
Disable 3DES completely in GAIA

Hi All,

We have a requirement to disable DES and 3DES completely. I have followed sk111307 to disable 3DES but was still able to connect when running this command:

# openssl s_client -connect ip_address:443 -cipher DES-CBC3-SHA

depth=1 O = FW1..a382gg

.........edited for brevity....
verify error:num=19:self signed certificate in certificate chain

New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : DES-CBC3-SHA

So sk111307 did not solve my requirement. Then I made changes as per sk113114, and after running the command it looks like the connection is not successful.

# openssl s_client -connect ip_address:443 -cipher DES-CBC3-SHA

140735800738760:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 100 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated


#FW is restarted

How can I ensure that 3DES is disabled and not reachable under any security testing? I also want to force the use of TLSv1.2. By default TLSv1 was enabled, which was disabled by deleting TLSv1 from /web/templates/httpd-ssl.conf.templ and retaining TLSv1.1 and TLSv1.2.

0 Kudos
2 Replies

I believe you are in good shape after following sk113114 and enabling TLSv1.2.

0 Kudos

Following the steps in sk111307 should handle it.  Your /web/templates/httpd-ssl.conf.templ file should look something like this:

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5:!3DES

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
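
One way to repeat the s_client check from the question across protocol versions, added here as an example that is not part of the thread. The function names are hypothetical, and it assumes the testing host's openssl build still includes 3DES suites; many newer builds omit them, in which case a failed handshake says nothing about the gateway.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not Check Point tooling.

# Read `openssl s_client` output on stdin and print one verdict:
#   ACCEPTED <cipher>  a suite was negotiated
#   REJECTED           handshake ended without a suite
#   UNKNOWN            no summary line at all (TCP failure, bad option, ...)
classify_s_client() {
    awk '
        /Cipher is \(NONE\)/  { r = "REJECTED" }
        /Cipher is [A-Z0-9]/  { sub(/.*Cipher is /, ""); r = "ACCEPTED " $0 }
        END { print (r == "" ? "UNKNOWN" : r) }
    '
}

# probe_3des HOST PORT: offer only 3DES suites, once per protocol version.
# Returns 0 if nothing was accepted, 1 if any 3DES suite was negotiated,
# 2 if this client cannot offer 3DES (its failures would prove nothing).
probe_3des() {
    host=$1; port=$2; rc=0
    if ! openssl ciphers 3DES 2>/dev/null | grep -q 'DES-CBC3'; then
        echo "local openssl has no 3DES suites; use a build that does" >&2
        return 2
    fi
    for proto in tls1 tls1_1 tls1_2; do
        verdict=$(openssl s_client -connect "$host:$port" "-$proto" \
                      -cipher 3DES </dev/null 2>&1 | classify_s_client)
        echo "$proto: $verdict"
        case $verdict in ACCEPTED*) rc=1 ;; esac
    done
    return $rc
}

# Summary lines from the two s_client runs quoted in the thread.
printf 'New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA\n' | classify_s_client
printf 'New, (NONE), Cipher is (NONE)\n' | classify_s_client
```

Run `probe_3des ip_address 443` after each configuration change and again after a restart; an UNKNOWN verdict means the probe itself did not complete and needs a manual look.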