In response to security vulnerabilities, you can disable specific
SSL/TLS ciphers per protocol.
About this task
TLS/SSL protocols secure the transfer of data between the client and the server through
authentication and encryption and integrity. To secure data that is being transferred, SSL/TLS uses
one or more ciphers. A cipher set can be a combination of authentication, encryption, and message
authentication code (MAC) algorithms. All of which are used during the negotiation of security
settings for a SSL/TLS connection and for the secure transfer of data. Over time, vulnerabilities
can be found in specific protocols and ciphers. Therefore, you can disable those unsafe and insecure
ciphers per protocol, through configuration of one or more of the following properties within the
configuration file
sslciphers.conf
. The property value is a comma-separated list of
strings that disables the related ciphers.
sslv3_remove
tls10_remove
tls11_remove
tls12_remove
tls13_remove
To disable SSL/TLS ciphers per protocol, complete the following steps.
Procedure
-
If the
sslciphers.conf
file does not exist, then create the file in the
following locations.
- On Linux, the file is located in
$NCHOME/etc/security/sslciphers.conf
- On Windows, the file is located in
%NCHOME%\ini\security\sslciphers.conf
-
Open the
sslciphers.conf
file.
- On Linux, open $NCHOME/etc/security/sslciphers.conf
- On Windows, open %NCHOME%\ini\security\sslciphers.conf
-
Within the
sslciphers.conf
file, depending on which cipher you must disable,
edit one or more of the properties.
For example,
sslv3_remove=128
disables any SSL v3 cipher that contains the substring
128
. The following sample log file extract, displays some of the results after you
run this configuration.
2017-10-04T13:30:34: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_V3_CIPHER_SPECS_EX cipher
[TLS_RSA_WITH_AES_128_CBC_SHA]
removed because of rule '128' in sslciphers.conf
2017-10-04T13:30:34: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_V3_CIPHER_SPECS_EX cipher
[TLS_RSA_WITH_AES_256_CBC_SHA]
OK - no sslciphers.conf rules to remove it
2017-10-04T13:30:34: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_V3_CIPHER_SPECS_EX cipher
[TLS_RSA_WITH_3DES_EDE_CBC_SHA]
removed because of rule '3DES' (Sweet32 vulnerability mitigation)
In
this log file extract, the first cipher was removed because it contained the string
128
. The second cipher was retained because this cipher did not match any rule. The
third cipher was removed because it contained the substring 3DES
that is a
hardcoded rule due to the Sweet32
vulnerability mitigation and all
3DES
ciphers are disabled by default.
tls12_remove="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",384
disables the specific
TLS v1.2. cipher entry within the double quotation marks. Some ciphers are a substring of another
cipher. For example, TLS v1.2. includes the following two ciphers.
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
For these two sample ciphers, if the configuration file only dealt with substrings, you would
be unable to disable TLS_RSA_WITH_AES_128_CBC_SHA
and leave
TLS_RSA_WITH_AES_128_CBC_SHA256
enabled. Therefore, the configuration file accepts
entries that are enclosed in double quotation marks, these entries must be exact string matches and
not substring matches. The following log file extract, displays some of the results after you run
this configuration. In this log file extract, the first cipher was removed but the third cipher
remains.2017-10-04T13:30:34: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_TLSV12_CIPHER_SPECS_EX cipher
[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA]
removed because of rule '"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"'
in sslciphers.conf
2017-10-04T13:30:34: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_TLSV12_CIPHER_SPECS_EX cipher
[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA]
OK - no sslciphers.conf rules to remove it
2017-10-04T13:30:34: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_TLSV12_CIPHER_SPECS_EX cipher
[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]
OK - no sslciphers.conf rules to remove it
tls11_remove=_
removes all ciphers for TLS v1.1 and disables the protocol. The
following log file extract, displays some of the results after you run this
configuration.2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: sslciphers.conf file property tls11_remove contains value [_])
2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_TLSV11_CIPHER_SPECS_EX cipher
[TLS_RSA_WITH_AES_128_CBC_SHA]
removed because of rule '_' in sslciphers.conf
2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_TLSV11_CIPHER_SPECS_EX cipher
[TLS_RSA_WITH_AES_256_CBC_SHA]
removed because of rule '_' in sslciphers.conf
2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: SSL protocol GSK_TLSV11_CIPHER_SPECS_EX cipher
[TLS_RSA_WITH_3DES_EDE_CBC_SHA]
removed because of rule '3DES' (Sweet32 vulnerability mitigation)
2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: Calling gsk_attribute_set_buffer
( context = 0x2430870, GSK_TLSV11_CIPHER_SPECS_EX, [] )
2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: GSK_TLSV11_CIPHER_SPECS_EX setting returned 0 )
2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: Re-calling gsk_attribute_get_buffer
( context = 0x2430870, GSK_TLSV11_CIPHER_SPECS_EX )
2017-10-04T13:45:31: Information: I-UNK-000-000:
CipherClean: GSK_TLSV11_CIPHER_SPECS_EX returned 0, size=1 str=[] )
If
a protocol does not offer ciphers, then clients cannot connect by using that protocol, which
disables the whole protocol.
What to do next
If you want to re-enable a cipher, remove the entry from the
sslciphers.conf
file and restart any existing
ObjectServer.