Disabling SSL/TLS ciphers per protocol.

Resolved from fix pack
15In response to security vulnerabilities, you can disable specific SSL/TLS ciphers per protocol.

About this task

TLS/SSL protocols secure the transfer of data between the client and the server through authentication and encryption and integrity. To secure data that is being transferred, SSL/TLS uses one or more ciphers. A cipher set can be a combination of authentication, encryption, and message authentication code (MAC) algorithms. All of which are used during the negotiation of security settings for a SSL/TLS connection and for the secure transfer of data. Over time, vulnerabilities can be found in specific protocols and ciphers. Therefore, you can disable those unsafe and insecure ciphers per protocol, through configuration of one or more of the following properties within the configuration file sslciphers.conf. The property value is a comma-separated list of strings that disables the related ciphers.
  • sslv3_remove
  • tls10_remove
  • tls11_remove
  • tls12_remove
  • Functionality delivered in fix pack
32tls13_remove

To disable SSL/TLS ciphers per protocol, complete the following steps.

Procedure

  1. If the sslciphers.conf file does not exist, then create the file in the following locations.
    • On Linux, the file is located in $NCHOME/etc/security/sslciphers.conf
    • On Windows, the file is located in %NCHOME%\ini\security\sslciphers.conf
  2. Open the sslciphers.conf file.
    • On Linux, open $NCHOME/etc/security/sslciphers.conf
    • On Windows, open %NCHOME%\ini\security\sslciphers.conf
  3. Within the sslciphers.conf file, depending on which cipher you must disable, edit one or more of the properties.
    For example,
    • sslv3_remove=128 disables any SSL v3 cipher that contains the substring 128. The following sample log file extract, displays some of the results after you run this configuration.
      2017-10-04T13:30:34: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_V3_CIPHER_SPECS_EX cipher 
      [TLS_RSA_WITH_AES_128_CBC_SHA] 
      removed because of rule '128' in sslciphers.conf
      2017-10-04T13:30:34: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_V3_CIPHER_SPECS_EX cipher 
      [TLS_RSA_WITH_AES_256_CBC_SHA] 
      OK - no sslciphers.conf rules to remove it
      2017-10-04T13:30:34: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_V3_CIPHER_SPECS_EX cipher 
      [TLS_RSA_WITH_3DES_EDE_CBC_SHA] 
      removed because of rule '3DES' (Sweet32 vulnerability mitigation)
      In this log file extract, the first cipher was removed because it contained the string 128. The second cipher was retained because this cipher did not match any rule. The third cipher was removed because it contained the substring 3DES that is a hardcoded rule due to the Sweet32 vulnerability mitigation and all 3DES ciphers are disabled by default.
    • tls12_remove="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",384 disables the specific TLS v1.2. cipher entry within the double quotation marks. Some ciphers are a substring of another cipher. For example, TLS v1.2. includes the following two ciphers.
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA256
      For these two sample ciphers, if the configuration file only dealt with substrings, you would be unable to disable TLS_RSA_WITH_AES_128_CBC_SHA and leave TLS_RSA_WITH_AES_128_CBC_SHA256 enabled. Therefore, the configuration file accepts entries that are enclosed in double quotation marks, these entries must be exact string matches and not substring matches. The following log file extract, displays some of the results after you run this configuration. In this log file extract, the first cipher was removed but the third cipher remains.
      2017-10-04T13:30:34: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_TLSV12_CIPHER_SPECS_EX cipher 
      [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA] 
      removed because of rule '"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"' 
      in sslciphers.conf
      2017-10-04T13:30:34: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_TLSV12_CIPHER_SPECS_EX cipher 
      [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA] 
      OK - no sslciphers.conf rules to remove it
      2017-10-04T13:30:34: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_TLSV12_CIPHER_SPECS_EX cipher 
      [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256] 
      OK - no sslciphers.conf rules to remove it
    • tls11_remove=_ removes all ciphers for TLS v1.1 and disables the protocol. The following log file extract, displays some of the results after you run this configuration.
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: sslciphers.conf file property tls11_remove contains value [_])
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_TLSV11_CIPHER_SPECS_EX cipher 
      [TLS_RSA_WITH_AES_128_CBC_SHA] 
      removed because of rule '_' in sslciphers.conf
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_TLSV11_CIPHER_SPECS_EX cipher 
      [TLS_RSA_WITH_AES_256_CBC_SHA] 
      removed because of rule '_' in sslciphers.conf
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: SSL protocol GSK_TLSV11_CIPHER_SPECS_EX cipher 
      [TLS_RSA_WITH_3DES_EDE_CBC_SHA] 
      removed because of rule '3DES' (Sweet32 vulnerability mitigation)
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: Calling gsk_attribute_set_buffer
      ( context = 0x2430870, GSK_TLSV11_CIPHER_SPECS_EX, [] )
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: GSK_TLSV11_CIPHER_SPECS_EX setting returned 0 )
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: Re-calling gsk_attribute_get_buffer
      ( context = 0x2430870, GSK_TLSV11_CIPHER_SPECS_EX )
      2017-10-04T13:45:31: Information: I-UNK-000-000: 
      CipherClean: GSK_TLSV11_CIPHER_SPECS_EX returned 0, size=1 str=[] )
      If a protocol does not offer ciphers, then clients cannot connect by using that protocol, which disables the whole protocol.

What to do next

If you want to re-enable a cipher, remove the entry from the sslciphers.conf file and restart any existing ObjectServer.