Configuring High Strength Ciphers in Symantec Directory

Article ID: 278382

Updated On: 03-21-2025

Products

CA Directory

Issue/Introduction

A vulnerability scan of the TLS cipher suites reports that the ciphers enabled for a DSA are Medium Strength (i.e. key length > 64-bit and < 112-bit, or 3DES).

e.g. the scan reports: 

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                     Code        KEX   Auth  Encryption      MAC
-----------------------  ----------  ----  ----  --------------  ----
EDH-RSA-DES-CBC3-SHA     0x00, 0x16  DH    RSA   3DES-CBC(168)   SHA1
ECDHE-RSA-DES-CBC3-SHA   0xC0, 0x12  ECDH  RSA   3DES-CBC(168)   SHA1
AECDH-DES-CBC3-SHA       0xC0, 0x17  ECDH  None  3DES-CBC(168)   SHA1
DES-CBC3-SHA             0x00, 0x0A  RSA   RSA   3DES-CBC(168)   SHA1

The business requirement is to only have High Strength Ciphers enabled.

e.g. the scan should report:

High Strength Ciphers (>= 112-bit key)

Name                Code        KEX   Auth  Encryption     MAC
------------------  ----------  ----  ----  -------------  ----
AECDH-AES128-SHA    0xC0, 0x18  ECDH  None  AES-CBC(128)   SHA1
AECDH-AES256-SHA    0xC0, 0x19  ECDH  None  AES-CBC(256)   SHA1
AECDH-RC4-SHA       0xC0, 0x16  ECDH  None  RC4(128)       SHA1

Resolution

The cipher suite list is controlled by the SSLD configuration file (<name>.dxc under the SSLD folder) that the individual DSA uses. That file has a 'cipher' parameter that specifies the list, and it can be modified to meet the business requirement.

e.g. 
#  cipher = "ALL:!EXPORT40:!ADH:!SSLv2:!EXP:!LOW" # default ciphers - syntax on OpenSSL website

The important part is the trailing comment: the value of 'cipher' is an OpenSSL cipher-list string, so the keywords and the meaning of the ':', '!', '+' and '@' operators are the ones documented for OpenSSL.

Consult the OpenSSL ciphers documentation to build the list of ciphers to include or exclude. Once the list is defined (make sure the 'cipher' line is not commented out, or add a new uncommented line), restart the DSA and re-run the vulnerability scan.

For the case described above, the following configuration leaves only High Strength ciphers enabled. Note that this string is stricter than the scanner's High Strength example: '!aNULL' and '!ADH' also remove the anonymous AECDH suites (Auth = None, no server authentication) and '!RC4' removes AECDH-RC4-SHA. Those suites are reported by the separate anonymous-cipher checks listed under Additional Information, so removing them here is intended. Also note that in OpenSSL syntax '+HIGH' does not add the HIGH ciphers ('ALL' already includes them); it moves them to the end of the list, and '@STRENGTH' then re-sorts the whole list by key length.

# SSL options 
#  cipher = "ALL:!EXPORT40:!ADH:!SSLv2:!EXP:!LOW" # default ciphers - syntax on OpenSSL website 
cipher = "kEDH:ALL:!aNULL:!eNULL:!ADH:!DES:!3DES:!LOW:!MEDIUM:!EXP:!EXPORT40:!RC4:!SSLv2:+HIGH:@STRENGTH" 
#  protocol = tls                # enable TLS only (default of fips set) 
protocol = TLSv12
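Before restarting the DSA it is worth expanding the string to see exactly which suites it selects and whether any of them would still be reported. The following is an added example written for this article, not code from Symantec Directory; it does not read a .dxc file, and it uses the OpenSSL build behind Python's ssl module, which is assumed to be close enough to the one SSLD links against to serve as a pre-check (the live listener must still be re-scanned). The two cipher strings are the default and hardened values shown above, and the bucket rule is the one quoted in the scan output.

```python
"""Expand OpenSSL cipher strings and bucket the result the way the scanner does.

Added example for this article: not part of Symantec Directory, does not read
a .dxc file. Assumption: the OpenSSL behind Python's ssl module is close
enough to the one SSLD uses to make this a useful pre-check before restart.
"""
import ssl

# Default value shown commented out in the SSLD <name>.dxc file (from the article).
DEFAULT_CIPHER_STRING = "ALL:!EXPORT40:!ADH:!SSLv2:!EXP:!LOW"

# Hardened value from the Resolution section of the article.
HARDENED_CIPHER_STRING = (
    "kEDH:ALL:!aNULL:!eNULL:!ADH:!DES:!3DES:!LOW:!MEDIUM:!EXP:!EXPORT40"
    ":!RC4:!SSLv2:+HIGH:@STRENGTH"
)


def expand_cipher_string(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, as the dicts that
    SSLContext.get_ciphers() yields (keys include name, description and
    strength_bits). Raises ssl.SSLError if the string selects nothing.
    TLS 1.3 suites are always listed; they are AES-GCM or ChaCha20 and pass
    every check below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def scanner_bucket(cipher):
    """Bucket one suite with the rule quoted in the scan output:
    Medium = > 64-bit and < 112-bit key, or 3DES; High = >= 112-bit key.
    3DES is matched by name because OpenSSL prints it as 168-bit while its
    effective strength is 112, and the scanner puts it in Medium either way."""
    name = cipher["name"]
    if "3DES" in name or "DES-CBC3" in name:
        return "Medium"
    bits = cipher["strength_bits"]
    if bits >= 112:
        return "High"
    if bits > 64:
        return "Medium"
    return "Low"


def is_anonymous(cipher):
    """True for suites with no server authentication, shown as 'Au=None' in
    'openssl ciphers -v' output (the AECDH-* suites in the scan)."""
    return "Au=None" in cipher["description"]


def findings(cipher_string):
    """Suite names that would not satisfy the requirement: anything below
    High Strength, plus anonymous and RC4 suites, which the scanner's High
    Strength list contains but which its anonymous-cipher checks flag."""
    bad = []
    for c in expand_cipher_string(cipher_string):
        if scanner_bucket(c) != "High" or is_anonymous(c) or "RC4" in c["name"]:
            bad.append(c["name"])
    return sorted(bad)


def report(cipher_string):
    """Map each selected suite name to its scanner bucket, for review."""
    return {c["name"]: scanner_bucket(c) for c in expand_cipher_string(cipher_string)}


if __name__ == "__main__":
    for label, value in (("default", DEFAULT_CIPHER_STRING),
                         ("hardened", HARDENED_CIPHER_STRING)):
        print(label, "->", len(report(value)), "suites; findings:",
              findings(value) or "none")
```

After the DSA restart, the same result can be confirmed against the listener from a client host with `openssl s_client -connect <dsa-host>:<ssl-port> -cipher DES-CBC3-SHA`; the handshake should now fail, and the re-run scan should list no Medium Strength or anonymous suites.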

Additional Information

The following published KB articles and the Directory product documentation give further examples of ciphers to exclude or include when preparing the list:

Disabling active ciphers on DSAs that may allow anonymous SSL connections

Symantec Directory : Qualys scan ID 38142 - SSL Server Allows Anonymous Authentication Vulnerability

CA Directory - "SSL Medium Strength Cipher Suites Supported (SWEET32)" & SSL Anonymous Cipher Suites Supported