Active IQ Unified Manager Discussions

OCI 7.0.1 SSL - SHA-1 vs SHA-256

SMLocke
4,551 Views

Hello, comrades. Our security vulnerabilitiy scanner has flagged my OCI servers with a vulnerability related to SSL and SHA-1 hashing. The remediation measure prescribed is to stop using a SHA-1 hashed certificate, and use one hashed with SHA-256 instead. 

 

I'm currently running 7.0.1, but I've scheduled an upgrade to 7.1 in the next few weeks for reasons unrelated to SSL. I sort of hope this upgrade (and a subsequent switching-off of SSLv3 and switching-on of TLS on the filer) will automagically sort out my SHA-1 vulnerability as well. What does the community think? Wishful thinking?

 

 

2 REPLIES 2

ostiguy
4,542 Views

SMLocke,

 

Ugh.

 

No, OCI 7.1.0's out of the box ciphers have not changed from OCI 7.0.[0-2]

 

Part of the difficulty with ciphers is:

Exportable software can only ship with certain ones.

Java 7 defaults to TLS 1.0 enabled, TLS 1.1 and 1.2 disabled. Certain ciphers won't work with TLS 1.0

 

OCI 7.0.3 is actually chronologically more recent than 7.1.0. In 7.0.3, we changed the default ciphers to

 

TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA

 

Notice how those end in SHA, and not SHA___ ?

 

So, 7.0.3 moves away from ciphers that use RC4 because that is a bad thing. It doesn't change the picture on using SHA-1.

 

Aside - I have a BA in Political Science. Keep that in mind before any crypto advice from me

 

I actually in my testing have built a .xls of the various ciphers Java supports, which work with which TLS version, and which are exportable.

 

SHA256 and higher *only* work with TLS 1.2, which means if you are using Java 7 with a default configuration, you will break the client if you switch ciphers.

 

Can you guarantee that:

All Java 7 installs have been adjusted to enable TLS 1.2 (checkbox in Java control panel) OR

All OCI Java client users are using Java 8, which has TLS 1.2 enabled by default

 

if so navigate to,

 

..\SANscreen\jboss\server\onaro\deploy\jbossweb.sar

 

Make a backup of server.xml  to your My Documents folder, then edit server.xml

 

Look for

ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"

 

7.1.0 / 7.0.[0-2]

 

will have that line - as discussed above, the ciphers are different in 7.0.3

 

Change the ciphers line to

ciphers = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256"

 

Save the file

Restart the "SANscreen Server" service

In 3-5 minutes, all the services should be back online. Confirm you can get into the OCI Java client, and confirm all OCI Acquisition Units are talking to OCI

 

If things break, remember that you took cipher advice from a pre-sales engineer with a liberal arts degree, and laugh. And back out the change you made, restart the services, and open a support case

 

Hope this helps

 

Matt

 

 

 

SMLocke
4,526 Views

Matt, this is super helpful, and I'll definitely need to bookmark this for when we actually get 7.1 installed. The OCI client is really only used by a handful of people, and can only be gotten-to in one of two ways, so I bet I could control the Java environment around it (hashtag Famous Last Words). 

 

From one liberal arts undergraduate to another, I thank you.

Public