Solved

OpenSSL How to Disable Ciphers

Posted on 2012-04-11
Last Modified: 2012-04-12
Hi,
I need to disable certain ciphers on my Linux servers following a Nessus vulnerability assessment scan. The Nessus report lists specific weak and medium ciphers that it doesn't like. For instance, here are the medium ciphers I need to disable:
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

I haven't been able to find much in the way of documentation as to how to do this. Some of what I have found doesn't seem to work. I came across this command that is supposed to enable only TLSv1/SSLv3 ciphers of 128 bits or higher, disable all others, and then sort them by strength so that the strongest ciphers would be tried first:
openssl ciphers -v 'TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH' - when I run this command this is what I get back:
$ openssl ciphers -v 'TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

However, if I then check to see what ciphers are enabled, it displays all the ciphers including the ones that I thought were disabled by the command above:
$ openssl ciphers -v 'ALL:eNULL'
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

What is the correct command syntax to disable specific individual ciphers, and/or what would be the command syntax to disable all the weak and medium strength ciphers?

Thank you,
Jeff
Question by:jpetter
Expert Comment

by:ahoffmann
ID: 37836254
Assuming that it is an Apache server, define the ciphers you want in the SSLCipherSuite directive in your httpd.conf (or its includes).
Author Comment

by:jpetter
ID: 37836759
Thanks for the suggestion. OpenSSL is being used with a web server, but I need to know how to disable them in OpenSSL so they don't appear on the next vulnerability scan.

Thanks
Expert Comment

by:ahoffmann
ID: 37836834
> ... but I need to know how to disable them in OpenSSL ..
openssl is the tool to access your web server as a client (just like a browser does);
what openssl reports is the configuration provided by the service listening on the port it connects to (most likely 443),
and the service listening there is most likely your web server (I guess Apache) and not openssl itself.
That's why I suggested properly configuring your Apache.

If you feel that this suggestion is not accurate for whatever reason, please contact your "scanner" and ask what exactly they tested; please post the command for it and also explain which service/process is responsible for that on your site.
Author Comment

by:jpetter
ID: 37836900
Thanks again for the information. It sounds like I don't know how all the piece parts fit together. If I understand you correctly, the installation of OpenSSL does not install ciphers along with it per se, and the ciphers would be installed by/used by the web server, and openssl is simply a tool to interface with these. Is that correct?
Accepted Solution

by:
ahoffmann earned 500 total points
ID: 37837061
simple answer: yes
long answer: see below

stolen from openssl's man-page:
---
DESCRIPTION
       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
       v2/v3) and Transport Layer Security (TLS v1) network protocols and related
       cryptography standards required by them.

       The openssl program is a command line tool for using the various cryptography
       functions of OpenSSL's crypto library from the shell.  It can be used for

        o  Creation of RSA, DH and DSA key parameters
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail
---

OpenSSL per se does not have ciphers or certificates but knows the algorithms for how to create and verify them,
i.e. it's the OS's (Linux) or the program's (web server, ssh) responsibility to provide certificates; e.g. Apache creates its own certificate using openssl if started with SSL support but no certificates are found.
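The two points made in this thread (the ciphers to restrict are chosen in Apache's SSLCipherSuite directive, and `openssl` only shows what the listening service offers) suggest a small workflow: expand the cipher string you intend to put in SSLCipherSuite, list what in it a scanner would still flag, then confirm against the live server that each flagged suite is really refused. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. `classify_ciphers` parses the `openssl ciphers -v` format shown in the question and applies the thresholds the question quotes (null, below 56 bits, 56 to 111 bits) plus anonymous suites; `probe_cipher` does what the scanner does, a handshake restricted to one suite. The sample listing is a constructed subset of the `ALL:eNULL` output above, and the hostname and the candidate cipher string in the usage comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for vetting an
# OpenSSL cipher string against a scanner's strength thresholds, and for
# confirming what the server itself negotiates.
#
# classify_ciphers reads 'openssl ciphers -v' output on stdin:
#   NAME  PROTO Kx=...  Au=...  Enc=ALG(bits)  Mac=...  [export]
# and prints "NAME<TAB>tags" for every suite a scanner would flag:
#   null   -> Enc=None (no encryption at all)
#   low    -> fewer than 56 key bits (the 40-bit export suites)
#   medium -> 56 to 111 key bits (DES, the 56-bit export suites)
#   anon   -> Au=None (anonymous DH: no server authentication)
# Suites with 112+ bits and a real authentication method print nothing.
# Note the band is on the key length OpenSSL reports, so 3DES(168) passes
# here even though its effective strength is 112 bits.
classify_ciphers() {
    awk '
    NF >= 2 {
        name = $1; bits = -1; anon = 0; tags = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "Enc=None")
                bits = 0
            else if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
            if ($i == "Au=None")
                anon = 1
        }
        if (bits < 0) next                 # no Enc= field: not a cipher line
        if (bits == 0)       tags = "null"
        else if (bits < 56)  tags = "low"
        else if (bits < 112) tags = "medium"
        if (anon) { if (tags == "") tags = "anon"; else tags = tags ",anon" }
        if (tags != "") printf "%s\t%s\n", name, tags
    }'
}

# Expand a cipher string the same way mod_ssl will and list what it still
# lets through. This only expands locally; it changes nothing on the server.
# Usage: check_cipher_string 'HIGH:!aNULL:!eNULL:!EXP:!LOW'   (string assumed)
check_cipher_string() {
    openssl ciphers -v "$1" | classify_ciphers
}

# Ask the live server for one specific suite, which is what the scanner
# does. Prints "offered NAME" or "refused NAME".
# Usage: probe_cipher www.example.com 443 DES-CBC-SHA   (hostname assumed)
probe_cipher() {
    if openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>/dev/null \
            | grep -q "Cipher is $3"; then
        echo "offered $3"
    else
        echo "refused $3"
    fi
}

# Constructed sample: a subset of the 'ALL:eNULL' listing from the question.
sample_ciphers() {
    cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EOF
}
```

Run `sample_ciphers | classify_ciphers` to see the classifier flag ADH-AES128-SHA (anon), DES-CBC-SHA (medium), the two export suites (low) and NULL-SHA (null) while passing the AES and 3DES suites. In practice you would run `check_cipher_string` on the exact value you intend for SSLCipherSuite, restart Apache, and then `probe_cipher` each suite named in the scan report (DES-CBC-SHA, EXP1024-DES-CBC-SHA, EXP1024-RC4-SHA) to confirm it is refused; a `refused` result from the server is what makes the finding go away, not any change to the openssl binary. Dropping SSLv2 is better done with mod_ssl's SSLProtocol directive than with `!SSLv2` in the cipher string alone.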
Expert Comment

by:ahoffmann
ID: 37837066
BTW, just to understand how security is sold/paid for:
do I understand correctly that you bought a security check (probably a PCI compliance check) and you simply got an automatically generated report without further explanations?
Author Comment

by:jpetter
ID: 37837081
Thanks very much for the quick response. I did see that initially on the man page, but it didn't click - I was thinking about it the wrong way.
Author Closing Comment

by:jpetter
ID: 37837083
Very quick response with very good information.
Author Comment

by:jpetter
ID: 37837093
Basically yes. A vulnerability scan runs against a group of servers, and a report gets sent out that includes the vulnerabilities that need to be cleared. Some of them have recommended fixes. For the SSL Weak Cipher vulnerability, we are provided with the ciphers we are to disable. So we do get a little bit of an explanation. The rest is done with Google, and when that fails, on to EE.

Thanks!
Expert Comment

by:ahoffmann
ID: 37837128
may I ask:
is this an automatic scheduled scan?
you do not get reports reviewed by human auditors?
if so, what're the costs?

and keep in mind: security is a process, not a product
Author Comment

by:jpetter
ID: 37837160
Some are automated, such as PCI, and some are for security reviews, which are not. If we have issues we can go to the security team for some support, and they do review them when we submit our remediation documentation.