04-04-2013 01:57 PM - edited 03-18-2019 12:53 AM
Cisco,
Anyone from Cisco care to comment and or explain this for me?
"We have VCS Express v7.2.1 that according to the release notes supports “TLS 1.1 and 1.2 have been enabled in Apache” which means the device supports strong Ciphers. However, per a Vuln scan, it appears the device also supports the older SSL v3.0 & TLSv1.0 and specifically the insecure CBC (cipher block chaining) cipher. Is there any way to disable or remove altogether support for CBC (cipher block chaining) ciphers in the SSLv3.0/TLS1.0 implementations?"
Thank you,
Justin Ferello
Technical Support Specialist
KBZ, a Cisco Authorized Distributor
http://www.kbz.com
e/v: justin.ferello@kbz.com
04-04-2013 02:26 PM
Hi Justin,
I'll get you a couple of config lines you can put in tomorrow when I'm back in the office.
The VCS does support TLS 1.1 and 1.2 but very few browsers do. You can do some Apache config so that it only uses the newer ciphers, and possibly RC4 too if you want to support browsers which don't do TLS1.1/1.2.
Thanks,
Guy
04-05-2013 12:04 AM
Hi Justin,
On the VCS, create a file with these two lines:
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!ADH:!aNULL
Put the file into /tandberg/etc/opt/apache2/ssl.d/ and then restart Apache (/etc/init.d/httpd restart).
This allows us to offer some TLSv1.2 ciphers first and then RC4-SHA which is a SSLv3 stream rather than block cipher, before the HIGH ciphers.
Thanks,
Guy
04-05-2013 06:26 AM
Guy,
Thanks for the quick response on this, really appreciate it. So this will disable CBC, right?
What should the file be named?
Also, what if they do not want to support RC4? Just remove that from the line above?
Thank you,
Justin Ferello
04-05-2013 06:57 AM
It'll put SSLv3 / TLSv1.0 CBC ciphers that fall into the HIGH category at the bottom of the list and honours cipher order - it will pass the Qualys SSL Server Test - https://www.ssllabs.com/ssltest/index.html - for BEAST.
I guess you could remove HIGH, but that would leave you with only RC4 and some TLS1.2 ciphers. If they don't want RC4 too, that can be removed, but they are likely to be very limited on what browser they can use. Firefox doesn't do anything above TLS 1.0 for a start.
It kind of depends what you need to achieve.
This file can be called anything. When I've put this in, in the past, I've always called it beast.conf, but I believe Apache will check for anything in that directory when it starts up.
Thanks,
Guy
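As an added example (not from this thread, Cisco or the VCS), a small simulation of what SSLHonorCipherOrder On does with a cipher list for clients of different TLS versions, including the question above about dropping RC4. The sample entries are constructed in the shape Python's ssl.SSLContext.get_ciphers() returns; openssl_order() resolves a string against the local OpenSSL, whose build decides whether RC4-SHA is still available at all.

```python
"""Simulate which cipher an Apache mod_ssl server with SSLHonorCipherOrder On picks."""
import ssl

# Rank of each protocol so a suite's minimum version can be compared to the client's best.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

def is_cbc(cipher):
    """True for block ciphers in CBC mode ('symmetric' uses OpenSSL cipher names,
    as ssl.SSLContext.get_ciphers() reports them, e.g. 'aes-128-cbc')."""
    return (cipher.get("symmetric") or "").lower().endswith("-cbc")

def server_choice(ordered_ciphers, client_max):
    """With SSLHonorCipherOrder On the server walks its own list and takes the
    first suite the client can use; a suite whose minimum protocol is newer than
    the client's best version is skipped. Assumes the client offers all of them."""
    for cipher in ordered_ciphers:
        if PROTO_RANK[cipher["protocol"]] <= PROTO_RANK[client_max]:
            return cipher
    return None

def beast_exposed(ordered_ciphers, client_max):
    """BEAST needs CBC on SSLv3/TLS 1.0; TLS 1.1+ sends an explicit IV per record,
    so a CBC suite negotiated at TLS 1.2 (ECDHE-RSA-AES128-SHA256) is not exposed."""
    choice = server_choice(ordered_ciphers, client_max)
    return choice is not None and is_cbc(choice) and PROTO_RANK[client_max] <= PROTO_RANK["TLSv1"]

def openssl_order(cipher_string):
    """Resolve a cipher string with the local OpenSSL into the server's order,
    minus TLS 1.3 suites, which SSLCipherSuite does not govern."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

# Constructed sample in the shape of get_ciphers() output, in the order the
# thread's SSLCipherSuite line yields: TLS 1.2-only suites, RC4-SHA, then HIGH CBC.
SAMPLE_ORDER = [
    {"name": "ECDHE-RSA-AES128-SHA256", "protocol": "TLSv1.2", "symmetric": "aes-128-cbc"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "symmetric": "aes-128-gcm"},
    {"name": "RC4-SHA", "protocol": "SSLv3", "symmetric": "rc4"},
    {"name": "AES256-SHA", "protocol": "SSLv3", "symmetric": "aes-256-cbc"},
]
NO_RC4 = [c for c in SAMPLE_ORDER if c["symmetric"] != "rc4"]  # the "remove RC4" variant

if __name__ == "__main__":
    for label, order in (("with RC4", SAMPLE_ORDER), ("RC4 removed", NO_RC4)):
        for client in ("TLSv1", "TLSv1.2"):
            pick = server_choice(order, client)
            print(f"{label:12} {client:8} -> {pick['name']:26} BEAST-exposed={beast_exposed(order, client)}")
```

The output shows the point of the reply above: with RC4 present a TLS 1.0 client gets a stream cipher, and with RC4 removed it falls through to a HIGH CBC suite.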
04-05-2013 07:14 AM
Guy,
Thanks again!
Thank you,
Justin Ferello
04-05-2013 11:21 AM
Guy,
I put this on my VCS and found that certain calls were failing. I thought this would only affect Apache, which would be the web management portal, right? As soon as I removed the conf file and restarted httpd these failed calls started working.
Thank you,
Justin Ferello
04-05-2013 11:46 AM
Oh, that's very strange, we are running this in our office and not seeing any problems, and I know a couple of customers put it in too.
I'd only expect it to affect Apache too, though we may use Apache internally for certain things. Are the calls using any CPL or anything else that's not just a straight A to B call with search rules? What VCS version is this? And did you put in the lines as above or alter them?
I'm out on training next week, but I'll forward the email on to Tomo, and hope he could take a look at this.
Sorry about that, I wasn't expecting it to have any bad effects as we'd been running fine with it.
Thanks,
Guy
04-05-2013 12:48 PM
Guy,
Thanks for the feedback. I did use a different line though, one that was suggested by the link you posted:
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Maybe that had something to do with it? I will try the exact one you put and try the test again.
Thank you,
Justin Ferello