Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
G_W_Albrecht
Legend
Legend

Gaia Portal SSL cipher suites

sk147272 currently is the suggested procedure to remove vulnerable ssl ciphers and protocols. The sk120774 and sk111307 does a reboot instead of the final steps, sk163542 only shows the current status and sk126613 is using the cipher tool that only works with MultiPortal enabled. I have summed up information from several source to get it discussed here:

1. First, see the active ciphers:

more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

2. So we know how to ask for TLS versions:

cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1
TLSv1.2
TLSv1.3

After a backup of the original template file:

[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL

3. Assign the 'write' permission to the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

4. Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

5. In the section, change:

from:

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

To:

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

(from sk147272 - used in the following parts): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

Notes:

see the active ciphers:

more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

[Expert@HostName:0]# cpopenssl ciphers -v 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1.2
TLSv1.3

Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# chmod -v u-w /web/templates/httpd-ssl.conf.templ

9. Update the current configuration of the HTTPD daemon based on the modified configuration template:

[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active

10. Restart the HTTPD daemon:

[Expert@HostName:0]# tellpm process:httpd2

[Expert@HostName:0]# tellpm process:httpd2 t

CCSE CCTE SMB Specialist
6 Replies
Vladimir
Champion
Champion

@G_W_Albrecht , I suppose it'll work on SMS as well.

Did you try running cipher_util afterwards to see if its output matching your modifications?

Cheers,

Vladimir

0 Kudos
G_W_Albrecht
Legend
Legend

Yes, this is for GW or SMS. On GW, cipher_util works and shows:

Enabled:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

 

CCSE CCTE SMB Specialist
0 Kudos
Vladimir
Champion
Champion

Thank you!

0 Kudos
G_W_Albrecht
Legend
Legend

What puzzles me is the difference here:

(from sk147272): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

What about no Medium:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

Anyone found a link to mod_ssl syntax not from 2001 ?

CCSE CCTE SMB Specialist
0 Kudos
Vladimir
Champion
Champion

I was not looking at it specifically, but let's loop in @PhoneBoy to see if he knows...

0 Kudos
G_W_Albrecht
Legend
Legend

I found it here: https://httpd.apache.org/docs/current/mod/mod_ssl.html

The interesting part:

Aliases:
SSLv3 all SSL version 3.0 ciphers
TLSv1 all TLS version 1.0 ciphers
EXP all export ciphers
EXPORT40 all 40-bit export ciphers only
EXPORT56 all 56-bit export ciphers only
LOW all low strength ciphers (no export, single DES)
MEDIUM all ciphers with 128 bit encryption
HIGH all ciphers using Triple-DES
RSA all ciphers using RSA key exchange
DH all ciphers using Diffie-Hellman key exchange
EDH all ciphers using Ephemeral Diffie-Hellman key exchange
ECDH Elliptic Curve Diffie-Hellman key exchange
ADH all ciphers using Anonymous Diffie-Hellman key exchange
AECDH all ciphers using Anonymous Elliptic Curve Diffie-Hellman key exchange
SRP all ciphers using Secure Remote Password (SRP) key exchange
DSS all ciphers using DSS authentication
ECDSA all ciphers using ECDSA authentication

 

So combining both from above excluding 128 bit encryption would read:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RSA:+HIGH:!ADH:!EXP:!ECDSA:!aECDH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

 

CCSE CCTE SMB Specialist
0 Kudos