Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CyberBreaker
Contributor
Jump to solution

Disable Weak Ciphers for Smart-1

Hello Guys,

I believed it is possible to disable weak ciphers for the security gateway but how about for the security management (smart-1)? I searched over the some data but I always saw the procedure for the security gateways.

Anyone here knows how to disable weak ciphers for smart-1?

Thank you very much for the great help.

 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion

Hi @CyberBreaker,

Use the following comand to see all posible ciphers:

# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'

1) Back up the current /web/templates/httpd-ssl.conf.templ file:

# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_backup

2) Assign the 'write' permission to the file:

# ls -l /web/templates/httpd-ssl.conf.templ

# chmod u+w /web/templates/httpd-ssl.conf.templ

# ls -l /web/templates/httpd-ssl.conf.templ

3) Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

       >>>  In the section "SSL Cipher Suite" change the chihper:

       # SSL Cipher Suite:
       # Add your chiper:

       SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-  SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

        4) Restart the httpd
               # tellpm process:httpd2

 

 

➜ CCSM Elite, CCME, CCTE

View solution in original post

6 Replies
HeikoAnkenbrand
Champion Champion
Champion

Hi @CyberBreaker,

Use the following comand to see all posible ciphers:

# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'

1) Back up the current /web/templates/httpd-ssl.conf.templ file:

# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_backup

2) Assign the 'write' permission to the file:

# ls -l /web/templates/httpd-ssl.conf.templ

# chmod u+w /web/templates/httpd-ssl.conf.templ

# ls -l /web/templates/httpd-ssl.conf.templ

3) Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

       >>>  In the section "SSL Cipher Suite" change the chihper:

       # SSL Cipher Suite:
       # Add your chiper:

       SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-  SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

        4) Restart the httpd
               # tellpm process:httpd2

 

 

➜ CCSM Elite, CCME, CCTE
CyberBreaker
Contributor

Hi @HeikoAnkenbrand ,

Thanks for the help, I will try this.

Is this for HTTPS and SSH as well? Is there's SK document for this one?

Thanks

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi @G_W_Albrecht ,

this sk is only for gatways not for SMS.

sk126613: Cipher configuration tool for R80.x Gateways

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
0 Kudos
G_W_Albrecht
Legend
Legend

Yes, very true ! It is the two other SKs that concern pure SMS.

CCSE CCTE CCSM SMB Specialist
0 Kudos
genisis__
Leader Leader
Leader

Here is what I did:

clear
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
chmod u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:!RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.2 +TLSv1.3/g' /web/templates/httpd-ssl.conf.templ
chmod u-w /web/templates/httpd-ssl.conf.templ
/bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
tellpm process:httpd2
tellpm process:httpd2 t
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.

I then ran an sslscan against the IP which resulted in only TLSv1.3 being seen.

Testing SSL server aa.bb.cc.dd on port 443 using SNI name aa.bb.cc.dd

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 enabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.3 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253

Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448

 

What I'm not sure about is if this procedure would need to run again after updating the jumbo.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events