11-18-2016 12:28 PM
Got dinged by InfoSec for the Sweet32 issue recently. I reviewed the ArubaOS hardening guide and confirmed that we are running the default `web-server profile ciphers high` configuration. The cipher suites in question are: TLS_RSA_WITH_3DES_EDE_CBC_SHA & TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA. I can't find any mention of deprecating those suites in any recent release notes. Is there anyway to disable them manually?
11-21-2016 11:39 AM
This should have been resolved under bug 127301 in the following versions:
I didn't have a look at the release notes to see if/how this was documented though...
Here is the actual source code where the ciphersuites are defined, so you can see what is included. The intent here was to make the non-FIPS version of software behave just like the FIPS version of software. As you'll see, 3DES has been removed:
#define HIGH_CIPHER_SUITE "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA" #define MEDIUM_CIPHER_SUITE "IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:RC2-CBC-MD5" #define LOW_CIPHER_SUITE "DES-CBC-SHA:DES-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA"
Jon Green, ACMX, CISSP
11-21-2016 11:47 AM
Thanks, Jon. I just enumerated ciphers on a couple boxes running 126.96.36.199. They are working as you have described. Thanks for the code snippet. That should be enough to shake the security guys ;).