Errors when configuring ProxySG management console SSL cipher strength with a CLI overlay in Director

Article ID: 165603


Products

Director

Issue/Introduction

Using Director, you receive errors when attempting to apply an overlay that disables SSL encryption ciphers, but the same set of commands works when you are attached directly to the SG in the command line interface.

Resolution

A: To duplicate both these symptoms, follow these two steps:

1: Use SSH to log into the SG:

  • ssh admin@<ipaddress of SG>
  • <prompt of SG >en
  • <enter password>
  • <prompt of SG >config t

Then execute these cipher configuration commands. The "attribute cipher-suite" command prints the cipher table and prompts for input; "3,13" is the answer typed at that prompt:

  • <prompt of SG> <config> management-services
  • <prompt of SG> <config> edit HTTPS-Console
  • <prompt of SG> <config> attribute cipher-suite
  • 3,13


2: While in the Director Management Console, attempt to execute the same commands in a CLI-based overlay. Here are the results and their corresponding errors:

Error:
+-------------------------------------------
| Output for device "ProxySG"
+-------------------------------------------
;;BEGIN MANUAL SETTINGS
Error:  Internal Error - device communication interrupted
management-services
Error:  Internal Error - device communication interrupted
edit HTTPS-Console
Error:  Internal Error - device communication interrupted
attribute cipher-suite
Error:  Internal Error - device communication interrupted
3,13
Error:  Internal Error - device communication interrupted
;;END MANUAL SETTINGS
Error:  Internal Error - device communication interrupted
Overlay execution complete for device "ProxySG"

Analysis: The above errors are a side effect of how Director sends CLI commands to the proxies and processes their responses. When you enter the command "attribute cipher-suite" on its own, the proxy prints a long list of ciphers and prompts you for input to tell it which ciphers to enable. Director does not know how to handle this prompt, so it errors out, as in the example above. Director expects to run commands blindly: each command is either accepted or rejected by the proxy without any further user input. Putting the cipher names in the command itself solves this, because the SG no longer prompts you. This is why the names must go on the same line as the "attribute cipher-suite" command: that tells the proxy directly which ciphers to enable, without it expecting additional user input.

B: To successfully process these commands through Director:

You will need to edit them into the overlay using their corresponding cipher names. Here are the altered commands to use in the overlay:

  • management-services
  • edit HTTPS-Console
  • attribute cipher-suite DES-CBC3-SHA EXP-RC4-MD5

NOTE: The above command syntax now has the intended effect of disabling all cipher suites except 3 and 13 and allows the overlay to execute without issue.

C: How to process other cipher commands:

To obtain the names of other cipher suites for use in your own customized overlay, log into a ProxySG and run the commands given below. The output is a table of cipher numbers and names; take the cipher names from its "Description" column and use them in place of the numbers.

Connect to your SG via SSH and run these commands:

Blue Coat SG210 Series>en
Enable Password:
Blue Coat SG210 Series#conf t
Enter configuration commands, one per line.  End with CTRL-Z.
Blue Coat SG210 Series#(config)management-services
Blue Coat SG210 Series#(config management-services)edit HTTPS-Console
Blue Coat SG210 Series#(config HTTPS-Console)attribute cipher-suite
Cipher#  Use        Description        Strength
-------  ---  -----------------------  --------
      1   no                  RC4-MD5    Medium
      2   no                  RC4-SHA    Medium
      3  yes             DES-CBC3-SHA      High
      4   no             DES-CBC3-MD5      High
      5   no              RC2-CBC-MD5    Medium
      6   no               RC4-64-MD5       Low
      7   no              DES-CBC-SHA       Low
      8   no              DES-CBC-MD5       Low
      9   no          EXP1024-RC4-MD5    Export
     10   no          EXP1024-RC4-SHA    Export
     11   no      EXP1024-RC2-CBC-MD5    Export
     12   no      EXP1024-DES-CBC-SHA    Export
     13  yes              EXP-RC4-MD5    Export
     14   no          EXP-RC2-CBC-MD5    Export
     15   no          EXP-DES-CBC-SHA    Export
     16   no               AES128-SHA    Medium
     17   no               AES256-SHA      High
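The following Python script is an added example for sections B and C; it is not part of the article and is not Blue Coat or Director code. It parses the cipher table printed by "attribute cipher-suite" (the table text below is copied from the article), turns the answer you would have typed at the interactive prompt (such as "3,13") into the single-line command that Director can run without a prompt, and lists any selected suites whose Strength column reads Export or Low so they can be reviewed before the overlay is applied. The function names and the regular expression are this example's own assumptions about the table layout.

```python
import re

# Cipher table as printed by "attribute cipher-suite" on the ProxySG, copied from the
# article above (cipher numbers, current Use flag, Description = cipher name, Strength).
CIPHER_TABLE = """\
Cipher#  Use        Description        Strength
-------  ---  -----------------------  --------
      1   no                  RC4-MD5    Medium
      2   no                  RC4-SHA    Medium
      3  yes             DES-CBC3-SHA      High
      4   no             DES-CBC3-MD5      High
      5   no              RC2-CBC-MD5    Medium
      6   no               RC4-64-MD5       Low
      7   no              DES-CBC-SHA       Low
      8   no              DES-CBC-MD5       Low
      9   no          EXP1024-RC4-MD5    Export
     10   no          EXP1024-RC4-SHA    Export
     11   no      EXP1024-RC2-CBC-MD5    Export
     12   no      EXP1024-DES-CBC-SHA    Export
     13  yes              EXP-RC4-MD5    Export
     14   no          EXP-RC2-CBC-MD5    Export
     15   no          EXP-DES-CBC-SHA    Export
     16   no               AES128-SHA    Medium
     17   no               AES256-SHA      High
"""

# One table row: number, yes/no flag, cipher name, strength (assumed layout).
# The header, separator and CLI prompt lines do not match and are skipped.
ROW_RE = re.compile(r"^\s*(\d+)\s+(yes|no)\s+(\S+)\s+(\S+)\s*$")


def parse_cipher_table(text):
    """Map cipher number -> {"name", "strength", "enabled"} from the interactive table."""
    ciphers = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            num, use, name, strength = m.groups()
            ciphers[int(num)] = {"name": name, "strength": strength, "enabled": use == "yes"}
    return ciphers


def cipher_names(selection, ciphers):
    """Resolve the comma-separated prompt answer (e.g. "3,13") to cipher names.

    Unknown or non-numeric entries raise ValueError rather than silently dropping
    a cipher, so a typo cannot change which suites end up enabled.
    """
    names = []
    for token in selection.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit() or int(token) not in ciphers:
            raise ValueError(f"unknown cipher number: {token!r}")
        names.append(ciphers[int(token)]["name"])
    if not names:
        raise ValueError("no ciphers selected")
    return names


def overlay_commands(selection, ciphers):
    """The non-interactive lines to put in the Director overlay (names, not numbers)."""
    return [
        "management-services",
        "edit HTTPS-Console",
        "attribute cipher-suite " + " ".join(cipher_names(selection, ciphers)),
    ]


def weak_selected(selection, ciphers, weak=("Export", "Low")):
    """Selected cipher names whose Strength column is Export or Low, for review."""
    strength = {c["name"]: c["strength"] for c in ciphers.values()}
    return [n for n in cipher_names(selection, ciphers) if strength[n] in weak]


if __name__ == "__main__":
    table = parse_cipher_table(CIPHER_TABLE)
    for line in overlay_commands("3,13", table):
        print(line)
    flagged = weak_selected("3,13", table)
    if flagged:
        print("review before applying, Export/Low strength selected:", ", ".join(flagged))
```

Run as shown, the script prints the three overlay lines from section B and flags EXP-RC4-MD5, which the table lists with Export strength. To build an overlay for a different selection, paste the table output from your own appliance into CIPHER_TABLE and change the selection string.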