Solved: security config modify doesn't work as expected

El_Feuro · ‎2023-06-27

Hi,

I have problem to enable the right cipher suites in ONTAP 9.12.1P2 and 19.13.1.

The command:
security config modify -interface SSL -supported-ciphers ECDHE:!PSK:!DHE:!LOW:!aNULL:!EXP:!eNull:!3DES:!kdH:!kECDd:!SHA

enables following cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384

I don't want the red marked cipher suites to be enabled so I tried this command:

security config modify -interface SSL -supported-cipher-suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384

But the result is:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

The both cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 are not enabled.

No matter how I try to enable this both cipher suites it doesn't work. Only the first command in this post works.

Does anybody know the reason or solution for this strange behavior?

Haseeb · ‎2023-07-14

Hi,

You can set the cipher and cipher suite with a single command.

E.g:

security config modify -interface SSL -supported-protocols TLSv1.3,TLSv1.2 -supported-ciphers ECDHE:!PSK:!DHE:!LOW:!aNULL:!EXP:!eNull:!3DES:!kdH:!kECDd:!SHA -supported-cipher-suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384

By specifying the cipher and cipher suite we'd like above we'd get the following result:

cluster1::*> security config show
Cluster    Supported
FIPS Mode  Protocols Supported Cipher Suites
---------- --------- ----------------------------------------------------------
false      TLSv1.3,  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
           TLSv1.2   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                     TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
                     TLS_CHACHA20_POLY1305_SHA256

I hope this helps with your issue.

View solution in original post

Haseeb · ‎2023-07-14

Hi,

You can set the cipher and cipher suite with a single command.

E.g:

security config modify -interface SSL -supported-protocols TLSv1.3,TLSv1.2 -supported-ciphers ECDHE:!PSK:!DHE:!LOW:!aNULL:!EXP:!eNull:!3DES:!kdH:!kECDd:!SHA -supported-cipher-suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384

By specifying the cipher and cipher suite we'd like above we'd get the following result:

cluster1::*> security config show
Cluster    Supported
FIPS Mode  Protocols Supported Cipher Suites
---------- --------- ----------------------------------------------------------
false      TLSv1.3,  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
           TLSv1.2   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                     TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
                     TLS_CHACHA20_POLY1305_SHA256

I hope this helps with your issue.

security config modify doesn't work as expected

Join us in Vegas, September 23-25