2015-05-28 01:14 PM
Hello, comrades. Our security vulnerability scanner has flagged my OCI servers with a vulnerability related to SSL and SHA-1 hashing. The remediation measure prescribed is to stop using a SHA-1 hashed certificate, and use one hashed with SHA-256 instead.
I'm currently running 7.0.1, but I've scheduled an upgrade to 7.1 in the next few weeks for reasons unrelated to SSL. I sort of hope this upgrade (and a subsequent switching-off of SSLv3 and switching-on of TLS on the filer) will automagically sort out my SHA-1 vulnerability as well. What does the community think? Wishful thinking?
2015-05-28 01:48 PM - edited 2015-09-16 07:49 AM
No, OCI 7.1.0's out of the box ciphers have not changed from OCI 7.0.[0-2]
Part of the difficulty with ciphers is:
Exportable software can only ship with certain ones.
Java 7 defaults to TLS 1.0 enabled, TLS 1.1 and 1.2 disabled. Certain ciphers won't work with TLS 1.0
OCI 7.0.3 is actually chronologically more recent than 7.1.0. In 7.0.3, we changed the default ciphers to
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
Notice how those end in SHA, and not SHA___ ?
So, 7.0.3 moves away from ciphers that use RC4 because that is a bad thing. It doesn't change the picture on using SHA-1.
Aside - I have a BA in Political Science. Keep that in mind before any crypto advice from me
I actually in my testing have built a .xls of the various ciphers Java supports, which work with which TLS version, and which are exportable.
SHA256 and higher *only* work with TLS 1.2, which means if you are using Java 7 with a default configuration, you will break the client if you switch ciphers.
Can you guarantee that:
All Java 7 installs have been adjusted to enable TLS 1.2 (checkbox in Java control panel) OR
All OCI Java client users are using Java 8, which has TLS 1.2 enabled by default
if so navigate to,
Make a backup of server.xml to your My Documents folder, then edit server.xml
ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"
7.1.0 / 7.0.[0-2] will have that line - as discussed above, the ciphers are different in 7.0.3
Change the ciphers line to
ciphers = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256"
Save the file
Restart the "SANscreen Server" service
In 3-5 minutes, all the services should be back online. Confirm you can get into the OCI Java client, and confirm all OCI Acquisition Units are talking to OCI
If things break, remember that you took cipher advice from a pre-sales engineer with a liberal arts degree, and laugh. And back out the change you made, restart the services, and open a support case
Hope this helps
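An added example (not part of the reply above, and not NetApp's code): a small Python check that reads the ciphers attribute from a server.xml, flags RC4, MD5 and bare-SHA (SHA-1) suites by name, and shows which suites remain usable for a client without TLS 1.2. Only the cipher strings come from the thread; the Connector element, its other attributes and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: only the ciphers values come from the thread; the
# Connector element and its other attributes are assumptions.
BEFORE = '''<Server><Service><Connector port="443" SSLEnabled="true"
  ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"/></Service></Server>'''
AFTER = '''<Server><Service><Connector port="443" SSLEnabled="true"
  ciphers = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256"/></Service></Server>'''

SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>.+)_WITH_(?P<enc>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$")

def classify(suite):
    """Flag RC4, MD5 and SHA-1 from the suite name; note TLS 1.2-only suites."""
    m = SUITE_RE.match(suite)
    if not m:
        return {"suite": suite, "issues": ["unrecognised name"], "needs_tls12": False}
    issues = []
    if "RC4" in m["enc"]:
        issues.append("RC4")
    if m["mac"] == "MD5":
        issues.append("MD5 MAC")
    elif m["mac"] == "SHA":          # a bare "SHA" suffix means SHA-1
        issues.append("SHA-1 MAC")
    # As the post states, the SHA256 and higher suites only work with TLS 1.2.
    return {"suite": suite, "issues": issues,
            "needs_tls12": m["mac"] in ("SHA256", "SHA384")}

def audit_server_xml(xml_text):
    """Classify every suite in every ciphers attribute of the document."""
    findings = []
    for element in ET.fromstring(xml_text).iter():
        for name in element.get("ciphers", "").split(","):
            if name.strip():
                findings.append(classify(name.strip()))
    return findings

def negotiable(findings, client_has_tls12):
    """Suites a client can still use; an empty list means it cannot connect."""
    return [f["suite"] for f in findings
            if client_has_tls12 or not f["needs_tls12"]]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        found = audit_server_xml(text)
        for f in found:
            print(label, f["suite"], f["issues"] or "ok")
        print(label, "usable without TLS 1.2:", negotiable(found, False))
```

The hash at the end of a suite name is the one used for the record MAC; the signature hash of the server certificate is a property of the certificate itself and is not changed by the ciphers line.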
2015-05-28 02:33 PM
Matt, this is super helpful, and I'll definitely need to bookmark this for when we actually get 7.1 installed. The OCI client is really only used by a handful of people, and can only be gotten-to in one of two ways, so I bet I could control the Java environment around it (hashtag Famous Last Words).
From one liberal arts undergraduate to another, I thank you.