VMware Cloud Community
scott_mitchell1
Contributor

Disable weak SSL ciphers <128bit

Is it possible to disable weak SSL ciphers on both the webserver and the agents?

I would like to disable anything less than 128bit.

Thanks,

Scott


Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
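An added example, not part of the original post or of Hyperic: Python that parses the scan listing in the field layout described above and applies the poster's policy, flagging every suite whose `Enc` key length is under 128 bits or that carries the export flag. The function names `parse_listing` and `split_by_key_length` are hypothetical, and the input is the listing from the post embedded as a constructed sample.

```python
import re

# Constructed input: the scan listing quoted in the post above, headings included.
SCAN_LISTING = """\
Low Strength Ciphers (< 56-bit key)
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

# {ciphername} Kx=.. Au=.. Enc=ALG(bits) Mac=.. [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?$"
)

def parse_listing(text):
    """Return one dict per cipher line; headings and protocol lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"])          # key length as printed in Enc=
            d["export"] = d["export"] is not None
            suites.append(d)
    return suites

def split_by_key_length(suites, min_bits=128):
    """Split suite names into (to_disable, to_keep) by Enc key length and export flag."""
    weak = [s["name"] for s in suites if s["export"] or s["bits"] < min_bits]
    kept = [s["name"] for s in suites if s["name"] not in weak]
    return weak, kept

if __name__ == "__main__":
    to_disable, to_keep = split_by_key_length(parse_listing(SCAN_LISTING))
    print("disable:", to_disable)
    print("keep:   ", to_keep)
```

The split uses only the key length printed in the `Enc` field, which is the criterion stated in the question.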
bclark_hyperic
Enthusiast

Hmmm....there has got to be a way to do this, at the very least on the server side. If this were a Tomcat server, I'd add the "ciphers" attribute to my HTTPS connector block (in my server.xml file) and have a comma-separated list of the ciphers that I wanted to be available for use.

I don't know how to do this in JBoss though, which is what the Hyperic server runs in.

Maybe there is a way to remove the low and medium ciphers from the JVM itself? Maybe via a Java runtime option? If the Hyperic Agent configuration doesn't support this via configuration, that may be the only way to do this.

Brian
rchoquette
Contributor

In order to achieve this I made a simple change:

In /<hyperic-server install dir>/conf/templates/server.xml I added:

ciphers="SSL_RSA_WITH_RC4_128_MD5" right after sslProtocol = "TLS" and restarted the hyperic server.
abhishek1388
Contributor

This change doesn't hold good for Hyperic 4.4. Can anyone help me in controlling cipher suites on HQ 4.4 version?
