe you are in good shape after following sk113114 and enabling TLSv1.2.


Re: Disable 3DES completely in GAIA

Following the steps in sk111307 should handle it. Your /web/templates/httpd-ssl.conf.templ file should look something like this:

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5:!3DES

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
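The question above asks how to be sure 3DES and old TLS versions are really gone, and the reply gives the SSLCipherSuite/SSLProtocol lines to deploy. The script below is an added example, not code from the original post, from Check Point or from either SK: it checks the cipher string against the local OpenSSL before it is deployed, then runs the same `openssl s_client` probes the poster used and reads the result back mechanically instead of by eye. The hostname is a placeholder; `classify_handshake` relies only on the `New, <proto>, Cipher is <name>` line that appears in the captured output above.

```shell
#!/bin/sh
# Added example (not from the CheckMates post or from Check Point): verify a
# Gaia web portal rejects DES/3DES and TLS < 1.2. HOST is a placeholder.

# Pull the negotiated cipher out of captured `openssl s_client` output.
# s_client prints "New, <proto>, Cipher is <name>" on success and
# "New, (NONE), Cipher is (NONE)" when the server refused the handshake.
# Prints "accepted:<cipher>", "rejected", "client-refused" (the local
# openssl would not even offer the requested cipher) or "unknown".
classify_handshake() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case "$cipher" in
        "(NONE)") echo rejected ;;
        "")
            if printf '%s\n' "$1" | grep -q 'no cipher match'; then
                echo client-refused
            else
                echo unknown
            fi ;;
        *) echo "accepted:$cipher" ;;
    esac
}

# Run one probe against $HOST:$PORT. $1 holds extra s_client arguments such
# as "-cipher DES-CBC3-SHA" or "-tls1_1". stdin is closed so s_client exits
# right after the handshake instead of waiting for data to send.
probe() {
    # $1 is intentionally unquoted so it splits into separate flags
    out=$(openssl s_client -connect "$HOST:$PORT" $1 </dev/null 2>&1)
    classify_handshake "$out"
}

# Expand an Apache SSLCipherSuite string with the local OpenSSL and report
# whether any DES or 3DES suite survives. Prints "yes", "no" or "error"
# (the string was not accepted, e.g. a typo in a keyword).
cipherlist_has_3des() {
    list=$(openssl ciphers -v "$1" 2>/dev/null) || { echo error; return 1; }
    if printf '%s\n' "$list" | grep -Eq 'DES-CBC3|Enc=3?DES'; then
        echo yes
    else
        echo no
    fi
}

main() {
    HOST="${1:-gateway.example.internal}"   # placeholder, not a real gateway
    PORT="${2:-443}"
    # The cipher string from the reply above, checked before it is deployed.
    echo "SSLCipherSuite still contains DES/3DES: $(cipherlist_has_3des 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5:!3DES')"
    # On a correctly hardened portal the first four probes print "rejected"
    # and only the TLSv1.2 probe prints "accepted:<non-DES cipher>".
    for args in "-cipher DES-CBC3-SHA" "-cipher DES-CBC-SHA" "-tls1" "-tls1_1" "-tls1_2"; do
        printf '%-22s %s\n' "$args" "$(probe "$args")"
    done
}

# Live probes run only when a host is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh probe.sh <gateway-ip> 443` from a machine that can reach the portal. Two things worth knowing when reading the output: a modern OpenSSL client may refuse to offer 3DES at all (shown as `client-refused`, which says nothing about the server), and if the gateway also speaks TLS 1.3 the server can answer a `-cipher` probe with a TLS 1.3 suite, which is why the script prints the negotiated cipher name rather than a bare pass/fail; add `-no_tls1_3` to the probe arguments on OpenSSL 1.1.1 or later to rule that out.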