
Disable 3DES completely in GAIA

Question asked by Anu Cherian on Jun 28, 2018
Latest reply on Jun 28, 2018 by Corey Augustine

Hi All,


We have a requirement to disable DES and 3DES completely. I have followed sk111307 to disable 3DES but still was able to connect while running this command,

# openssl s_client -connect ip_address:443 -cipher DES-CBC3-SHA

CONNECTED(00000003)
depth=1 O = FW1..a382gg

.........edited for brevity....
verify error:num=19:self signed certificate in certificate chain

New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DES-CBC3-SHA


So sk111307 did not solve my requirement. Then I made changes as per sk113114, and after running the command it looks like the connection is not successful.


# openssl s_client -connect ip_address:443 -cipher DES-CBC3-SHA

CONNECTED(00000003)
140735800738760:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_clnt.c:541:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 100 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---


*****************************************

#FW is restarted

How can I ensure that 3DES is disabled and not reachable under any security testing? I also want to force the use of TLSv1.2. By default TLSv1 was enabled, which I disabled by deleting TLSv1 from /web/templates/httpd-ssl.conf.templ and retaining TLSv1.1 and TLSv1.2.
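One way to turn the manual openssl s_client check above into a repeatable audit, as an added example that is not part of the original post or of Check Point's tooling: each probe offers the portal exactly one legacy cipher (or only TLSv1.0) and the verdict is read from the s_client output, so a refusal is distinguished from a successful negotiation and from a probe that never reached the handshake. It assumes openssl is on PATH and the portal listens on 443; the cipher names other than DES-CBC3-SHA and the -tls1 probe are my additions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Gaia web portal for legacy
# ciphers and protocols with openssl s_client, judging each probe from its output.
# The two constructed samples below mirror the outputs shown in the question.

SAMPLE_NEGOTIATED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Protocol  : TLSv1.2
Cipher    : DES-CBC3-SHA'

SAMPLE_REJECTED='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'

# judge_probe OUTPUT ACCEPT_REGEX
# 0 = server refused the offer, 1 = server accepted it (ACCEPT_REGEX matched),
# 2 = inconclusive (no handshake at all, e.g. connection refused or timeout).
judge_probe() {
    if printf '%s\n' "$1" | grep -Eq "$2"; then return 1; fi
    if printf '%s\n' "$1" | grep -Eq 'alert handshake failure|alert protocol version|wrong version number|Cipher is \(NONE\)'; then
        return 0
    fi
    return 2
}

# probe HOST PORT CIPHER [PROTO_FLAG]: offer a single cipher (and optionally a
# single protocol version) so the server cannot fall back to anything else.
probe() {
    openssl s_client -connect "$1:$2" -cipher "$3" ${4:-} </dev/null 2>&1
}

# audit_portal HOST PORT: OpenSSL names for DES/3DES suites; DES-CBC3-SHA is the
# one used in the question. Exit status is non-zero if anything was accepted.
audit_portal() {
    rc=0
    for c in DES-CBC3-SHA DES-CBC-SHA EDH-RSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA; do
        out=$(probe "$1" "$2" "$c")
        r=0; judge_probe "$out" "Cipher is $c" || r=$?
        case $r in 0) echo "PASS  $c refused";; 1) echo "FAIL  $c negotiated"; rc=1;; *) echo "SKIP  $c inconclusive";; esac
    done
    # TLSv1.0 must be refused regardless of cipher (the post removes it from httpd-ssl.conf.templ)
    out=$(probe "$1" "$2" ALL -tls1)
    r=0; judge_probe "$out" 'Protocol *: TLSv1$' || r=$?
    case $r in 0) echo "PASS  TLSv1.0 refused";; 1) echo "FAIL  TLSv1.0 negotiated"; rc=1;; *) echo "SKIP  TLSv1.0 inconclusive";; esac
    return $rc
}

# Pass a host (and optional port) to run a live audit against the portal.
if [ $# -ge 1 ]; then audit_portal "$1" "${2:-443}"; fi
```

A SKIP line means the probe never completed a handshake (for example an OpenSSL build without that cipher), so it should be re-run rather than read as a pass.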
