OCI 7.0.1 SSL - SHA-1 vs SHA-256

SMLocke — Thu, 05 Jun 2025 04:12:42 GMT

Hello, comrades. Our security vulnerabilitiy scanner has flagged my OCI servers with a vulnerability related to SSL and SHA-1 hashing. The remediation measure prescribed is to stop using a SHA-1 hashed certificate, and use one hashed with SHA-256 instead.

I'm currently running 7.0.1, but I've scheduled an upgrade to 7.1 in the next few weeks for reasons unrelated to SSL. I sort of hope this upgrade (and a subsequent switching-off of SSLv3 and switching-on of TLS on the filer) will automagically sort out my SHA-1 vulnerability as well. What does the community think? Wishful thinking?

Re: OCI 7.0.1 SSL - SHA-1 vs SHA-256

ostiguy — Wed, 16 Sep 2015 14:49:24 GMT

SMLocke,

Ugh.

No, OCI 7.1.0's out of the box ciphers have not changed from OCI 7.0.[0-2]

Part of the difficulty with ciphers is:

Exportable software can only ship with certain ones.

Java 7 defaults to TLS 1.0 enabled, TLS 1.1 and 1.2 disabled. Certain ciphers won't work with TLS 1.0

OCI 7.0.3 is actually chronologically more recent than 7.1.0. In 7.0.3, we changed the default ciphers to

TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA

Notice how those end in SHA, and not SHA___ ?

So, 7.0.3 moves away from ciphers that use RC4 because that is a bad thing. It doesn't change the picture on using SHA-1.

Aside - I have a BA in Political Science. Keep that in mind before any crypto advice from me

I actually in my testing have built a .xls of the various ciphers Java supports, which work with which TLS version, and which are exportable.

SHA256 and higher *only* work with TLS 1.2, which means if you are using Java 7 with a default configuration, you will break the client if you switch ciphers.

Can you guarantee that:

All Java 7 installs have been adjusted to enable TLS 1.2 (checkbox in Java control panel) OR

All OCI Java client users are using Java 8, which has TLS 1.2 enabled by default

if so navigate to,

..\SANscreen\jboss\server\onaro\deploy\jbossweb.sar

Make a backup of server.xml to your My Documents folder, then edit server.xml

Look for

ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"

7.1.0 / 7.0.[0-2]

will have that line - as discussed above, the ciphers are different in 7.0.3

Change the ciphers line to

ciphers = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256"

Save the file

Restart the "SANscreen Server" service

In 3-5 minutes, all the services should be back online. Confirm you can get into the OCI Java client, and confirm all OCI Acquisition Units are talking to OCI

If things break, remember that you took cipher advice from a pre-sales engineer with a liberal arts degree, and laugh. And back out the change you made, restart the services, and open a support case

Hope this helps

Matt

Re: OCI 7.0.1 SSL - SHA-1 vs SHA-256

SMLocke — Thu, 28 May 2015 21:33:58 GMT

Matt, this is super helpful, and I'll definitely need to bookmark this for when we actually get 7.1 installed. The OCI client is really only used by a handful of people, and can only be gotten-to in one of two ways, so I bet I could control the Java environment around it (hashtag Famous Last Words).

From one liberal arts undergraduate to another, I thank you.

topic Re: OCI 7.0.1 SSL - SHA-1 vs SHA-256 in Active IQ Unified Manager Discussions

OCI 7.0.1 SSL - SHA-1 vs SHA-256

Re: OCI 7.0.1 SSL - SHA-1 vs SHA-256

Re: OCI 7.0.1 SSL - SHA-1 vs SHA-256