Configuring SSL/TLS cipher suite strength within the API Developer Portal
search cancel

Configuring SSL/TLS cipher suite strength within the API Developer Portal

book

Article ID: 42950

calendar_today

Updated On:

Products

CA API Developer Portal CA API Gateway

Issue/Introduction

Solution

Background

The Layer 7 API Developer Portal can be configured to support certain predetermined security levels of SSL/TLS cipher suites. By default, the ADP allows all levels of cipher suite security to ensure compatibility and interoperation with legacy systems that may not support or be capable of handling more aggressive methods of encryption. The configuration of the ADP in this manner is governed by the SSL/TLS configuration of the Apache HTTP server on the ADP appliance. This file is located in the following directory of the ADP appliance: /etc/httpd/conf.d/ssl.conf

The SSL/TLS configuration file for Apache can be configured to explicitly allow or disallow certain classes of suites based on specific attributes. There are four attributes that a cipher suite can be examined against:

  1. Key exchange algorithm (such as Diffie-Hellman or RSA)
  2. Authentication algorithm (such as Elliptic Curve Diffie-Hellman or DSA)
  3. Encryption Algorithm (such as DES, 3DES, or RC4)
  4. Message authentication digests (such as MD5 or SHA1)

Environment

Release:
Component: APIPRD

Resolution

Adjusting the Allowed Cipher Suite Strength
  1. Open the SSL/TLS configuration file on the file system of the ADP appliance with a text editor.
  2. Locate the SSLCipherSuite configuration directive.
  3. Adjust the value of this configuration directive as appropriate.
  4. Save the file and exit the text editor.
  5. Restart the Apache HTTP server via service httpd restart

Configuring an Appropriate Suite Strength

The configuration directive will appear as follows by default: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

This directive appears to be complex but can be read plainly if the sub-strings within it are known. The default value above can be interpreted as follows: Accept all cipher suites. Exclude those using Anonymous Diffie Helman key exchange. Exclude export-grade cipher suites that do not support key length greater than 40-bits. Ignore any cipher suites intended for SSLv2 connections. Subsequently, set the order of preference to prefer high-strength ciphers, then medium-strength ciphers, then low-strength ciphers.

Respectively, the "strength" of a cipher suite is specified in its key length. High strength ciphers are greater than 128-bits. Medium strength ciphers are greater than 56-bits. Low strength ciphers are less than or equal to 56-bits. To harden the system, you may want to exclude low- or even medium-strength suites in order to ensure the greatest security. This can be done by changing +MEDIUM to !MEDIUM or +LOW to !LOW, respectively. The (+) indicates that the class should be included whereas the (!) indicates that the class should be excluded.

Full documentation on how to configure this directive can be found within the Apache HTTP server manual at the following URL: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Testing the Configured Suite Strength

The value of the cipher suite directive can be tested directly to see which specific cipher suites would be supported. The OpenSSL suite contains the ciphers command. This command can provide a list of available cipher suites based on a string specified. It will provide a tab-formatted table of cipher suites and properties that would be used to meet the requirements of a server configure with a certain cipher suite directive. The example below shows what cipher suites would be available if the OpenSSL library connected to an Apache HTTP server using the ADP appliance's default configuration. The table provides the suite name, SSL/TLS version, key exchange method, authentication method, encryption method, and message authentication method as follows:

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
DHE-RSA-AES256-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=RSA ?Enc=AES(256) ?Mac=SHA1
DHE-DSS-AES256-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=DSS ?Enc=AES(256) ?Mac=SHA1
AES256-SHA ? ? ? ? ? ? ?SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=AES(256) ?Mac=SHA1
DHE-RSA-AES128-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=RSA ?Enc=AES(128) ?Mac=SHA1
DHE-DSS-AES128-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=DSS ?Enc=AES(128) ?Mac=SHA1
AES128-SHA ? ? ? ? ? ? ?SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=AES(128) ?Mac=SHA1
KRB5-DES-CBC3-MD5 ? ? ? SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=3DES(168) Mac=MD5?
KRB5-DES-CBC3-SHA ? ? ? SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA ? ?SSLv3 Kx=DH ? ? ? Au=RSA ?Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA ? ?SSLv3 Kx=DH ? ? ? Au=DSS ?Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA ? ? ? ? ? ?SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=3DES(168) Mac=SHA1
KRB5-RC4-MD5 ? ? ? ? ? ?SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=RC4(128) ?Mac=MD5?
KRB5-RC4-SHA ? ? ? ? ? ?SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=RC4(128) ?Mac=SHA1
RC4-SHA ? ? ? ? ? ? ? ? SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=RC4(128) ?Mac=SHA1
RC4-MD5 ? ? ? ? ? ? ? ? SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=RC4(128) ?Mac=MD5?
KRB5-DES-CBC-MD5 ? ? ? ?SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=DES(56) ? Mac=MD5?
KRB5-DES-CBC-SHA ? ? ? ?SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=DES(56) ? Mac=SHA1
EDH-RSA-DES-CBC-SHA ? ? SSLv3 Kx=DH ? ? ? Au=RSA ?Enc=DES(56) ? Mac=SHA1
EDH-DSS-DES-CBC-SHA ? ? SSLv3 Kx=DH ? ? ? Au=DSS ?Enc=DES(56) ? Mac=SHA1
DES-CBC-SHA ? ? ? ? ? ? SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=DES(56) ? Mac=SHA1

The output of this command provides the specific cipher suites that the OpenSSL suite would use to meet this requirement when connecting to an Apache HTTP server using the default cipher suite directive. If medium- and low-strength cipher suites are excluded then the following list would be available. The list is significantly shorter and contains no cipher suites that have key lengths less than 128-bits.

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:!LOW'
DHE-RSA-AES256-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=RSA ?Enc=AES(256) ?Mac=SHA1
DHE-DSS-AES256-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=DSS ?Enc=AES(256) ?Mac=SHA1
AES256-SHA ? ? ? ? ? ? ?SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=AES(256) ?Mac=SHA1
DHE-RSA-AES128-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=RSA ?Enc=AES(128) ?Mac=SHA1
DHE-DSS-AES128-SHA ? ? ?SSLv3 Kx=DH ? ? ? Au=DSS ?Enc=AES(128) ?Mac=SHA1
AES128-SHA ? ? ? ? ? ? ?SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=AES(128) ?Mac=SHA1
KRB5-DES-CBC3-MD5 ? ? ? SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=3DES(168) Mac=MD5?
KRB5-DES-CBC3-SHA ? ? ? SSLv3 Kx=KRB5 ? ? Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA ? ?SSLv3 Kx=DH ? ? ? Au=RSA ?Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA ? ?SSLv3 Kx=DH ? ? ? Au=DSS ?Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA ? ? ? ? ? ?SSLv3 Kx=RSA ? ? ?Au=RSA ?Enc=3DES(168) Mac=SHA1

The openssl ciphers -v command can be used to test the expected outcome of a particular cipher suite configuration directive without deploying it live

Powered by Wolken Software