Management Interface SSL Ciphers

Greetings, Here's the default apache cipher list:

DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP

Can you simply append !SSLv3 to the list to disable SSLv3?

tmsh modify sys httpd ssl-ciphersuite 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv3'
tmsh save sys config
bigstart restart httpd

Looks to have been added to /etc/httpd/conf.d/ssl.conf and SSLv3 no longer negotiates.

SSLCipherSuite DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv3

Kevin

Thanks Kevin. To be blunt I think I've not being paying attention. Its all working fine. Cheers

Is there really a cipher suite called SSLv3 for the httpd? It is the SSLv3 protocol that should be disabled entirely, as the two cipher suites supported by that protocol are both insecure.

Please see related thread Disabling SSLv3 for Configuration Utility.

Thanks Jie but I don't see any solution in SOL15702 or the article you link to, for versions prior to 11.5?

Regardless, I'm happy that I can disable SSLv3 by simply specifying

NONE:

Just for the benefit of others, I've implemented just TLS1.2 supported ciphers using this string;

NONE:DHE-RSA-AES256-SHA:AES256-SHA

OpenSSL reports as follows (ignore the SSLv3 output, it's just an OpenSSL 'thing');

$ openssl ciphers -v NONE:DHE-RSA-AES256-SHA:AES256-SHA
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1

And here's the output from ssldump proving when I connect that only one of these ciphers is used;

$ ssldump -ndX
    New TCP connection 1: 10.11.12.13(50592) <-> 192.168.1.1(443)
    1 1  0.0491 (0.0491)  C>S  Handshake
          ClientHello
            Version 3.1 
            resume [32]=
              13 70 c7 87 b7 5a 78 8d b6 ca fd cc 4d 92 f9 17 
              d0 61 90 36 5b 1b 69 cd f1 e5 e7 f9 5f 2a 5b e1 
            cipher suites
            Unknown value 0xc02b
            Unknown value 0xc02f
            Unknown value 0x9e
            Unknown value 0xcc14
            Unknown value 0xcc13
            Unknown value 0xc00a
            Unknown value 0xc009
            Unknown value 0xc013
            Unknown value 0xc014
            Unknown value 0xc007
            Unknown value 0xc011
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA
            Unknown value 0x9c
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_RSA_WITH_RC4_128_SHA
            TLS_RSA_WITH_RC4_128_MD5
            compression methods
                      NULL
    1 2  0.0513 (0.0022)  S>C  Handshake
          ServerHello
            Version 3.1 
            session_id[32]=
              13 70 c7 87 b7 5a 78 8d b6 ca fd cc 4d 92 f9 17 
              d0 61 90 36 5b 1b 69 cd f1 e5 e7 f9 5f 2a 5b e1 
            cipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
            compressionMethod                   NULL

Here's what happens if I try to connect using Firefox configured to use unwanted ciphers;

    1 1  0.0074 (0.0074)  C>S  Handshake
          ClientHello
            Version 3.0 
            cipher suites
            Unknown value 0xff
            SSL_DHE_RSA_WITH_AES_128_CBC_SHA
            SSL_DHE_DSS_WITH_AES_128_CBC_SHA
            Unknown value 0x45
            SSL_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
            SSL_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
            SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_RSA_WITH_AES_128_CBC_SHA
            SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
            SSL_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_RSA_WITH_RC4_128_MD5
            compression methods
                      NULL
    1 2  0.0080 (0.0005)  S>C  Alert
        level           fatal
        value           handshake_failure