Brocade Fibre Channel Networking Community

Is it possible to disable TLS1.0 in FABOS 8.1.0b?

  • 1.  Is it possible to disable TLS1.0 in FABOS 8.1.0b?

    Posted 08-03-2017 04:46 PM

    I'd like to only have TLS 1.2 enabled for SSL.  Is it possible to edit apache.conf or issue a "sec" command to only allow TLS v1.2? 
    This is on our 16 port FC switches.
    Thanks!


    #BrocadeFibreChannelNetworkingCommunity


  • 2.  Re: Is it possible to disable TLS1.0 in FABOS 8.1.0b?

    Posted 08-10-2017 05:21 AM

    Hi,

    Use the secCryptoCfg CLI to disable TLS. The example below is from FOS 7.4, but you should be able to work it out for 8.0 or 8.1, too (this is adapted from a KB article).

    FOS 7.4 (admin) supports display and modification of the default selected cipher suite (a subset of the above supported list) as follows:

    admin> seccryptocfg --show
    HTTPS Cipher List        : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
    SSH Cipher List          : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    SSH Kex Algorithms List  : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    SSH MACs List            : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512


    If you were interested only in SSL (especially with respect to TLSv1.2) as part of the HTTPS cipher list, you would be concerned with the top line, as follows, as the other ciphers are SSH related (which do not use SSL/TLS):

    HTTPS Cipher List        : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM

    We can query for more details about the selected ciphers using the openssl command, but with the FOS selection string:

    root> openssl ciphers -v '!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM'
    AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
    AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

    We can see that FOS limits its selection of the supported ciphers to these five above, which include TLSv1.2, so a client that might support many cipher suites would only successfully negotiate one of these five with the switch.

    If you wish to reduce the FOS cipher selection even further you could, for example, remove the SSLv3 suites by adding '!SSLv3' at the end of the selection string, which we use here to display a further subset of ciphers:

    root> openssl ciphers -v '!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3'
    AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
    AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

    This gives you the selection string that you would need to supply to the following FOS (admin) command "seccryptocfg", to reduce the selection to the TLSv1.2 suites from the selection already done in FOS (note that http is restarted to adapt to the change):

    admin> seccryptocfg --replace -type https -cipher '!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3'
    This command requires the daemon(s) HTTP to be restarted.
    Existing sessions will be terminated.
    Please confirm and provide the preferred option
    Press Yes(Y,y), No(N,n) [N]:y
    HTTP cipher list configured successfully.

    Finally, we check the new list of FOS selected ciphers as follows:

    admin> seccryptocfg --show
    HTTPS Cipher List        : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3
    SSH Cipher List          : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    SSH Kex Algorithms List  : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    SSH MACs List            : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
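An added example, not from the thread or from Brocade: a small audit over the output format of `openssl ciphers -v` that flags exactly the findings this kind of change is meant to remove, suites that are not TLSv1.2-only (SSLv3-tagged suites are also offered under TLS 1.0 and 1.1) and 3DES/DES/RC4 suites (Sweet32 and other 64-bit or weak ciphers). The two listings are the ones quoted above, embedded as constructed input so the script runs offline; `audit_string` runs the real `openssl` when one is installed.

```shell
#!/bin/sh
# Audit an "openssl ciphers -v" listing produced from a FOS seccryptocfg
# HTTPS selection string. Prints one line per objectionable suite.

# Constructed sample: the listing shown above for the original FOS string.
FOS_DEFAULT_LISTING='AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# Constructed sample: the listing shown above after appending !SSLv3.
FOS_TLS12_LISTING='AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256'

# audit_listing: read "openssl ciphers -v" lines on stdin; print each suite
# that is not TLSv1.2/TLSv1.3-only or that uses 3DES, DES or RC4.
# Exit status is 1 when anything was flagged, 0 when the listing is clean.
audit_listing() {
    awk '
    {
        name = $1; proto = $2; enc = ""
        for (i = 3; i <= NF; i++) if ($i ~ /^Enc=/) enc = substr($i, 5)
        reason = ""
        # Column 2 is the lowest protocol the suite is usable with; an SSLv3
        # suite is still negotiable by a TLS 1.0 or 1.1 client.
        if (proto != "TLSv1.2" && proto != "TLSv1.3") reason = "pre-TLS1.2 suite"
        if (enc ~ /^(3DES|DES|RC4)/)
            reason = reason (reason ? "; " : "") "64-bit/weak cipher " enc
        if (reason != "") { print name ": " reason; found = 1 }
    }
    END { exit found ? 1 : 0 }'
}

# audit_string: expand a FOS selection string with the local openssl and
# audit the result (requires the openssl binary on this host).
audit_string() {
    openssl ciphers -v "$1" | audit_listing
}

# count_findings: number of flagged suites in a listing passed as "$1".
count_findings() {
    printf '%s\n' "$1" | audit_listing | wc -l | tr -d ' '
}
```

The listing reflects the OpenSSL build on the host where you run it, not the one inside FOS, so treat this as a check of the selection string and confirm the switch itself with a scanner or `openssl s_client` afterwards.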


  • 3.  Re: Is it possible to disable TLS1.0 in FABOS 8.1.0b?

    Posted 08-14-2017 09:05 AM
    Works like a champ! Thanks!


  • 4.  Re: Is it possible to disable TLS1.0 in FABOS 8.1.0b?

    Posted 04-23-2018 08:46 AM

    It works awesome!!!


  • 5.  Re: Is it possible to disable TLS1.0 in FABOS 8.1.0b?

    Posted 04-23-2018 02:23 PM

    One of the best write-ups I've seen.  Excellent work!


  • 6.  Re: Is it possible to disable TLS1.0 in FABOS 8.1.0b?

    Posted 12 days ago
    Edited by Steven McNeill 12 days ago
    It seems that after I implement this change, security says I still have port 443 vulnerable for TLS 1.0 & 1.1, 3DES, Weak 64-bit ciphers (Sweet32).
    FOS 7.4.1f.
    Any help would be appreciated.