ProxySG - How to disable export grade ciphers to prevent FREAK attack.

Article ID: 168481

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

SGOS 6.5, 6.2, and 5.5 are vulnerable on all SSL/TLS interfaces. Export grade ciphers are enabled by default, but they can be disabled.

The possible reference to Disable to Disallow other ciphers are well

Resolution

Configuration settings should be changed to disallow export grade ciphers for the HTTPS Console (and/or HTTPS Reverse Proxies), SSL Device Profiles, and SSL Client Configuration via the CLI. For SSL Forward Proxy, export ciphers should be disallowed through policy.

Sample CLI commands and policy

For HTTPS Console (and/or HTTPS Reverse Proxies)

If using HTTPS Reverse Proxies, perform the same operation on each HTTPS Reverse Proxy service as well.
.....
10.106.17.217 - Blue Coat SG300 Series#(config)management-services
10.106.17.217 - Blue Coat SG300 Series#(config management-services)edit HTTPS-Console
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)view
Service Name:   HTTPS-Console
Service:        HTTPS-Console
Attributes:     <None>
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
Destination IP    Port Range
<All>             8082              Enabled
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)attribute cipher-suite aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
  ok
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)view
Service Name:   HTTPS-Console
Service:        HTTPS-Console
Attributes:     <None>
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
Destination IP    Port Range
<All>             8082              Enabled
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)
.....

(For HTTPS Reverse Proxy)

.....
Blue Coat SG300 Series#(config)proxy-services
Blue Coat SG300 Series#(config proxy-services)edit "reverse-proxy-service-name"
Blue Coat SG300 Series#(config "reverse-proxy-service-name")view
Service Name:   "reverse-proxy-service-name"
Service Group:  Reverse Proxy
Proxy:          HTTPS Reverse Proxy
Attributes:     use-adn, adn-byte-cache, adn-compress, byte-cache-priority normal, early-intercept
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha ecdhe-rsa-aes256-sha ecdhe-rsa-rc4-sha aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
Source IP         Destination IP    Port Range        Action
<All>             10.107.17.220     443               Intercept

.....
Below are the steps to remove the low, medium and export strength cipher suites, for your reference.
.....

Blue Coat SG300 Series#(config "reverse-proxy-service-name")attribute cipher-suite 
<< press Enter to view all available ciphers and their strengths, as shown below >>

Cipher#  Use        Description            Strength
-------  ---  ---------------------------  --------
      1  yes      ECDHE-RSA-AES128-SHA256      High
      2  yes  ECDHE-RSA-AES128-GCM-SHA256      High
      3  yes         ECDHE-RSA-AES128-SHA      High
      4  yes         ECDHE-RSA-AES256-SHA      High
      5  yes            ECDHE-RSA-RC4-SHA    Medium
      6  yes                AES128-SHA256      High
      7  yes                AES256-SHA256      High
      8  yes                   AES128-SHA    Medium
      9  yes                   AES256-SHA      High
     10  yes           DHE-RSA-AES128-SHA      High
     11  yes           DHE-RSA-AES256-SHA      High
     12  yes                 DES-CBC3-SHA      High
     13  yes                      RC4-SHA    Medium
     14  yes                      RC4-MD5    Medium
     15  yes                  DES-CBC-SHA       Low
     16  yes              EXP-DES-CBC-SHA    Export
     17  yes                  EXP-RC4-MD5    Export
     18  yes              EXP-RC2-CBC-MD5    Export

Select cipher numbers to use, separated by commas: 1, 2, 3, 4, 6, 7, 9, 10, 11, 12, 13
  ok
.....
View again and you will see only the high strength cipher suites.
.....
Blue Coat SG300 Series#(config "reverse-proxy-service-name")view
Service Name:   "reverse-proxy-service-n
Service Group:  Reverse Proxy
Proxy:          HTTPS Reverse Proxy
Attributes:     use-adn, adn-byte-cache, adn-compress, byte-cache-priority normal, early-intercept
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha ecdhe-rsa-aes256-sha aes128-sha256 aes256-sha256 aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha
Source IP         Destination IP    Port Range        Action
<All>             10.107.17.220     443               Intercept
.....

For SSL Client Configuration

.....
10.106.17.217 - Blue Coat SG300 Series#(config)ssl
10.106.17.217 - Blue Coat SG300 Series#(config ssl)edit ssl-client default
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)view
SSL-Client: default
Keyring: <None>
CCL: browser-trusted
Protocol: tlsv1 tlsv1.1 tlsv1.2
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)cipher-suite aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
  ok
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)view
SSL-Client: default
Keyring: <None>
CCL: browser-trusted
Protocol: tlsv1 tlsv1.1 tlsv1.2
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)
.....

For SSL Device Profiles

.....
10.106.17.217 - Blue Coat SG300 Series#(config)ssl
10.106.17.217 - Blue Coat SG300 Series#(config ssl)edit ssl-device-profile default
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)view
Name: default
Usable for: client
Keyring:
CCL: browser-trusted
Device-id: $(subject.CN)
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
Protocol: tlsv1 tlsv1.1 tlsv1.2
Verify-peer: enabled
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)cipher-suite aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
  ok
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)view
Name: default
Usable for: client
Keyring:
CCL: browser-trusted
Device-id: $(subject.CN)
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
Protocol: tlsv1 tlsv1.1 tlsv1.2
Verify-peer: enabled
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)
.....
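To apply the same cipher-suite change consistently across the HTTPS Console, reverse proxy, SSL client and device profile sections above, here is a small Python helper added for this article (it is not Blue Coat/Symantec code): it parses the `view` output, drops the ciphers in the chosen strength classes using the strength table from the reverse-proxy listing, emits the matching CLI command, and checks the result for remaining weak ciphers. The sample `view` text is copied from the HTTPS-Console transcript; the strength table is assumed to be complete for these transcripts.

```python
import re

# Cipher strength classes as listed by the ProxySG "attribute cipher-suite"
# prompt on this page (names lower-cased to match the "view" output).
STRENGTH = {
    "ecdhe-rsa-aes128-sha256": "High", "ecdhe-rsa-aes128-gcm-sha256": "High",
    "ecdhe-rsa-aes128-sha": "High", "ecdhe-rsa-aes256-sha": "High",
    "ecdhe-rsa-rc4-sha": "Medium", "aes128-sha256": "High",
    "aes256-sha256": "High", "aes128-sha": "Medium", "aes256-sha": "High",
    "dhe-rsa-aes128-sha": "High", "dhe-rsa-aes256-sha": "High",
    "des-cbc3-sha": "High", "rc4-sha": "Medium", "rc4-md5": "Medium",
    "des-cbc-sha": "Low", "exp-des-cbc-sha": "Export",
    "exp-rc4-md5": "Export", "exp-rc2-cbc-md5": "Export",
}

# Sample "view" output, copied from the HTTPS-Console transcript on this page.
CONSOLE_VIEW = """Service Name:   HTTPS-Console
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
Cipher Suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
Destination IP    Port Range
<All>             8082              Enabled
"""

def parse_cipher_suite(view_output):
    """Return the cipher list from a 'Cipher Suite:' / 'Cipher suite:' line."""
    m = re.search(r"^Cipher suite:\s*(.*)$", view_output, re.I | re.M)
    if m is None:
        raise ValueError("no 'Cipher suite:' line in view output")
    return m.group(1).split()

def harden(ciphers, drop=("Export",)):
    """Drop ciphers whose strength class is in `drop`, keeping the original order.
    Names not in STRENGTH are kept and returned separately so that an unknown
    cipher is never removed (or overlooked) silently."""
    kept, unknown = [], []
    for c in ciphers:
        strength = STRENGTH.get(c.lower())
        if strength is None:
            unknown.append(c)
        if strength not in drop:
            kept.append(c)
    return kept, unknown

def weak_ciphers_present(ciphers, classes=("Export",)):
    """Post-change check: ciphers still configured that fall in `classes`."""
    return [c for c in ciphers if STRENGTH.get(c.lower()) in classes]

def cli_command(kept, prefix="attribute cipher-suite"):
    """Build the ProxySG command; ssl-client and device profiles use plain
    'cipher-suite' (pass prefix='cipher-suite') as in the transcripts above."""
    return prefix + " " + " ".join(kept)
```

Run `weak_ciphers_present(parse_cipher_suite(...))` on the `view` output after the change; an empty list confirms that no export grade cipher is still configured for that service or profile.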

For SSL Forward Proxy

Add policy to disallow export level ciphers through CPL or VPM.

CPL

....
<SSL>
client.connection.negotiated_cipher.strength=(Export) force_deny
client.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5,exp-rc2-cbc-md5) force_deny
server.connection.negotiated_cipher.strength=(Export) force_deny
server.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5,exp-rc2-cbc-md5) force_deny
.....

VPM (add 4 deny rules in SSL Access Layer)


Rule 1
Source: Client Negotiated Cipher -> Check EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5 and EXP-RC4-MD5
Action: Force Deny

Rule 2
Source: Client Negotiated Cipher Strength -> Check Export
Action: Force Deny

Rule 3
Destination: Server Negotiated Cipher -> Check EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5 and EXP-RC4-MD5
Action: Deny

Rule 4
Source: Server Negotiated Cipher Strength -> Check Export
Action: Force Deny
