Forum Discussion
SSL Profile cipher elimination
A customer reported having used a Nessus scan to detect "vulnerable" ciphers being allowed on their virtual. They requested I restrict these ciphers:
EXP-DES-CBC-SHA; EXP-RC2-CBC-MD5; EXP-RC4-MD5; DES-CBC-SHA; RC4-MD5; RC4-SHA; RC4-SHA
I attempted to do this by adding this statement to the cipher field of the SSL profile:
DEFAULT:!SSLv3:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!DES-CBC-SHA:!RC4-MD5:!RC4-SHA
However, I received an error of:
Invalid keyword 'cipher_name' in ciphers list for profile /partition_name/profile_name
for five of the six ciphers, only RC4-SHA was allowed. How do I restrict these other ciphers?
6 Replies
- RayThomsen_7557
Nimbostratus
By the way, this is in version 11.4.1 Build 651.0 Hotfix HF5. Okay, looking about I see that DES-CBC-SHA and EXP-DES-CBC-SHA are included in the DES group. But apparently you can't restrict the ciphers in that group individually?
- RayThomsen_7557
Nimbostratus
It looks like I can get DES-CBC-SHA and EXP-DES-CBC-SHA by excluding the DES group:

tmm --clientciphers DES
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 9 DES-CBC-SHA 64 SSL3 Native DES SHA RSA
1: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
2: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA
3: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA
4: 98 EXP1024-DES-CBC-SHA 56 SSL3 Native DES SHA RSA
5: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA
6: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA
7: 8 EXP-DES-CBC-SHA 40 SSL3 Native DES SHA RSA
8: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
9: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 SSL3 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
12: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
13: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA

And the RC4-MD5 and EXP-RC4-MD5 by excluding the MD5 group:

tmm --clientciphers MD5
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
1: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
2: 4 RC4-MD5 128 TLS1.1 Native RC4 MD5 RSA
3: 4 RC4-MD5 128 TLS1.2 Native RC4 MD5 RSA
4: 3 EXP-RC4-MD5 40 SSL3 Native RC4 MD5 RSA
5: 3 EXP-RC4-MD5 40 TLS1 Native RC4 MD5 RSA

And the cipher field took the exclusion of RC4-SHA, so all that's left is to figure out how to exclude EXP-RC2-CBC-MD5.
- Brad_Parker
Cirrus
DEFAULT:!SSLv3:!EXPORT:!MD5:!DES should do the trick for you.
- Brad_Parker
Cirrus
DEFAULT:!SSLv3:!EXPORT:!MD5:!DES:!RC4. Just saw you didn't want RC4 either.
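A small check script, added here and not part of the thread, that models how the exclusion keywords in the reply above prune a tmm --clientciphers listing and reports which of the scanner-flagged suites survive. The listing rows (the EXP-RC2-CBC-MD5 row in particular) are constructed in the column layout shown earlier in the thread, and the keyword-to-column mapping is an assumption drawn from the groupings observed here, not tmm's own evaluator.

```python
# Constructed sample in the layout shown in the thread (ID SUITE BITS PROT
# METHOD CIPHER MAC KEYX); the rows are illustrative, not a real capture.
SAMPLE_LISTING = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
1: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
2: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
3: 3 EXP-RC4-MD5 40 TLS1 Native RC4 MD5 RSA
4: 6 EXP-RC2-CBC-MD5 40 TLS1 Native RC2 MD5 RSA
5: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
6: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
"""

FLAGGED = ["EXP-DES-CBC-SHA", "EXP-RC2-CBC-MD5", "EXP-RC4-MD5",  # from the question
           "DES-CBC-SHA", "RC4-MD5", "RC4-SHA"]

def parse_listing(text):
    """One dict per suite/protocol row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 9 and p[0].endswith(":"):
            rows.append({"suite": p[2], "bits": int(p[3]), "prot": p[4],
                         "cipher": p[6], "mac": p[7], "keyx": p[8]})
    return rows

# Keyword -> predicate, assumed from the groupings seen in the thread: EXPORT is
# EXP-prefixed suites, DES/RC4 match the CIPHER column, MD5 the MAC column.
GROUPS = {
    "SSLv3": lambda r: r["prot"] == "SSL3",
    "EXPORT": lambda r: r["suite"].startswith("EXP"),
    "MD5": lambda r: r["mac"] == "MD5",
    "DES": lambda r: r["cipher"] == "DES",
    "RC4": lambda r: r["cipher"] == "RC4",
}

def apply_cipher_string(rows, cipher_string):
    """Prune rows with each '!keyword' of a DEFAULT:!a:!b string (a model, not tmm)."""
    tokens = cipher_string.split(":")
    if tokens[0] != "DEFAULT" or any(not t.startswith("!") for t in tokens[1:]):
        raise ValueError("only DEFAULT followed by '!' exclusions is modelled")
    for name in (t[1:] for t in tokens[1:]):
        # A known group keyword; anything else is treated as a literal suite name.
        pred = GROUPS.get(name) or (lambda r, n=name: r["suite"] == n)
        rows = [r for r in rows if not pred(r)]
    return rows

def flagged_still_enabled(rows, flagged=FLAGGED):
    """Scanner-flagged suites that survive the exclusions (should be empty)."""
    enabled = {r["suite"] for r in rows}
    return sorted(s for s in flagged if s in enabled)
```

Feed it a real `tmm --clientciphers <cipher string>` capture instead of the sample to confirm the flagged suites are gone before the profile change goes live.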