SSL Weak Cipher

We have a new security product that has detected SSL Weak Cipher strengths. I have been going round and round trying to figure out what the issue might be.
What I am down to is a config option with OpenSSL. It appears it reads the SSL cipher strengths from the vhost-ssl.conf file in the /etc/apache2/vhosts.d directory.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
The above is the default string. I have changed it as follows to eliminate the weak SSLv2.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:+EXP:+eNULL:-SSLv2
The problem is the server still comes back supporting encryption of less than 128 bits. What options do I need to change to fix this issue?

Is this an OES1 or OES2 server? On what port is the weak cipher being used? When you installed your server, did you enable the option to use certificates from eDirectory?
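Added example (not from any post in this thread, and not OpenSSL's own code): a small Python model of how OpenSSL evaluates a cipher string, run over a constructed table of suites whose names come from the scan reports on this page. It shows why the edited string above still leaves sub-128-bit suites enabled: ALL puts every non-NULL suite in the list up front, the +HIGH/+MEDIUM/+EXP entries only move suites to the end of the list, -SSLv2 only drops the SSLv2-only suites (DES-CBC-SHA and the export suites also exist as SSLv3/TLSv1 suites), and +eNULL does not add the NULL suites. The alias tags in the table are an approximation of the OpenSSL 0.9.x aliases and are not exhaustive, and HARDENED_STRING is an assumption chosen for illustration.

```python
"""Simplified model of OpenSSL cipher-string evaluation (added example).

SUITES is a constructed table: a handful of suites named in the scan
reports on this page, tagged the way OpenSSL's aliases (HIGH, LOW,
EXPORT, SSLv2, ...) matched them in the era the thread is about.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int          # symmetric key length in bits
    tags: frozenset    # alias keywords that match this suite


def _s(name, bits, *tags):
    return Suite(name, bits, frozenset(tags))


SUITES = (
    _s("EXP-RC2-CBC-MD5", 40, "RSA", "RC2", "MD5", "EXPORT", "EXPORT40", "SSLv2"),
    _s("EXP-RC4-MD5", 40, "RSA", "RC4", "MD5", "EXPORT", "EXPORT40", "SSLv3"),
    _s("EXP-DES-CBC-SHA", 40, "RSA", "DES", "SHA1", "EXPORT", "EXPORT40", "SSLv3"),
    _s("EXP1024-DES-CBC-SHA", 56, "RSA", "DES", "SHA1", "EXPORT", "EXPORT56", "SSLv3"),
    _s("DES-CBC-MD5", 56, "RSA", "DES", "MD5", "LOW", "SSLv2"),
    _s("DES-CBC-SHA", 56, "RSA", "DES", "SHA1", "LOW", "SSLv3"),
    _s("EDH-RSA-DES-CBC-SHA", 56, "RSA", "EDH", "DH", "DES", "SHA1", "LOW", "SSLv3"),
    _s("RC4-MD5", 128, "RSA", "RC4", "MD5", "MEDIUM", "SSLv3"),
    _s("RC4-SHA", 128, "RSA", "RC4", "SHA1", "MEDIUM", "SSLv3"),
    _s("DES-CBC3-SHA", 168, "RSA", "3DES", "SHA1", "HIGH", "SSLv3"),
    _s("EDH-RSA-DES-CBC3-SHA", 168, "RSA", "EDH", "DH", "3DES", "SHA1", "HIGH", "SSLv3"),
    _s("AES128-SHA", 128, "RSA", "AES", "SHA1", "HIGH", "SSLv3"),
    _s("AES256-SHA", 256, "RSA", "AES", "SHA1", "HIGH", "SSLv3"),
    _s("ADH-AES128-SHA", 128, "ADH", "DH", "aNULL", "AES", "SHA1", "HIGH", "SSLv3"),
    _s("NULL-SHA", 0, "RSA", "eNULL", "SHA1", "SSLv3"),
)

ALIASES = {"EXP": "EXPORT", "TLSv1": "SSLv3"}   # TLSv1 suites are the SSLv3 set


def _matches(suite, word):
    """A word like RC4+RSA matches when every '+'-joined part matches."""
    for part in word.split("+"):
        part = ALIASES.get(part, part)
        if part == "ALL":
            if "eNULL" in suite.tags:      # ALL never includes the NULL ciphers
                return False
        elif part != suite.name and part not in suite.tags:
            return False
    return True


def evaluate(cipher_string, table=SUITES):
    """Return the enabled suites, in list order, for an OpenSSL-style string."""
    enabled, killed = [], set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        if token == "@STRENGTH":
            enabled.sort(key=lambda s: -s.bits)   # stable: ties keep their order
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [s for s in table if _matches(s, word)]   # unknown words match nothing
        if op == "!":                                   # delete permanently
            killed.update(s.name for s in hit)
            enabled = [s for s in enabled if s not in hit]
        elif op == "-":                                 # delete, may be re-added later
            enabled = [s for s in enabled if s not in hit]
        elif op == "+":                                 # only move to the end of the list
            enabled = [s for s in enabled if s not in hit] + [s for s in enabled if s in hit]
        else:                                           # append if new and not killed
            enabled += [s for s in hit if s.name not in killed and s not in enabled]
    if not enabled:
        raise ValueError("no cipher match")
    return enabled


def weak_suites(cipher_string, min_bits=128):
    """Names of enabled suites whose symmetric key is shorter than min_bits."""
    return [s.name for s in evaluate(cipher_string) if s.bits < min_bits]


# The two strings from the question, plus a hardened string assumed for this example.
DEFAULT_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
CHANGED_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:+EXP:+eNULL:-SSLv2"
HARDENED_STRING = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:@STRENGTH"

if __name__ == "__main__":
    for label, s in (("default", DEFAULT_STRING), ("changed", CHANGED_STRING),
                     ("hardened", HARDENED_STRING)):
        print(f"{label:8s} enabled={len(evaluate(s))} weak(<128)={weak_suites(s)}")
```

The hardened string works by exclusion (`!`) rather than by reordering (`+`), which is the difference that matters here. On a real server the check to run after editing SSLCipherSuite and reloading Apache is `openssl ciphers -v '<string>'`, which lists what that build actually enables.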

Similar Messages

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? There has to be something, we're talking, this is Cisco.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Chris,
    As I understand it, right now none of the Small Business routers are PCI compliant, ever since PCI 3.0 was released. To overcome this, you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505 are PCI 3.0 Compliant.

  • OEM weak cipher support

    Hello,
    If a box running Oracle is scanned with a vulnerability scanner it finds many vulnerabilities of weak SSL ciphers supported.
    TCP:1158 - DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
    TCP:1158 - DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
    TCP:1158 - EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
    TCP:1158 - EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
    TCP:1158 - EXP-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
    TCP:1158 - EXP-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
    TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
    TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
    TCP:1158 - EXP-RC4-MD5 (SSLv3) - SSL Weak Cipher Supported
    TCP:1158 - EXP-RC4-MD5 (TLSv1) - SSL Weak Cipher Supported
    TCP:1158 - DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
    TCP:1158 - DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
    TCP:1158 - EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
    TCP:1158 - EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
    TCP:1158 - EXP-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
    TCP:1158 - EXP-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
    TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
    TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
    TCP:1158 - EXP-RC4-MD5 (SSLv3) - SSL Weak Cipher Strength Supported
    TCP:1158 - EXP-RC4-MD5 (TLSv1) - SSL Weak Cipher Strength Supported
    TCP:1158 - (512) - SSL Certificate Weak Public Key Strength
    How can I lock down the local OEM to only TLS high ciphers?
    Thanks
    Matt

    I think that this was included as a reference in the doc that Eric had linked.
    -- Restricting access to console with https only
    $OMS_HOME/bin/emctl stop oms
    $OMS_HOME/bin/emctl secure lock -console
    $OMS_HOME/bin/emctl start oms
    -- Forcing the protocol to be TLSv1 only
    $OMS_HOME/bin/emctl stop oms
    $OMS_HOME/bin/emctl secure oms -protocol TLSv1
    cd /oracle/gc_inst/user_projects/domains/GCDomain/bin
    cp startEMServer.sh startEMServer.sh_backup
    vi startEMServer.sh
    -- add this option to JAVA_OPTIONS line in the file
    -Dweblogic.security.SSL.protocolVersion=TLS1
    $OMS_HOME/bin/emctl start oms
    -- Recreate the certificate with higher key strength
    $OMS_HOME/bin/emctl secure createca -sysman_pwd your_sysman_password -key_strength 1024 -cert_validity 3650
    I included a couple of additional steps. We are also having to implement additional security to grid control. We are still working through issues with creating a new certificate with support. After that is resolved, then we need to re-secure our agents to run on the newly created certificate & require them to use the stronger protocol. I will post the steps that we use once everything is done.
    I also included a link to a couple of the docs that assisted us.
    HTH,
    Brian
    Oracle® Enterprise Manager Administration 11g Release 1 (11.1.0.1)
    2 Enterprise Manager Security
    http://download.oracle.com/docs/cd/E11857_01/em.111/e16790/security3.htm#BABJGJAA
    Oracle Enterprise Manager Grid Control 11g Release 1 Security Deployment - Best Practices
    http://www.oracle.com/technetwork/oem/grid-control/twp-security-best-practices-133704.pdf

  • Weak cipher blocking in ACE20

    I tried to create an L7 class-map for blocking clients with cipher strength less than 128 in ACE20 running software version A2(2.3).
    But there was no command inside the L7 class-map called cipher for matching cipher strength 128. The command I tried to issue was
    host1/Admin(config-cmap-http-lb)#match cipher less-than 128
    So I want to know whether this is possible on ACE 20 and SW version A2(2.3). Kindly suggest a way to achieve this.
    I have seen some other configuration using the parameter-match, but I don't know which cipher names to allow. I want to drop all the connections with less than 128-bit cipher strength.
    Can anyone help with this?
    Tharun

    By default all available ciphers will be allowed. Those are:
    –RSA_EXPORT1024_WITH_DES_CBC_SHA
    –RSA_EXPORT1024_WITH_RC4_56_MD5
    –RSA_EXPORT1024_WITH_RC4_56_SHA
    –RSA_EXPORT_WITH_DES40_CBC_SHA
    –RSA_EXPORT_WITH_RC4_40_MD5
    –RSA_WITH_3DES_EDE_CBC_SHA
    –RSA_WITH_AES_128_CBC_SHA
    –RSA_WITH_AES_256_CBC_SHA
    –RSA_WITH_DES_CBC_SHA
    –RSA_WITH_RC4_128_MD5
    –RSA_WITH_RC4_128_SHA
    To narrow that down, create a parameter-map that specifies only the strong ones. Then apply that PMAP using the ssl advanced-options keyword in your ssl-proxy service section. Something like this:
    parameter-map type ssl _SSL_PMAP
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_RC4_128_SHA
      cipher RSA_WITH_3DES_EDE_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA
    ssl-proxy service _SSL
      key
      cert
      chaingroup
      ssl advanced-options _SSL_PMAP

  • Weak cipher suites supported on WCS port 8082

    Hi
    Port 8082 is used for health monitoring in WCS, a web service is running on this port so we can login via web and check the status.
    I would like to know, is there a way to limit the cipher suites supported on this port? For port 443, this can be done by modifying the Apache configuration file, however this doesn't work for 8082. The version is 5.2.148.0.
    Thanks and Regards,
    Leo

    Hi,
    "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709.
    CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
    Presently, there is no workaround for this vulnerability; however, the fix will be implemented in
    Prime Infrastructure 2.2, which is planned to be released around the end of this year (tentative).
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • Cisco Prime Infrastructure vulnerability SSL RC4 Cipher Suites Supported

    Hi All,
    I have a question on how to disable RC4 Cipher Suites Supported on Cisco Prime Infrastructure Platform.
    My client has used Nessus software to scan Prime and found the vulnerability below:
    SSL RC4 Cipher Suites Supported
    Cisco Prime Infrastructure is deployed on the latest 2.1.
    We have gained root access, modified ssl.conf and restarted the service, but were still unable to solve it.
    /opt/CSCOlumos/httpd/ssl/backup/ssl.conf
    /opt/CSCOlumos/httpd/ssl/ssl.conf
    C:\Program Files\Tenable\Nessus>nessuscmd -v -p 443 -i 21643 192.168.1.55
    Starting nessuscmd 5.2.7
    Scanning '192.168.1.55'...
    Host 192.168.1.55 is up
    Discovered open port https (443/tcp) on 192.168.1.55
    [i] Plugin 21643 reported a result on port https (443/tcp) of 192.168.1.55
    + Results found on 192.168.1.55 :
       - Port https (443/tcp) is open
         [i] Plugin ID 21643
          | Here is the list of SSL ciphers supported by the remote server :
          | Each group is reported per SSL Version.
          | SSL Version : TLSv1
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-CBC(56)   Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(128)      Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(128)      Mac=SHA1
          |
          | SSL Version : SSLv3
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-CBC(56)   Mac=SHA1
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-CBC(56)   Mac=SHA1
          |   High Strength Ciphers (>= 112-bit key)
          |       EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES(168)     Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(128)      Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(128)      Mac=SHA1
          | The fields above are :
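Added example (not from any post on this page, and not Nessus code): a Python parser for the cipher lines both scanner reports here print, the bare lines in the "Failing PCI Compliance Scan" post and the "|"-prefixed lines in the nessuscmd output just above. It bands each suite with the thresholds the reports themselves state (< 56-bit low, 56 to 111-bit medium, >= 112-bit high) and lists why a suite would be flagged. SAMPLE_REPORT is constructed from lines in those reports; the reason rules are deliberately limited to what the plugins on this page object to (strength band, export grade, RC4, SSLv2).

```python
"""Parser and classifier for Nessus-style cipher lines (added example).

Handles both layouts seen on this page: bare report lines and the
'|'-prefixed lines nessuscmd prints. SAMPLE_REPORT is constructed from
those reports so the script runs offline.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)
PROTO_RE = re.compile(r"^(?:SSL Version\s*:\s*)?(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")

SAMPLE_REPORT = """\
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
| SSL Version : TLSv1
|       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(128)    Mac=MD5
|       EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES(168)   Mac=SHA1
"""


def band(bits):
    """Strength band using the thresholds the reports themselves state."""
    if bits < 56:
        return "low"
    if bits < 112:
        return "medium"
    return "high"


def parse_report(text):
    """Return one dict per cipher line, tagged with the protocol heading in force."""
    proto, rows = None, []
    for raw in text.splitlines():
        line = raw.strip().lstrip("| ").strip()   # drop the nessuscmd '|' prefix
        head = PROTO_RE.match(line)
        if head:
            proto = head.group(1)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                               # section titles, field legend, etc.
        row = m.groupdict()
        row["bits"] = int(row["bits"])
        row["export"] = row["export"] is not None
        row["proto"] = proto
        row["band"] = band(row["bits"])
        rows.append(row)
    return rows


def findings(rows):
    """(proto, name, reasons) for each suite the plugins on this page would flag."""
    out = []
    for r in rows:
        reasons = []
        if r["band"] != "high":
            reasons.append(f'{r["band"]} strength ({r["bits"]}-bit)')
        if r["export"]:
            reasons.append("export grade")
        if r["enc"].upper().startswith("RC4"):     # RC4 plugin flags it regardless of bits
            reasons.append("RC4")
        if r["proto"] == "SSLv2":
            reasons.append("SSLv2")
        if reasons:
            out.append((r["proto"], r["name"], reasons))
    return out


def band_counts(rows):
    """How many parsed suites fall in each strength band."""
    return dict(Counter(r["band"] for r in rows))


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(band_counts(parsed))
    for proto, name, reasons in findings(parsed):
        print(f"{proto:5s} {name:24s} {', '.join(reasons)}")
```

Feeding a whole report in (rather than hand-reading it) makes it easy to compare before/after scans of the same port and confirm that a configuration change actually removed every flagged suite, not just the SSLv2 ones.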

    Hi,
    "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709.
    CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
    Presently, there is no workaround for this vulnerability; however, the fix will be implemented in
    Prime Infrastructure 2.2, which is planned to be released around the end of this year (tentative).
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • SSL-server cipher command

    Good day,
    I'd just like to find out what the "ssl-server xxx cipher" command does. Is it something to do with SSL module and web server communication?
    I have this command in my configuration but it seems that the CSS does not talk to the web servers properly.
    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list SSL-LIST01
    ssl-server 100
    ssl-server 100 vip address 10.180.6.1
    ssl-server 100 rsakey RSAKEYASSOCIATION1
    ssl-server 100 rsacert CERTASSOCIATIO1
    ssl-server 100 cipher rsa-with-rc4-128-sha 10.180.6.1 80
    active
    !************************** SERVICE **************************
    service DETDRSERVER01
    ip address 10.180.6.35
    port 80
    active
    service DETDRSERVER02
    ip address 10.180.6.37
    port 80
    active
    service SSL-MODULE01
    type ssl-accel
    keepalive type none
    slot 3
    add ssl-proxy-list SSL-LIST01
    active
    !*************************** OWNER ***************************
    owner OWNER
    content DRSERVERS-HTTP-RULE
    vip address 10.180.6.1
    balance aca
    add service MYDRSERVER02
    add service MYDRSERVER01
    protocol tcp
    port 80
    active
    content DRSERVERS-SSL-RULE
    vip address 10.180.6.1
    application ssl
    protocol tcp
    port 443
    add service SSL-MODULE01
    active
    When I tried it from IE, I get the certificate but it doesn't connect to the web server homepage.
    What is the command to see the traffic between the CSS and the web servers?
    Any help appreciated.
    Thanks.

    To assign a cipher suite to the virtual SSL server, use the ssl-server number cipher command. For each available SSL version, there is a distinct list of supported cipher suites representing a selection of cryptographic algorithms and parameters. Your choice depends on your environment, certificates and keys in use, and security requirements. By default, no supported cipher suites are enabled. Use the no form of this command to remove a cipher suite from the server.
    For more information have a look at http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008011940f.html#1139899

  • PCI DSS Compliance on Cisco ACS 5.0

    Dear
    During our recent VA we were told that the vulnerabilities below exist in the ACS:
    SSL/TLS Protocol Initialization Vector Implementation Information Disclosure
    Vulnerability on port 443
    SSL Weak Cipher Suites Supported on port 2030
    SSL Medium Strength Cipher Suites Supported on port 2030
    Can anybody kindly guide me on how to solve these issues?
    Best regards
    Muralee

    To log in to ACS server and access the CLI, use an SSH secure shell client or the console port.
    Accessing the ACS CLI
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/CLIuse.html#wp1096003
    Regards,
    Jatin

  • How to specify a cipher suite used between plugin and weblogic server?

    I installed WebLogic 8.1 SP3, which supports strong cipher suites, and configured an Apache 2.50 server as a front end.
    I configured Apache to use 2-way SSL with the browser and WLS one-way SSL with the Apache plugin, then configured Apache to forward client certs to WLS. Now the problem is, I can see that the SSL connection between browser and Apache uses a strong cipher suite ('SSL_RSA_WITH_RC4_128_MD5'), but the SSL connection between the Apache plugin and WLS uses a weak cipher suite ('SSL_RSA_EXPORT_WITH_RC4_40_MD5'), as seen with the SnoopServlet, although I use the mod_wl128_20.so module. How can I increase the cipher strength of SSL between WLS and its Apache plugin?
    Thanks in advance.
    Best
    Regards
    Jean

    Hello Gunaseelan,
    This is not possible because WLS 6.1 needs a config.xml file, exactly this
    name, to start.
    What you can do is to define a recovery domain, called myrecovery_domain for
    instance, and put the config_recovery.xml, renamed "config.xml".
    Hope this helps,
    Ludovic.
    Developer Relations Engineer
    BEA Support.
    "Gunaseelan Venkateswaran" <[email protected]> wrote in message
    news: 3cd6a324$[email protected]...
    > Hi,
    > I have 2 weblogic startup scripts (startWebLogic.sh and
    > startWebLogic_recovery.sh) for the same domain.
    > startWebLogic.sh uses config.xml file.
    > I would like to use config_recovery.xml as the configuration file for startWebLogic_recovery.sh
    >
    > How would I do this ?
    > I am using WebLogic Server 6.1 on SunOS 5.8 / HP-UX 11.0.
    > Appreciate any help.
    > Regards
    > Gunaseelan Venkateswaran

  • Securing DSEE - configuring CACAO SSL ciphers?

    Is there -any- possible way to set the SSL cipher suites that cacao uses? I've tried nearly everything I can think of, and no matter what it does not make a difference.
    I've already managed to get the actual LDAP SSL port running on high strength ciphers, and the Java webconsole (port 6789) on high strength ciphers. The only thing left is cacao on ports 11163 and 11164 (commandstream and the RMI registry).
    Anyone?

    Just an update, opened a ticket and got this response.
    <quote>
    Cacao uses the default set of ciphers offered by the Java Virtual Machine for TLSv3, as per the standard, which means that it supports a list of ciphers, the weakest of which is DES which is what triggers the scanner's alert.
    Whilst it therefore supports the weaker encryption for clients that specifically request it, the Java client libraries also use the same set of ciphers offered by the Java Virtual Machine, TLSv3 negotiation always chooses the strongest cipher suite, and so this supported cipher is not used.
    As such, there will never be any communication performed by the product using the weaker cipher suites, and this can be considered a 'false positive' in the automated detection of "supported" cipher suites: supported, yes; used, no.
    I hope that this can help explain why the automated scanner - which is deliberately trying to establish a connection with the DES cipher to see if it can - is reporting the false positive.
    </quote>
    Hope this helps others!

  • ACE SSL terminate not working ... please help

    Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
    The configuration:
    ace-demo/Admin# sh run
    Generating configuration....
    boot system image:c4710ace-mz.A3_2_4.bin
    boot system image:c4710ace-mz.A3_2_1.bin
    login timeout 0
    hostname ace-demo
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 400-401,450
      no shutdown
    crypto csr-params testparams
      country PE
      state Lima
      locality Lima
      organization-name TI
      organization-unit TI
      common-name www.yyy.com
      serial-number 1000
    access-list anyone line 8 extended permit ip any any
    access-list anyone line 16 extended permit icmp any any
    parameter-map type ssl sslparams
      cipher RSA_WITH_RC4_128_MD5
      version SSL3
    rserver host rsrv1
      ip address 10.1.40.2
      inservice
    rserver host rsrv2
      ip address 10.1.40.3
      inservice
    serverfarm host farm-demo
      rserver rsrv1
        inservice
      rserver rsrv2
        inservice
    serverfarm host site-A
      rserver rsrv1
        inservice
    serverfarm host site-B
      rserver rsrv2
        inservice
    ssl-proxy service testssl
      key testkey.key
      cert testcert.pem
      ssl advanced-options sslparams
    class-map type management match-any MGMT
      2 match protocol icmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol snmp any
      6 match protocol telnet any
      7 match protocol ssh any
    class-map match-any VIP
      6 match virtual-address 10.1.41.10 any
    class-map type generic match-any WAN-site-A
      2 match source-address 192.168.10.106 255.255.255.255
      3 match source-address 192.168.10.125 255.255.255.255
    class-map type generic match-any WAN-site-B
      2 match source-address 192.168.10.96 255.255.255.255
      3 match source-address 192.168.10.93 255.255.255.255
    class-map type management match-any icmp
      2 match protocol icmp any
    class-map match-any vip-ssl-10.1.41.20
      2 match virtual-address 10.1.41.20 tcp eq https
    policy-map type management first-match ICMP
      class icmp
        permit
    policy-map type management first-match MGMT
      class MGMT
        permit
    policy-map type loadbalance first-match vip-ssl-10.1.41.20
      class class-default
        serverfarm farm-demo
    policy-map type loadbalance generic first-match lb-server
      class WAN-site-A
        serverfarm site-A
      class WAN-site-B
        serverfarm site-B
      class class-default
        serverfarm farm-demo
    policy-map multi-match client-side
      class VIP
        loadbalance vip inservice
        loadbalance policy lb-server
    policy-map multi-match lb-vip
      class vip-ssl-10.1.41.20
        loadbalance vip inservice
        loadbalance policy vip-ssl-10.1.41.20
        loadbalance vip icmp-reply
        ssl-proxy server testssl
    interface vlan 400
      description side-server
      ip address 10.1.40.1 255.255.255.0
      access-group input anyone
      service-policy input ICMP
      no shutdown
    interface vlan 401
      description side-client
      ip address 10.1.41.1 255.255.255.0
      access-group input anyone
      access-group output anyone
      service-policy input ICMP
      service-policy input client-side
      service-policy input lb-vip
      no shutdown
    interface vlan 450
      description mgmt
      ip address 10.1.45.1 255.255.255.0
      access-group input anyone
      service-policy input MGMT
      no shutdown
    ip route 192.168.10.0 255.255.255.0 10.1.45.10
    And the proof:
    ace-demo/Admin# sh serverfarm farm-demo
    serverfarm     : farm-demo, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: rsrv1
           10.1.40.2:0           8      OPERATIONAL  0          25         19
       rserver: rsrv2
           10.1.40.3:0           8      OPERATIONAL  0          23         18
    ace-demo/Admin# sh crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    admin                                    887   PEM     Yes         KEY
    testcert.pem                             709   PEM     Yes        CERT
    testkey.key                              497   PEM     Yes         KEY
    ace-demo/Admin#
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 38       
            dropped conns    : 18       
            client pkt count : 159       , client byte count: 12576              
            server pkt count : 16        , server byte count: 640                
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    in other time:
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 170      
            dropped conns    : 89       
            client pkt count : 703       , client byte count: 60089              
            server pkt count : 85        , server byte count: 3400               
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    ace-demo/Admin#
    ace-demo/Admin# sh stats crypto server
    +----------------------------------------------+
    +---- Crypto server termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                       43
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                           37
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         6
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto server alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               6
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                 47
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto server authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto server cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                    43
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    ace-demo/Admin# crypto verify testkey.key testcert.pem
    Keypair in testkey.key matches certificate in testcert.pem.
    ace-demo/Admin#
    ace-demo/Admin#  sh conn
    total current connections : 0
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+

    Hello Alvaro,
    The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
    Remove the rservers from the SF "farm-demo" and then configure them back like this:
    serverfarm host farm-demo
      rserver rsrv1 80
        inservice
      rserver rsrv2 80
        inservice
    That should do the trick =)
    HTH
    Pablo
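    An added check that goes with the diagnosis above (example code written for this page, not part of Pablo's reply or of any Cisco tooling): a small parser for the ACE "show conn" table that pairs each client-side "in" row with its server-side "out" row and flags connections that arrived on the HTTPS VIP but were sent on to the rserver on something other than the clear-text port. That is exactly the symptom of a serverfarm entry with no port: after "ssl-proxy server" decrypts the flow, the ACE forwards it to the same port it came in on. The sample table is constructed from the format shown in this thread; the VIP/clear-text ports (443 and 80) and the pairing-by-client-socket rule are assumptions.

```python
import re
from collections import defaultdict

# Row layout of the ACE "show conn" table as printed in this thread:
#   conn-id np dir proto vlan source destination state
CONN_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)

# Constructed sample: the HTTPS VIP 219.222.4.178:443 is terminated on the ACE,
# yet the server-side leg goes to the rserver on 443 instead of 80.
SAMPLE_SHOW_CONN = """\
total current connections : 4
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
4          1  in  TCP   21   219.222.0.2:49972     219.222.4.178:443     ESTAB
14         1  out TCP   22   219.222.4.185:443     219.222.0.2:49972     ESTAB
11         2  in  TCP   21   219.222.0.2:49923     219.222.4.178:80      ESTAB
3          2  out TCP   22   219.222.4.185:80      219.222.0.2:49923     ESTAB
"""


def parse_show_conn(text):
    """Return one dict per flow row; header, separator and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("id", "np", "vlan", "sport", "dport"):
                row[key] = int(row[key])
            flows.append(row)
    return flows


def pair_flows(flows):
    """Join the client-side ('in') and server-side ('out') halves of each
    load-balanced connection. The client socket appears on both halves:
    as the source of the 'in' row and as the destination of the 'out' row."""
    pairs = defaultdict(dict)
    for f in flows:
        client = (f["src"], f["sport"]) if f["dir"] == "in" else (f["dst"], f["dport"])
        pairs[client][f["dir"]] = f
    return pairs


def audit_ssl_termination(text, vip_ssl_port=443, clear_text_port=80):
    """Flag connections that hit the SSL VIP but were forwarded to the rserver on
    a port other than the clear-text one. With 'ssl-proxy server' on the VIP and
    no 'ssl-proxy client' in the policy, that is the missing-port misconfiguration."""
    findings = []
    for client, halves in sorted(pair_flows(parse_show_conn(text)).items()):
        if "in" not in halves or "out" not in halves:
            continue
        vip_port = halves["in"]["dport"]
        backend, backend_port = halves["out"]["src"], halves["out"]["sport"]
        if vip_port == vip_ssl_port and backend_port != clear_text_port:
            findings.append({
                "client": "%s:%d" % client,
                "vip": "%s:%d" % (halves["in"]["dst"], vip_port),
                "backend": "%s:%d" % (backend, backend_port),
                "hint": "decrypted traffic forwarded to port %d; give the rserver port %d "
                        "in the serverfarm, or add an ssl-proxy client if re-encryption "
                        "to the backend is intended" % (backend_port, clear_text_port),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_termination(SAMPLE_SHOW_CONN):
        print(finding)
```

    Paste the real "show conn" output into the script in place of the sample; a clean setup reports nothing, because every 443 VIP connection then shows an "out" row to the rserver on port 80.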

  • New bug in IIS/SSL code?

    Hello Team,
    Windows 2012 R2 Datacenter with all patches. IIS with SSL and SCEP (NDES) service.
    The problem occurs only when the client proposes an SSL RSA cipher suite. For a DH cipher suite everything is working fine.
    The SCEP communication from my router to IIS/SSL:
    - Client Hello with RSA cipher 
    - Server Hello with RSA cipher + Certificate
    - client sending Client Key Exchange + received ACK from server
    - client sending Change Cipher spec and..
    - server sends RST
    Screenshot from SSL session:
    http://tinypic.com/r/m93976/8
    The problem is not SCEP related. It can be recreated by any web browser accessing IIS via HTTPS. That web browser should have the RSA cipher suite disabled (in Firefox about:config/ssl). I have tested from a locally installed Firefox to exclude any interference on the network.
    Is this any well-known bug? (I cannot find any.) Please advise.
    Regards,
    Michal Garcarz

    I agree that it is weird - but I would still be interested in using another crypto provider at the server ... not just another certificate, but one associated with a key using a different CSP.
    If you say you use the 'default' one - which one is it? It depends on the certificate template or settings you made when creating the key.
    I suppose it is either the Software Key Storage Provider (CNG) or the classical RSA SChannel CSP (visible e.g. in the output of certutil -v -store run at the server). If all of your server certificates use one of these, I'd try to test one more certificate that uses the other one, even if it is just to rule out an impact of the crypto provider.
    Elke

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also relieving the servers from the SSL encrypting and decrypting of sessions.
    The load balancing works, as long as the session is HTTP, but when the "customer" comes to the point where it is going to pay, our shop jumps over to HTTPS, and this is where the problem appears.
    The "customer" gets the certificate right, but the site is not displayed = the session to the shop seems to die.
    If I have missed something in the config, or if someone has any other idea why this doesn't work for me...
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
      interval 3
      passdetect interval 10
      passdetect count 2
      expect status 200 200
      expect status 300 323
    parameter-map type ssl SSLPARAMS
      cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
      description testserver1
      ip address 219.222.4.180
      probe PROBE-HTTP
      inservice
    rserver host vmware-server2
      description testserver 2
      ip address 219.222.4.181
      probe PROBE-HTTP
      inservice
    rserver host web5
      description testserver from windows nlb
      ip address 219.222.4.185
      probe PROBE-HTTP
      inservice
    ssl-proxy service SSL-PROXY-SE
      key cert-se.key
      cert cert-se.pem
      ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
      rserver vmware-server1
        inservice
    serverfarm host webtest
      description testserver-farm
      predictor leastconns
      rserver vmware-server1 80
      rserver vmware-server2 80
      rserver web5
        inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
      timeout 60
      serverfarm webtest
    class-map match-all VIP-HTTP
      2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
      2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
      description for icmp reply
      2 match protocol icmp any
    policy-map type management first-match icmp
      class icmp
        permit
    policy-map type loadbalance first-match VIP-HTTP
      class class-default
        sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
      class class-default
        serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
      class VIP-HTTP
        loadbalance vip inservice
        loadbalance policy VIP-HTTP
        loadbalance vip icmp-reply
      class VIP-HTTPS
        loadbalance vip inservice
        loadbalance policy VIP-SSL
        loadbalance vip icmp-reply
        ssl-proxy server SSL-PROXY-SE
    interface vlan 21
      description ### ACE OUTSIDE mot FW ###
      ip address 219.222.4.171 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      service-policy input SLB-VIP-HTTP
      no shutdown
    interface vlan 22
      description ### ACE INSIDE Gateway for Web-servers ###
      ip address 219.222.4.177 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    As seen in "show conn", the sessions are established: first when I enter the site, and then when I go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4          1  in  TCP   21   219.222.0.2:49972     219.222.4.178:443     ESTAB
    14         1  out TCP   22   219.222.4.185:443     219.222.0.2:49972     ESTAB
    11         2  in  TCP   21   219.222.0.2:49923     219.222.4.178:80      ESTAB
    3          2  out TCP   22   219.222.4.185:80      219.222.0.2:49923     ESTAB
    ACE-1/CO-WEB1#

    Hello Krille
    I had the same problem.
    The HTTP probe you define will do a check if the return code is
    expect status 200 200
    expect status 300 323
    Now, if a user is accessing the https site, in the flow there will be a status like 404; the ACE now does not establish a sticky connection, because it thinks that the flow is not ok.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard

  • ACE ssl initiation

    Have done ssl init on the CSS before.
    It can be easily configured to present a client cert to the remote end like a browser would.
    I can't see how this is done on the ACE.
    Do I just apply an authgroup referring to the client cert in the ssl proxy configuration ?

    Hi,
    For SSL initiation the ACE shall act as a client. So you will define an SSL-Proxy and just bind it with the policy map.
    The config below is for end-to-end SSL, but look at the bold part, which is for SSL initiation; here is the link for your reference.
    access-list allow_all line 10 extended permit ip any any
    probe http KEEPALIVE-WEBS
      description Test for Webs Servers
      interval 15
      passdetect interval 30
      request method head url /ping.jsp
      expect status 200 200
    parameter-map type ssl ssl_ciphers
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_RC4_128_SHA
      cipher RSA_WITH_DES_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA
      cipher RSA_WITH_AES_256_CBC_SHA
    rserver host WEB001
      description Web Servers
      ip address 10.0.130.253
      probe KEEPALIVE-WEBS
      inservice
    rserver host WEB002
      description Web Servers
      ip address 10.0.130.252
      probe KEEPALIVE-WEBS
      inservice
    rserver host WEB003
      description Web Servers
      ip address 10.0.130.254
      probe KEEPALIVE-WEBS
      inservice
    rserver redirect OLD_SITE_REDIR
      webhost-redirection https://www.newsite.com 301
      inservice
    ssl-proxy service SERVER_SSL
      key www-server.key
      cert www-server.crt
      ssl advanced-options ssl_ciphers
    ssl-proxy service CLIENT_SSL
       ssl advanced-options ssl_ciphers
    serverfarm redirect REDIRECT
      rserver OLD_SITE_REDIR
        inservice
    serverfarm host VIP-WWW-443
      description servers-for-https
      rserver WEB001 443
        inservice
      rserver WEB002 443
        inservice
      rserver WEB003 443
        inservice
    serverfarm host VIP-WWW-80
      description servers-for-www
      rserver WEB001 80
        inservice
      rserver WEB002 80
        inservice
      rserver WEB003 80
        inservice
    sticky http-cookie wwwservers WWW-P80
      cookie insert
      timeout 720
      replicate sticky
      serverfarm VIP-WWW-80
    sticky http-cookie wwwservers WWW-P443
      cookie insert
      timeout 720
      replicate sticky
      serverfarm VIP-WWW-443
    class-map type http loadbalance match-all CLA7REDIR
      2 match http url http://www.oldsite.com/.*
    class-map type http loadbalance match-all CLA7WWW
      2 match http url http://www.newsite.com/.*
    class-map match-any VIP-P443
      2 match virtual-address 10.0.128.211 tcp eq https
    class-map match-any VIP-P80
      2 match virtual-address 10.0.128.211 tcp eq www
    policy-map type loadbalance first-match VIP_SERVER_P443
      class CLA7REDIR
        serverfarm REDIRECT
      class CLA7WWW
        sticky-serverfarm WWW-P443
        ssl-proxy client CLIENT_SSL
    policy-map type loadbalance first-match VIP_SERVER_P80
      class class-default
        sticky-serverfarm WWW-P80
    policy-map multi-match WWW_LB
      class VIP-P80
        loadbalance vip inservice
        loadbalance policy VIP_SERVER_P80
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
      class VIP-P443
        loadbalance vip inservice
        loadbalance policy VIP_SERVER_P443
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        ssl-proxy server SERVER_SSL
    interface vlan 128
      ip address 10.0.128.15 255.255.255.0
      access-group input allow_all
      service-policy input WWW_LB
      no shutdown
    interface vlan 130
      ip address 10.0.130.15 255.255.255.0
      access-group input allow_all
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.128.1
    Regards,
    Kanwal

  • Unable to access ASDM on 5505

    I'm new to the forum/discussions, so forgive me if this is already posted. I read through several other posts and have followed the troubleshooting procedures in them, but I still can't access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52, which shows as compatible with ASA 8.2(1). I'm on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. The FW is passing traffic and everything else works just fine. Please advise. Thank you.
    JEREMY-ASA# show ver
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 7.1(1)52
    JEREMY-ASA# show run asdm
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    JEREMY-ASA# show run http
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    JEREMY-ASA# show run
    : Saved
    ASA Version 8.2(1)
    hostname JEREMY-ASA
    enable password OMIT encrypted
    passwd OMIT encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 134.121.11.153 255.255.248.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner exec
    OMIT BANNER STATEMENTS
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit intra-interface
    access-list outside_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging asdm-buffer-size 250
    logging trap informational
    logging asdm informational
    logging device-id ipaddress outside
    logging host outside OMIT
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    ip audit attack action drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.1.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 134.121.15.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 10
    ssh version 2
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server OMIT
    ssl encryption des-sha1
    webvpn
    username OMIT password OMIT encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    crashinfo console disable
    Cryptochecksum:3c8669ae6960ca4cc206db58ffbf3c21
    : end

    It's most likely the string:
         ssl encryption des-sha1
    That weak cipher is not compatible with most modern browsers and current releases of Java, which ASDM depends on. Try adding a strong cipher, e.g.:
         ssl encryption des-sha1 aes256-sha1
    Make sure you have 3DES-AES activation first ("show version" or "show activation-key" will confirm that feature license is active).
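    The same "weak cipher" question runs through this whole page: the RC4/DES entries in the ACE parameter-maps posted in the "Ace ssl-proxy problem" and "ACE ssl initiation" threads, the "show stats crypto" counters at the top of this section, and the ASA "ssl encryption des-sha1" line fixed in the reply above. The following is an added audit script (example code written for this page, not Cisco's), which classifies each cipher name from those three sources by bulk algorithm and key size. The classification rule is my own and is stated in the code: export-grade, single DES, NULL and RC4 are "weak", 3DES is "medium" (112-bit effective strength), AES is "strong". The sample text is constructed from the configs and counters posted above.

```python
import re

# Nominal key length when the name carries none, e.g. ASA "des-sha1" or the ACE
# name RSA_WITH_DES_CBC_SHA. 3DES is listed at its 168-bit nominal size; the
# verdict below treats it as medium because of its 112-bit effective strength.
DEFAULT_BITS = {"des": 56, "3des": 168, "rc4": 128, "aes": 128, "null": 0, "enull": 0}
BULK_RE = re.compile(r"(3des|des|rc4|aes|null|enull)(\d+)?")


def cipher_strength(name):
    """Map a Cisco cipher name to (bulk cipher, key bits, verdict).
    Understands ACE parameter-map names (RSA_WITH_RC4_128_MD5), ACE 'show stats
    crypto' counter names (sslv3_rsa_exp1024_rc4_56_md5) and ASA 'ssl encryption'
    keywords (des-sha1, aes256-sha1)."""
    toks = re.split(r"[-_]", name.lower())
    export = any(t.startswith("exp") for t in toks)   # EXPORT / exp / exp1024
    bulk = bits = None
    for i, t in enumerate(toks):
        m = BULK_RE.fullmatch(t)
        if m:
            bulk, bits = m.group(1), m.group(2)
            # ACE names carry the key size as the next token: rc4_128, aes_256, rc4_56
            if bits is None and i + 1 < len(toks) and toks[i + 1].isdigit():
                bits = toks[i + 1]
            break
    if bulk is None:
        return (None, None, "unknown")
    bits = int(bits) if bits is not None else DEFAULT_BITS[bulk]
    if bulk in ("null", "enull") or export or bits < 112:
        verdict = "weak"      # no encryption, export grade, or single DES
    elif bulk == "rc4":
        verdict = "weak"      # RC4 is broken at any key size (RFC 7465)
    elif bulk == "3des":
        verdict = "medium"    # 112-bit effective strength, 64-bit block
    else:
        verdict = "strong"
    return (bulk, bits, verdict)


ACE_PARAM_RE = re.compile(r"^cipher\s+(\S+)$", re.I)        # parameter-map type ssl
ACE_STATS_RE = re.compile(r"^Cipher\s+(\S+):\s+(\d+)$")     # show stats crypto
ASA_SSL_RE = re.compile(r"^ssl encryption\s+(.+)$")         # ASA global ssl line


def extract_ciphers(text):
    """Yield (cipher name, negotiation count or None) for every cipher the text
    configures or reports; all other lines are ignored."""
    for line in text.splitlines():
        s = line.strip()
        m = ACE_PARAM_RE.match(s)
        if m:
            yield m.group(1), None
            continue
        m = ACE_STATS_RE.match(s)
        if m:
            yield m.group(1), int(m.group(2))
            continue
        m = ASA_SSL_RE.match(s)
        if m:
            for word in m.group(1).split():
                yield word, None


def audit(text):
    """Return [(name, bulk, bits, verdict, count)] for every cipher found, weakest first."""
    rows = []
    for name, count in extract_ciphers(text):
        bulk, bits, verdict = cipher_strength(name)
        rows.append((name, bulk, bits, verdict, count))
    order = {"weak": 0, "unknown": 1, "medium": 2, "strong": 3}
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))


def weak_ciphers(text):
    """Names a weak-cipher scan would report, with the negotiation count where known;
    a non-zero count means clients are actually using that cipher, not merely offered it."""
    return [(r[0], r[4]) for r in audit(text) if r[3] == "weak"]


# Constructed sample stitched from the configs and counters posted on this page.
SAMPLE = """\
parameter-map type ssl ssl_ciphers
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
Cipher sslv3_rsa_rc4_128_md5:                    43
Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
ssl encryption des-sha1 aes256-sha1
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

    Run it over a saved "show run" plus "show stats crypto"; every entry the script marks weak is a line to delete from the parameter-map (or from "ssl encryption" on the ASA), and a weak counter that is non-zero tells you which clients will break when you do.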
