VMware Networking Community
ymunakata
Contributor

cipher algorithms of ESG loadbalancer

I would like you to clarify which cipher algorithms the ESG load balancer in 6.1 supports.

We can select a cipher option for negotiating the SSL handshake under the application profile of the ESG load balancer. The ESG load balancer gives me just the "default" option. I'm not sure which cipher algorithms ESG supports.

Any input would help me understand the ESG load balancer.

Thanks in advance,

Yuichiro

7 Replies
ymunakata
Contributor

Some sources say NSX comes from Nicira and vShield. I wonder if we should go over the vShield features. Any input would help me understand the cipher algorithms of the NSX ESG.

Thanks in advance,

Yuichiro

larsonm
VMware Employee

Yes, the acquisition of Nicira in 2012 was integrated with VMware's vShield products to become vCloud Networking and Security (vCNS). The vCNS components have been superseded by NSX.

ESG uses ciphers included with openssl.  The openssl version depends on the version of NSX.

RC4-MD5, AES128-SHA, AES256-SHA and DES-CBC-SHA are the supported ciphers for the SSL VPN.  It would be logical to think that the same openssl libraries would be used for both, but that is strictly an assumption and may not be accurate.

The "default" value uses the following cipher string:

AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH

If you want to disable SSLv3, use this string:

AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH:!SSLv3:ALL

Details of these strings are referenced in openssl documentation.

The folks who have deeper insights into the specifics on this are likely at VMworld at the moment.

ymunakata
Contributor

Thank you very much for your attention. The information you provided will help me understand. I'll go over OpenSSL to figure it out as well.

Thanks again,

Yuichiro

ymunakata
Contributor

Does ESG offer any way to change the default cipher suite? ESG is offering just the default option for the cipher. Any input would help me understand that.

Thanks in advance,

Yuichiro

ddesmidt
VMware Employee

Larsonm already gave an answer.

As explained, the default cipher is: AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH (it takes the strongest AES ciphers first, then the strongest of any cipher but RC4, and lastly the strongest RC4 ciphers. And in any case it will accept a client with neither encryption nor authentication).

The syntax used to specify the supported cipher is the one from OpenSSL: https://www.openssl.org/docs/apps/ciphers.html

For instance:

To allow only TLSv1.2, use the cipher “!SSLv3:ALL”

Note: This cipher does not allow TLSv1.0 nor TLSv1.1.

Dimitri

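The two strings in this thread, "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" from larsonm's reply and "!SSLv3:ALL" from Dimitri's, can be worked through by hand with the OpenSSL cipher-list rules documented at the link above: a plain word adds matching suites, "!" deletes them permanently, "-" deletes them, a leading "+" moves them to the end, and "@STRENGTH" sorts by key length. The Python below is an added example and is not code from the thread, from NSX or from OpenSSL; it applies those rules over a small constructed cipher table (an assumption, not the table any ESG release ships) so the resolution can be run offline. Three things fall out of it: "ALL" includes anonymous (aNULL) suites, which is why the "!aNULL" term is needed; "@STRENGTH" re-sorts by key length after "+RC4", so 128-bit RC4 lands above 56-bit DES rather than at the very end; and "!SSLv3:ALL" leaves only TLS 1.2-era suites, so a TLS 1.0 or 1.1 client finds nothing in common.

```python
"""Toy evaluator for OpenSSL cipher strings (added example, not NSX or OpenSSL code).

Models the documented OpenSSL cipher-list rules over a small constructed cipher
table so the strings discussed in the thread can be resolved offline.  The
authoritative list for a given NSX build is `openssl ciphers -v '<string>'` run
against that build's OpenSSL version.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    auth: str   # authentication; "None" marks anonymous (aNULL) suites
    enc: str    # bulk cipher; "None" marks unencrypted (eNULL) suites
    bits: int   # key length used by @STRENGTH
    proto: str  # OpenSSL alias family: "SSLv3" (usable from SSL 3.0 up) or "TLSv1.2"


# Constructed subset of an OpenSSL 1.0.x-style cipher table (assumption: not the
# list any particular ESG release ships).  Order mirrors OpenSSL's internal
# preference order, which is the order a plain alias such as ALL appends in.
TABLE = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "RSA", "AESGCM", 256, "TLSv1.2"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "RSA", "AESGCM", 128, "TLSv1.2"),
    Suite("AES256-SHA256", "RSA", "AES", 256, "TLSv1.2"),
    Suite("AES256-SHA", "RSA", "AES", 256, "SSLv3"),
    Suite("AES128-SHA", "RSA", "AES", 128, "SSLv3"),
    Suite("DES-CBC3-SHA", "RSA", "3DES", 168, "SSLv3"),
    Suite("RC4-SHA", "RSA", "RC4", 128, "SSLv3"),
    Suite("RC4-MD5", "RSA", "RC4", 128, "SSLv3"),
    Suite("DES-CBC-SHA", "RSA", "DES", 56, "SSLv3"),
    Suite("ADH-AES128-SHA", "None", "AES", 128, "SSLv3"),  # anonymous DH: aNULL
    Suite("NULL-SHA", "RSA", "None", 0, "SSLv3"),          # no encryption: eNULL
]


def matches(suite: Suite, word: str) -> bool:
    """Does `word` (an OpenSSL alias or an exact suite name) select `suite`?"""
    if word == "ALL":      # everything except eNULL; anonymous suites ARE included
        return suite.enc != "None"
    if word == "AES":
        return suite.enc in ("AES", "AESGCM")
    if word == "RC4":
        return suite.enc == "RC4"
    if word == "aNULL":
        return suite.auth == "None"
    if word in ("eNULL", "NULL"):
        return suite.enc == "None"
    if word in ("SSLv3", "TLSv1.2"):
        return suite.proto == word
    return suite.name == word


def cipher_names(cipher_string: str) -> list[str]:
    """Resolve a cipher string to the ordered suite names it selects.

    Only the prefix form of '+' (move matching suites to the end) is modelled;
    the infix form that ANDs aliases (e.g. 'kEDH+aRSA') is not.
    """
    current: list[Suite] = []
    killed: set[Suite] = set()   # suites removed with '!' can never come back
    for word in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not word:
            continue
        if word == "@STRENGTH":
            # Stable sort by key length: equal-strength suites keep their order.
            current.sort(key=lambda s: s.bits, reverse=True)
        elif word[0] == "!":
            killed.update(s for s in TABLE if matches(s, word[1:]))
            current = [s for s in current if s not in killed]
        elif word[0] == "-":
            current = [s for s in current if not matches(s, word[1:])]
        elif word[0] == "+":
            moved = [s for s in current if matches(s, word[1:])]
            current = [s for s in current if s not in moved] + moved
        else:
            for s in TABLE:
                if matches(s, word) and s not in killed and s not in current:
                    current.append(s)
    return [s.name for s in current]


def accepts_unprotected(cipher_string: str) -> bool:
    """True if the resolved list still contains an aNULL or eNULL suite."""
    names = set(cipher_names(cipher_string))
    return any(s.name in names and (s.auth == "None" or s.enc == "None") for s in TABLE)


def usable_by_pre_tls12_client(cipher_string: str) -> bool:
    """True if any selected suite is negotiable by a TLS 1.0/1.1 (SSLv3-family) client."""
    names = set(cipher_names(cipher_string))
    return any(s.name in names and s.proto == "SSLv3" for s in TABLE)


if __name__ == "__main__":
    for s in ("AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH", "!SSLv3:ALL"):
        print(s)
        for name in cipher_names(s):
            print("   ", name)
```

Because the toy table is constructed, treat its output as an illustration of the ordering rules, not as the list an ESG actually offers; on the appliance or a matching OpenSSL build, `openssl ciphers -v 'AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH'` prints the real resolved order together with each suite's protocol, key-exchange, authentication, cipher and MAC columns.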
ymunakata
Contributor

Thank you very much for your attention again.

In which interface is it possible to change the cipher string you provided? I just logged in to my vShield to check on what you offered, but I cannot find a clue how to change that.

Thanks in advance,

Yuichiro

ddesmidt
VMware Employee

You edit your Application Profile, and you enter your cipher list in the field "Cipher".

Dimitri
