Layer7 Access Management

Which TLS Ciphers are used by CA Directory DSAs?

    Posted 07-18-2018 03:52 PM

    Team,

    Using the openssl binary, we can view all ciphers provided by this command line tool.

    Using this list, we can test each possible cipher category to a service that has TLS enabled, e.g. an LDAP server or web server.

    To list all ciphers possible with openssl:

    Ref:  /docs/man1.1.0/apps/ciphers.html

    openssl ciphers

    To test the ciphers, you can execute openssl with the s_client switch.

    openssl s_client -cipher RSA -connect vapp0001:20394                  [SUCCESSFUL TEST]

    Test with category:  HIGH    "'high' encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys."

    openssl s_client -cipher HIGH  -connect vapp0001:20394    [TEST SUCCESS]

    openssl s_client -cipher ECDHE-RSA-AES256-GCM-SHA384 -connect vapp0001:20394     [TEST FAILURE]

    You may wish to skip these tests.

    openssl s_client -cipher DEFAULT -connect vapp0001:20394

    openssl s_client -cipher ALL -connect vapp0001:20394

    openssl s_client -cipher NULL -connect vapp0001:20394

    Other examples:

    Success:

    openssl s_client -cipher EDH -connect vapp0001:20394

    Fail:

    openssl s_client -cipher ECDH -connect vapp0001:20394

    Best example of success for latest release of TLSv1.2

    openssl s_client -cipher TLSv1.2 -connect vapp0001:20394

    To directly view the CA Directory ciphers used (if changed from defaults), you may view these files:

    DXHOME/config/ssld/default.dxc

    DXHOME/config/ssld/impd.dxc

    To view all active CA Directory DSA ciphers, open a DXconsole, and issue the command:  get ciphers;

    - Or add this setting to CA Directory setting <dsa name>.dxc and issue a dxserver init <dsa name>

    - Then view the <dsa-name>-trace.logs.

    Ref:  Encryption Formats for SSL - CA Directory - 12.6 - CA Technologies Documentation

    Example to reduce ciphers to TLSv1.2 for CA Directory DSA upon startup:

    Edit the DXHOME/config/ssld/impd.dxc   (or default.dxc)

    - Update the set ssl = {  section as shown

    Validate working with the -d switch for    dxserver -d start  <dsa_name>

    - Should only see valid TLSv1.2 ciphers.

    Cheers,
    Alan
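
Added example (not part of the original post): the per-cipher s_client tests above, run as a loop over every cipher name that `openssl ciphers` prints, so each one is reported as accepted or rejected by the DSA. The function names `probe` and `scan_ciphers` are hypothetical, and `-tls1_2` is added on the assumption that the TLSv1.2 handshake is the one being audited.

```shell
#!/bin/sh
# Added example: audit which ciphers a TLS-enabled DSA port accepts.
# probe and scan_ciphers are illustrative names, not CA Directory tooling.

# probe TARGET CIPHER
# Returns 0 when a TLSv1.2 handshake offering only CIPHER succeeds.
probe() {
    # </dev/null gives s_client an immediate EOF so it exits after the
    # handshake instead of waiting for input. -cipher only governs
    # TLSv1.2 and earlier, so the protocol is pinned with -tls1_2.
    openssl s_client -tls1_2 -cipher "$2" -connect "$1" \
        </dev/null >/dev/null 2>&1
}

# scan_ciphers TARGET CIPHERLIST
# CIPHERLIST is colon-separated, the format `openssl ciphers` prints.
# Emits one "ACCEPTED <cipher>" or "REJECTED <cipher>" line per entry.
scan_ciphers() {
    target=$1
    old_ifs=$IFS
    IFS=:
    set -f            # no filename expansion while splitting the list
    set -- $2         # split on ':' into positional parameters
    set +f
    IFS=$old_ifs
    for c in "$@"; do
        if probe "$target" "$c"; then
            echo "ACCEPTED $c"
        else
            echo "REJECTED $c"
        fi
    done
}

# Usage: sh scan.sh vapp0001:20394
# Tests every cipher known to the local openssl build against the target.
if [ "$#" -eq 1 ]; then
    scan_ciphers "$1" "$(openssl ciphers 'ALL')"
fi
```

Compare the ACCEPTED lines with the output of `get ciphers;` in the DXconsole to confirm the DSA exposes only what its `set ssl` configuration intends.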