weak cipher blocking in ACE20

tharunraj22
Level 1

I tried to create an L7 class-map for blocking clients with a cipher strength of less than 128 on an ACE20 running software version A2(2.3).

But there was no command inside the L7 class-map called cipher for matching a cipher strength of 128. The command I tried to issue was

host1/Admin(config-cmap-http-lb)#match cipher less-than 128

So I want to know whether this is possible on the ACE 20 with SW version A2(2.3). Kindly suggest a way to achieve this.

I have seen some other configurations using the parameter-map, but I don't know which cipher names to allow. I want to drop all connections with less than 128 bits of cipher strength.

Can anyone help with this?

Tharun

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

By default all available ciphers will be allowed. Those are:

– RSA_EXPORT1024_WITH_DES_CBC_SHA
– RSA_EXPORT1024_WITH_RC4_56_MD5
– RSA_EXPORT1024_WITH_RC4_56_SHA
– RSA_EXPORT_WITH_DES40_CBC_SHA
– RSA_EXPORT_WITH_RC4_40_MD5
– RSA_WITH_3DES_EDE_CBC_SHA
– RSA_WITH_AES_128_CBC_SHA
– RSA_WITH_AES_256_CBC_SHA
– RSA_WITH_DES_CBC_SHA
– RSA_WITH_RC4_128_MD5
– RSA_WITH_RC4_128_SHA

To narrow that down, create a parameter-map that specifies only the strong ones. Then apply that PMAP using the ssl advanced-options keyword in your ssl-proxy service section. Something like this:

parameter-map type ssl _SSL_PMAP
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA

ssl-proxy service _SSL
  key
  cert
  chaingroup
  ssl advanced-options _SSL_PMAP

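As an added example (not from this thread or from Cisco), here is a small Python script that derives the bulk-cipher key length from the suite names Marvin listed and renders the parameter-map stanza for the suites at or above a chosen threshold. Note that the plain >=128 filter also keeps RSA_WITH_AES_256_CBC_SHA, which the hand-written map above omits, and that 3DES is counted at its nominal 168 bits; the cipher list itself is embedded as constructed data, and the function names are this example's own.

```python
import re

# The default cipher list quoted in the accepted answer (embedded as data).
DEFAULT_CIPHERS = [
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
]

def symmetric_key_bits(cipher: str) -> int:
    """Nominal bulk-cipher key length encoded in an SSL cipher-suite name."""
    # Only the part after WITH_ matters; EXPORT/EXPORT1024 describes the RSA
    # key exchange, not the session key.
    bulk = cipher.split("_WITH_", 1)[1]
    if bulk.startswith("3DES_EDE"):
        return 168  # three 56-bit keys; effective strength is about 112 bits
    if bulk.startswith("DES40"):
        return 40
    if bulk.startswith("DES_"):
        return 56
    m = re.match(r"(?:AES|RC4)_(\d+)_", bulk)
    if m:
        return int(m.group(1))
    raise ValueError(f"unrecognised bulk cipher in {cipher}")

def strong_ciphers(ciphers, minimum_bits=128):
    """Suites whose nominal key length meets the threshold."""
    return [c for c in ciphers if symmetric_key_bits(c) >= minimum_bits]

def ssl_parameter_map(name, ciphers, minimum_bits=128):
    """Render the ACE 'parameter-map type ssl' stanza for the strong suites."""
    lines = [f"parameter-map type ssl {name}"]
    lines += [f"  cipher {c}" for c in strong_ciphers(ciphers, minimum_bits)]
    return "\n".join(lines)

def is_blocked(client_cipher, ciphers, minimum_bits=128):
    """True when a client offering only this suite would be refused by the map."""
    return client_cipher not in strong_ciphers(ciphers, minimum_bits)

if __name__ == "__main__":
    print(ssl_parameter_map("_SSL_PMAP", DEFAULT_CIPHERS))
```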

5 Replies

Hi Marvin,

Is it possible to create a class-map with an SSL parameter on the ACE 20 with SW version A2(2.3)?

I have seen the sorted list of the strong ciphers. Are those all greater than 128 bits? By creating this parameter map, will it affect any users coming in with more than 128 bits of cipher strength?

Tharun

Actually I adapted my commands above from an ACE-20 I had running A2(1.6a). They should be fine on an ACE-20 with A2(2.3) as well.

Users with ciphers greater than or equal to 128 bits will not be affected by the above. Users presenting requests with less than 128-bit ciphers will not be able to make the SSL connection.

Parameter mapping is working fine on the device, but I want to know whether I can create an L7 class-map for blocking clients with a cipher strength of less than 128 on an ACE20 running software version A2(2.3).

But there was no command inside the L7 class-map called cipher for matching a cipher strength of 128. The command I tried to issue was

host1/Admin(config-cmap-http-lb)#match cipher less-than 128

Thanks

Hi Tharun,

If the ciphers requested by the customer are not in the SSL parameter map you defined, then the connection would be blocked. There is no need for an L7 class-map to do this (and in fact, it's not possible to use one).

Daniel