
TLS/SSL Server Supports The Use of Static Key Ciphers

'The server is configured to support ciphers known as static key ciphers. These ciphers don't support “Forward Secrecy”. In the new specification for HTTP/2, these ciphers have been blacklisted.'

ClearCenter response

These ciphers are retained so that older browsers can still reach the update mechanisms they need in order to move to newer browsers.

Short response

Because ClearOS is often used as a first line of defense for weaker systems, static-key ciphers are still included in ClearOS for backwards compatibility. This enables newly provisioned, legacy systems to get updates and fixes in order to modernize them. It is the browser that negotiates the lower or higher forms of encryption. To ensure that your communications are not compromised, please ensure that your browser is up to date. Modern browsers only use more modern methods, which exclude the static ciphers that have been disallowed in HTTP/2.

Long response

Because ClearOS is often used as a first line of defense for weaker systems, static-key ciphers are still included in ClearOS for backwards compatibility. This enables newly provisioned, legacy systems to get updates and fixes in order to modernize them. It is the browser that negotiates the lower or higher forms of encryption. To ensure that your communications are not compromised, please ensure that your browser is up to date. Modern browsers only use more modern methods, which exclude the static ciphers that have been disallowed in HTTP/2.

The risk is that an outside listener who records the data exchange can later use the entire captured session as the basis for decryption, because static-key ciphers provide no forward secrecy. Modern and updated systems will not be affected; these ciphers are included only to give older machines the opportunity to use tools to upgrade themselves. If your system is not a gateway or infrastructure piece for systems that need a path to upgrade to more modern software, feel free to disable these ciphers.

Resolution

If your ClearOS system is not involved with client workstations that may need to update to newer versions or patch levels (i.e. it is not a gateway or proxy for older workstations looking to get updates), you can likely disable 3DES without any loss of function to older computers that HAVE already been updated. To disable 3DES, repeat this process for both Webconfig and the Web Server app (if installed):

Modify the following files for Webconfig (ClearOS 7):

/usr/clearos/sandbox/etc/httpd/conf.d/framework.conf
/usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf

Change the 'SSLCipherSuite' directive to the following (you can comment out the existing line and add this one):

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Test the connection with the following:

openssl s_client -cipher ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES -connect localhost:81

You should get output similar to this indicating that these methods are not allowed:

CONNECTED(00000003)
140259018504080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 141 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1538578149
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Restart Webconfig (and httpd for the Web Server app, if installed and reconfigured) so that the new settings take effect:

systemctl restart webconfig
systemctl restart httpd
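The manual openssl s_client check above covers one cipher list. As an added example (not part of the original ClearOS article), the following POSIX shell script repeats that check for the static-key and 3DES groups and for the forward-secret EECDH/EDH group, so a single run confirms the new SSLCipherSuite both rejects what it should and still accepts what modern browsers need. Function names are hypothetical; it assumes the same openssl binary and the Webconfig port 81 used on this page.

```shell
#!/bin/sh
# Added example: audit a ClearOS Webconfig/httpd listener after editing
# SSLCipherSuite. Static-key (RSA key exchange) and 3DES groups should be
# rejected; the EECDH/EDH AES-GCM group should still be accepted.

# Classify one `openssl s_client` transcript. A failed handshake prints
# "New, (NONE), Cipher is (NONE)" (as in the sample output on this page);
# a successful one names the negotiated cipher on that line.
classify_handshake() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        "(NONE)"|"") echo "rejected" ;;
        *)           echo "accepted $cipher" ;;
    esac
}

# Offer only the given cipher group to HOST:PORT and classify the result.
# Because nothing else is offered, a successful handshake proves the
# server still allows that group.
probe_cipher_group() {
    host=$1; port=$2; ciphers=$3
    out=$(openssl s_client -cipher "$ciphers" -connect "$host:$port" </dev/null 2>&1)
    classify_handshake "$out"
}

# Returns 0 only when every static-key/3DES group is rejected and the
# forward-secret group is accepted. Defaults match the page: localhost:81.
audit_server() {
    host=${1:-localhost}; port=${2:-81}
    status=0
    for group in "RSA+AESGCM:RSA+AES" "ECDH+3DES:DH+3DES:RSA+3DES"; do
        r=$(probe_cipher_group "$host" "$port" "$group")
        echo "legacy group [$group]: $r"
        [ "$r" = "rejected" ] || status=1
    done
    r=$(probe_cipher_group "$host" "$port" "EECDH+AESGCM:EDH+AESGCM")
    echo "forward-secret group [EECDH+AESGCM:EDH+AESGCM]: $r"
    case "$r" in accepted*) ;; *) status=1 ;; esac
    return $status
}

# Usage: sh audit_ciphers.sh --run [host] [port]
if [ "${1:-}" = "--run" ]; then
    audit_server "${2:-localhost}" "${3:-81}"
fi
```

Run it after the restart; a non-zero exit means either a legacy group was still negotiated or the forward-secret group was refused, and the per-group lines show which.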
content/en_us/kb_3rdparty_rapid_7_tlsssl_supports_static_key_ciphers.txt · Last modified: 2018/10/03 10:30 by dloper
