
Symantec Directory - Disable SSL RC4 Cipher Suites for DXagent process running on port 9443 (Linux)


Article ID: 237520


Updated On:

Products

CA Directory

Issue/Introduction

A vulnerability scan may report that the Symantec Directory component running on (or utilizing) port 9443, which is dedicated to the DXagent process, is using RC4 cipher suites, and you may be looking for a way to disable these cipher suites.

Environment

Release : 14.1

Component : CA Directory

Resolution

The RC4 vulnerability comes not from Symantec Directory itself but from the Python version that Directory uses. Regardless of the Directory version (14.1.00 or 14.1.03), the solution is to upgrade your Linux node(s) to the latest version of Python.

On Linux, DXagent uses the Python installed on the machine, and the ciphers are determined by that Python: DXagent uses the default ciphers set by Python.

For example, run the following command (the parenthesized print works on both Python 2 and Python 3):
-bash-4.2$ python -c 'import ssl; print(ssl._DEFAULT_CIPHERS)'

With Python 2.7.5, you will see:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5:!3DES

With Python 3.7.3, you will see:
DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK

Comparing the two cipher lists, RC4 is enabled in the 2.7.5 default (ECDH+RC4:DH+RC4:RSA+RC4) but excluded in the 3.7.3 default (!RC4).
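The comparison above as an added example (not part of the original article or of Symantec Directory): a Python check that lists the terms of a default cipher string that explicitly enable RC4, run over the two strings quoted above, plus a query of the OpenSSL build linked to the current interpreter. The function names `rc4_terms` and `openssl_rc4_suites` are hypothetical, and the second one assumes Python 3.6 or later.

```python
import re
import ssl

# Default cipher strings quoted in the article (Python 2.7.5 and 3.7.3).
PY275 = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
         "ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:"
         "ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5:!3DES")
PY373 = "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"


def rc4_terms(cipher_string):
    """Return the terms of an OpenSSL cipher string that explicitly add RC4.

    String-level check only: aliases such as DEFAULT are expanded by the
    OpenSSL build in use, so confirm with openssl_rc4_suites() as well.
    """
    added, killed = [], False
    for term in re.split(r"[:, ]+", cipher_string.strip()):
        if not term:
            continue
        op = term[0] if term[0] in "!-+" else ""
        body = term[len(op):]
        if "RC4" not in re.split(r"[+-]", body):
            continue
        if op == "":
            added.append(term)      # e.g. ECDH+RC4 or RC4-SHA
        elif body == "RC4" and op == "!":
            killed = True           # permanent: later terms cannot re-add RC4
        elif body == "RC4" and op == "-":
            added = []              # removed, but a later term may re-add it
        # a leading "+" only reorders suites already in the list
    return [] if killed else added


def openssl_rc4_suites(cipher_string):
    """Ask the OpenSSL linked into this interpreter which RC4 suites the
    string really enables (get_ciphers() requires Python 3.6+)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


if __name__ == "__main__":
    for label, s in (("2.7.5", PY275), ("3.7.3", PY373)):
        print(label, "explicit RC4 terms:", rc4_terms(s))
    current = getattr(ssl, "_DEFAULT_CIPHERS", "DEFAULT")
    print("this interpreter:", openssl_rc4_suites(current))
```

Run it with the same interpreter that DXagent uses; an empty list from `openssl_rc4_suites` means no RC4 suite is available under that interpreter's default cipher string.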

Further, the Python documentation page https://docs.python.org/3/library/ssl.html states:

Changed in version 3.4.4: RC4 was dropped from the default cipher string.