After removing CBC ciphers in the httpd-ssl.conf on the Access Gateway, some are still present

Article ID: 381051

Products

SITEMINDER

Issue/Introduction

After removing CBC ciphers in the httpd-ssl.conf on the Access Gateway, some are still present.

The default SSLCipherSuite

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES

After removing the CBC ciphers it looks like this:

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:!DSS:!3DES


Environment

Applies to Access Gateway R12.8 Any

Any OS

Cause

Nmap reports ciphers by their standard (RFC/IANA) names.

The Access Gateway uses OpenSSL to apply its cipher suite, and OpenSSL has its own cipher names that can differ from the standard names.

For example, nmap returns the name below, which contains "CBC":

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

You don't see this name in the SSLCipherSuite because OpenSSL refers to the same suite as

 DHE-RSA-AES128-SHA

Because this name has no "CBC" in it, it was not removed from the SSLCipherSuite list, and nmap will still list CBC ciphers:

Starting Nmap 6.40 ( http://nmap.org ) at 2024-10-31 20:15 UTC
Nmap scan report for server.domain.com (###.###.###.###)
Host is up (0.0010s latency).
rDNS record for ###.###.###.###: server.domain.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Resolution

To remove all the CBC references from the nmap results, use the OpenSSL reference linked below to map each nmap name to the name used in the SSLCipherSuite, then remove that name.

https://docs.openssl.org/master/man1/openssl-ciphers/#cipher-suite-names

Using the previous example:

nmap returns the name below, which contains "CBC":

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

You don't see this name in the SSLCipherSuite because OpenSSL refers to the same suite as

 DHE-RSA-AES128-SHA

Removing DHE-RSA-AES128-SHA from the SSLCipherSuite will remove TLS_DHE_RSA_WITH_AES_128_CBC_SHA from the nmap results.
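The mapping step in the Cause and Resolution sections above can be scripted so that no CBC suite is missed by a text search. The following is an added example written for this article, not code from Broadcom or from the Access Gateway product. It takes the default SSLCipherSuite value quoted above, translates each OpenSSL name to its IANA name with a set of rules that cover only the name patterns present in that value (AES-CBC, AES-GCM, 3DES-CBC, ChaCha20-Poly1305; anything else raises rather than guessing, and the linked OpenSSL ciphers table remains the authority), shows that a plain search for "CBC" finds only the 3DES entries while 20 of the 30 suites are actually CBC, reverse-maps a name from the nmap output to the token that has to be deleted, and prints a cleaned value. The function names and the regex-based translation are this example's own assumptions.

```python
import re

# The default SSLCipherSuite value quoted in this article (Access Gateway httpd-ssl.conf).
DEFAULT_SSLCIPHERSUITE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES"
)

# OpenSSL name prefix -> IANA key-exchange/authentication part. Static-RSA suites carry
# no prefix at all in OpenSSL (AES128-SHA is TLS_RSA_WITH_AES_128_CBC_SHA).
KX_PREFIXES = [
    ("ECDHE-ECDSA-", "ECDHE_ECDSA"),
    ("ECDHE-RSA-", "ECDHE_RSA"),
    ("DHE-RSA-", "DHE_RSA"),
    ("EDH-RSA-", "DHE_RSA"),  # older OpenSSL spelling used for the 3DES DHE suite
]


def openssl_to_iana(name):
    """Translate one OpenSSL cipher name to (IANA name, mode), mode being 'CBC' or 'AEAD'.

    Rule-based (an assumption of this example): covers only the name patterns in this
    article's SSLCipherSuite. Anything else raises so a suite is never misclassified
    silently; look it up in the OpenSSL ciphers(1) table instead.
    """
    kx, rest = "RSA", name
    for prefix, iana_kx in KX_PREFIXES:
        if name.startswith(prefix):
            kx, rest = iana_kx, name[len(prefix):]
            break
    if rest == "CHACHA20-POLY1305":
        return f"TLS_{kx}_WITH_CHACHA20_POLY1305_SHA256", "AEAD"
    if rest == "DES-CBC3-SHA":
        return f"TLS_{kx}_WITH_3DES_EDE_CBC_SHA", "CBC"
    m = re.fullmatch(r"AES(128|256)-GCM-(SHA\d+)", rest)
    if m:
        return f"TLS_{kx}_WITH_AES_{m[1]}_GCM_{m[2]}", "AEAD"
    # OpenSSL drops the "CBC" token for AES-CBC suites: AES128-SHA, AES256-SHA384, ...
    m = re.fullmatch(r"AES(128|256)-(SHA\d*)", rest)
    if m:
        return f"TLS_{kx}_WITH_AES_{m[1]}_CBC_{m[2]}", "CBC"
    raise ValueError(f"no translation rule for {name!r}; check the OpenSSL ciphers table")


def suites(spec):
    """Cipher suite tokens of an SSLCipherSuite string, without !/-/+/@ modifiers."""
    return [t for t in spec.split(":") if t and t[0] not in "!-+@"]


def literal_cbc_tokens(spec):
    """What a text search for 'CBC' in the OpenSSL string finds (only the 3DES suites)."""
    return [t for t in suites(spec) if "CBC" in t]


def cbc_suites(spec):
    """Every suite that really is CBC, as (OpenSSL name, IANA name) pairs."""
    out = []
    for t in suites(spec):
        iana, mode = openssl_to_iana(t)
        if mode == "CBC":
            out.append((t, iana))
    return out


def openssl_name_for(iana_name, spec):
    """Reverse lookup: the SSLCipherSuite token to delete for a name that nmap reported."""
    for t in suites(spec):
        if openssl_to_iana(t)[0] == iana_name:
            return t
    return None


def remove_cbc(spec):
    """SSLCipherSuite value with all CBC suites dropped; modifiers such as !DSS are kept in place."""
    kept = [t for t in spec.split(":")
            if t and (t[0] in "!-+@" or openssl_to_iana(t)[1] != "CBC")]
    return ":".join(kept)


if __name__ == "__main__":
    spec = DEFAULT_SSLCIPHERSUITE
    print(f"{len(literal_cbc_tokens(spec))} tokens contain 'CBC', "
          f"but {len(cbc_suites(spec))} of {len(suites(spec))} suites are CBC:")
    for openssl_name, iana_name in cbc_suites(spec):
        print(f"  {openssl_name:28} -> {iana_name}")
    # The name from the article's nmap output, resolved to the token that must be deleted.
    print("delete:", openssl_name_for("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", spec))
    print("SSLCipherSuite", remove_cbc(spec))
```

Run it against the value taken from your own httpd-ssl.conf; every name in the nmap `ssl-enum-ciphers` output can be passed to `openssl_name_for` to get the exact token to delete, and the printed `SSLCipherSuite` line keeps only the GCM and ChaCha20 suites plus the existing `!DSS:!3DES` exclusions.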