Symantec Directory : Disable SSL RC4 Cipher Suites for DXagent process running on port 9443 (Linux)
Article ID: 237520
Updated On:
Products
Issue/Introduction
You may find vulnerability scan report pointing to the fact that Symantec Directory component running on (or utilizing) port 9443 (which is dedicated to DXagent process) is using RC4 Cipher Suites and looking for a way to disable this Cipher Suites.
Environment
Release : 14.1
Component : CA Directory
Resolution
Fact is, it is not Symantec Directory but Python version that has this RC4 vulnerability that Directory uses. So regardless of Directory version (14.1.00 or 14.1.03), so the solution is to upgrade your Linux node(s) with latest version of Python.
In Linux, DXagent uses python installed in the machine. And the ciphers are set based on the Python. DXagent uses the default Ciphers set by Python.
For example, run the following command:
-bash-4.2$ python -c 'import ssl; print ssl._DEFAULT_CIPHERS'
With Python 2.7.5, you will see:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5:!3DES
With Python 3.7.3, you will see:
DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK
From the ciphers list you will notice RC4, in 2.7.5 version but not in 3.7.3 version.
Further...
From the Python docops page https://docs.python.org/3/library/ssl.html
Here you will find the information such as : Changed in version 3.4.4: RC4 was dropped from the default cipher string.
Feedback
