How to strengthen cipher suites for HTTPS on ArubaOS-Switches

  • 1.  How to strengthen cipher suites for HTTPS on ArubaOS-Switches

    EMPLOYEE
    Posted Nov 09, 2018 05:21 PM

    While establishing an HTTPS session, the client and server negotiate security settings for authentication, encryption, and MAC. These sets of security settings, also known as cipher suites, are fully listed at https://www.openssl.org/docs/manmaster/man1/ciphers.html. Some of them use 3DES. It is considered proven that 3DES ciphers are vulnerable to the SWEET32 attack (https://sweet32.info). If you want to avoid negotiating 3DES cipher suites, you can:


    1. Use a client that does not negotiate 3DES
    2. Disable 3DES cipher suites on the server side


    When an admin connects to the ArubaOS-Switches GUI from a browser, the switch acts as an HTTPS server. To disable 3DES cipher suites on ArubaOS-Switches, the following commands can be used:

     

    tls application all lowest-version tls1.2 disable-cipher des3-cbc-sha
    tls application all lowest-version tls1.2 disable-cipher ecdh-ecdsa-des-cbc3-sha
    tls application all lowest-version tls1.2 disable-cipher ecdh-rsa-des-cbc3-sha
    tls application all lowest-version tls1.2 disable-cipher ecdhe-ecdsa-des-cbc3-sha
    tls application all lowest-version tls1.2 disable-cipher ecdhe-rsa-des-cbc3-sha

     

    Below is what you get before applying the commands:

    ##############
    C:\Program Files (x86)\Nmap>nmap --script ssl-cert,ssl-enum-ciphers -p 443 172.16.0.253
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-09 15:28 Russia TZ 2 Standard Time
    Nmap scan report for 172.16.0.253
    Host is up (0.00s latency).

    PORT STATE SERVICE
    443/tcp open https
    | ssl-cert: Subject: commonName=ARUBATEST/countryName=RU
    | Issuer: commonName=ARUBATEST/countryName=RU
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 1990-01-01T02:05:23
    | Not valid after: 1991-01-01T23:59:59
    | MD5: 4a9c 08c3 0cd3 e029 36e1 5493 0ea6 ac6b
    |_SHA-1: d5fb 554e c3d6 8ec0 0a25 6d7f 8371 f326 df7d a49d
    | ssl-enum-ciphers:
    | TLSv1.2:
    | ciphers:
    | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
    | compressors:
    | NULL
    | cipher preference: server
    | warnings:
    | 64-bit block cipher 3DES vulnerable to SWEET32 attack
    |_ least strength: C
    MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
    ############

     

    Note the warnings: "64-bit block cipher 3DES vulnerable to SWEET32 attack"
    And a pair of 3DES cipher suites:
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C


    Here is what you get after the commands are applied:

    ############
    C:\Program Files (x86)\Nmap>nmap --script ssl-cert,ssl-enum-ciphers -p 443 172.16.0.253
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-09 15:32 Russia TZ 2 Standard Time
    Nmap scan report for 172.16.0.253
    Host is up (0.00s latency).

    PORT STATE SERVICE
    443/tcp open https
    | ssl-cert: Subject: commonName=ARUBATEST/countryName=RU
    | Issuer: commonName=ARUBATEST/countryName=RU
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 1990-01-01T02:05:23
    | Not valid after: 1991-01-01T23:59:59
    | MD5: 4a9c 08c3 0cd3 e029 36e1 5493 0ea6 ac6b
    |_SHA-1: d5fb 554e c3d6 8ec0 0a25 6d7f 8371 f326 df7d a49d
    | ssl-enum-ciphers:
    | TLSv1.2:
    | ciphers:
    | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    | compressors:
    | NULL
    | cipher preference: server
    |_ least strength: A
    MAC Address: xx:xx:xx:xx:xx:xx (Unknown)

    Nmap done: 1 IP address (1 host up) scanned in 58.86 seconds
    ##############

    Note the absence of the warning and no 3DES.
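
The before/after comparison in the post above can be automated. The following is an added example, not part of the original thread: a Python parser for the text output of nmap's `ssl-enum-ciphers` script that records each offered suite with its grade and flags 3DES suites and the SWEET32 warning. The two sample scans are constructed and abridged, and the names `audit` and `compliant` are hypothetical.

```python
import re

# Constructed samples, abridged from the shape of the two scans in the post.
BEFORE = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| compressors:
| NULL
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
"""
AFTER = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|_ least strength: A
"""

PROTO = re.compile(r"^\|_?\s*((?:SSLv|TLSv)[\d.]+):$")
SUITE = re.compile(r"^\|_?\s*(\w+) \([^)]*\) - ([A-F])$")
LEAST = re.compile(r"^\|_?\s*least strength: ([A-F])$")

def audit(nmap_text):
    """Parse ssl-enum-ciphers text output for one port into a finding dict."""
    out, proto = {"suites": [], "3des": [], "sweet32": False, "least": None}, None
    for line in map(str.strip, nmap_text.splitlines()):
        if m := PROTO.match(line):
            proto = m[1]                      # protocol the following suites belong to
        elif m := SUITE.match(line):
            out["suites"].append((proto, m[1], m[2]))
            if "_3DES_" in m[1]:              # 64-bit block cipher suite
                out["3des"].append(m[1])
        elif m := LEAST.match(line):
            out["least"] = m[1]
        elif "SWEET32" in line:               # nmap's own warning line
            out["sweet32"] = True
    return out

def compliant(r):  # no 3DES suite offered and no SWEET32 warning raised
    return not r["3des"] and not r["sweet32"]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, compliant(audit(text)), audit(text)["3des"])
```

Save the real scan output to a file and pass its contents to `audit` to run the same check after each configuration change.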



  • 2.  RE: How to strengthen cipher suites for HTTPS on ArubaOS-Switches

    Posted Sep 19, 2020 03:08 AM

    After applying your steps, the HTTPS Web GUI is no longer working.

    Any missed steps there?

    # sh web-management

    Web Management - Server Configuration

    HTTP Access : Enabled
    HTTPS Access : Enabled
    SSL Port : 443
    Idle Timeout : 300 seconds

     

    UPDATE1:
    My mistake: after the HTTPS web GUI stopped working, I just needed to recreate a new self-signed certificate.