03-10-2015 08:59 AM
Hi,
I am wondering if it is possible to configure the SSL/TLS version used by the WSA to establish HTTPS connections to remote webservers.
(e.g. no SSLv2, no SSLv3, TLSv1, TLSv1.1, TLSv1.2)
Which versions are supported in general? (in the 8.0.7 and in the 8.5.1 releases?)
Is there another option to limit the usage of cipher suites as well? Currently the cipher suites listed below are obviously supported and used. Some of them definitely lack the desired level of security and are known to be vulnerable to certain attacks.
TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
TLS_RSA_WITH_AES_256_CBC_SHA |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA |
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
TLS_RSA_WITH_AES_128_CBC_SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA |
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA |
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA |
TLS_RSA_WITH_IDEA_CBC_SHA |
TLS_ECDHE_RSA_WITH_RC4_128_SHA |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
TLS_RSA_WITH_RC4_128_SHA |
TLS_RSA_WITH_RC4_128_MD5 |
TLS_DHE_RSA_WITH_DES_CBC_SHA |
TLS_DHE_DSS_WITH_DES_CBC_SHA |
TLS_RSA_WITH_DES_CBC_SHA |
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA |
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA |
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA |
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |
TLS_RSA_EXPORT_WITH_RC4_40_MD5 |
TLS_RENEGO_PROTECTION_REQUEST |
Kind regards,
Thomas
03-26-2015 04:05 AM
As far as I have figured out, there is no support for TLS 1.1 and 1.2, which is kind of embarrassing in 2015. All major browsers supported TLS 1.2 early 2014.
I'm told unofficially that support will come in release 9. However, no one can say when that release will be available, even in beta.
03-26-2015 07:07 AM
Meanwhile I found some more information about cipher suites and SSL protocol versions supported and used by the WSA.
The cipher suites are listed in the first posting.
Their usage cannot be configured in detail, but it seems as if enabling the "FIPS mode" limits the cipher suites which are used. A problem which remains: Cisco could not tell me which ciphers are enabled or disabled exactly.
Here are some results:
From the AsyncOS for Web 8.0 and 8.5 user guide:
“FIPS Compliance
Federal Information Processing Standards (FIPS) specify requirements for cryptographic modules that are used by all government agencies to protect sensitive but unclassified information.
FIPS help ensure compliance with federal security and data privacy requirements. FIPS, developed by the National Institute for Standards and Technology (NIST), are to use when no voluntary standards exist to meet federal requirements.
The WSA achieves FIPS 140-2 Level 1 compliance in FIPS mode using Cisco Common Cryptographic Module (C3M). By default, FIPS mode is disabled.”
And according to the 7.5 user guide:
“Note: The only SSL version that AsyncOS for Web supports is TLS version 1.”
and
“Note: Enabling FIPS mode limits the cipher suites the Web Security appliance uses when connecting to destination web servers. This may prevent connectivity to web servers which do not implement ciphers required by FIPS.”
So some things seem clear to me now:
Does anyone have additional information on the FIPS mode?
03-27-2015 03:19 AM
An idea is to run the SSL Labs test for browsers: https://www.ssllabs.com/ssltest/viewMyClient.html
Run the test with and without the SSL WSA proxy and you will see the difference.
04-21-2015 02:45 AM
Hi Simon,
Yes, I already did that. The list of cipher suites shown above is derived from SSL Labs with the SSL proxy being enabled. SSL is decrypted by the WSA, as the connection is established between the WSA and the webserver.
When it is disabled, the cipher suites that are used depend on the browser and the webserver, as the connection is established between them and it is only passed through the WSA without any interference by the WSA itself.
To test which cipher suites are used when the SSL proxy is enabled and it additionally runs in FIPS mode, I could also use SSL Labs, but that would require enabling FIPS mode in the production environment without knowing what will happen exactly. So that is not an option for now.
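Added example, not part of any post in this thread and not Cisco code: a client test like the one discussed above works from the ClientHello the client sends, and the same fields can be read from a captured handshake record. The Python sketch below extracts the offered protocol version and cipher suite IDs and flags weak ones. The function names, the weak-marker list, the ID table (a subset of the list in the first post) and the sample record are assumptions constructed for illustration; it handles a single unfragmented TLS record only.

```python
import struct

# IANA IDs for a subset of the suites listed in this thread (not the full list).
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_RENEGO_PROTECTION_REQUEST",  # signalling value, not a cipher
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Assumption of this example: name fragments treated as weak.
WEAK_MARKERS = ("EXPORT", "_DES_", "RC4", "RC2", "MD5")

def parse_client_hello(record: bytes):
    """Return (highest offered version, [suite IDs]) from one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 34 + 1 + hello[34]  # skip version, 32-byte random and session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    n = struct.unpack("!H", hello[pos:pos + 2])[0]
    raw = hello[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("bad cipher_suites length")
    ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]
    return VERSIONS.get(version, hex(version)), ids

def weak_suites(ids):
    """Names of offered suites whose IANA name contains a weak marker."""
    names = [SUITES.get(i, f"unknown_0x{i:04X}") for i in ids]
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]

def build_sample_hello(version, ids):
    """Constructed input: a minimal, extension-less ClientHello record."""
    suites = b"".join(i.to_bytes(2, "big") for i in ids)
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x00"
             + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs
```

To use it on real traffic, pass the first TLS record of a captured connection (for example, exported from a packet capture) to `parse_client_hello` and extend `SUITES` with the remaining IANA IDs.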