Ignition Security - disable TLSv1

Sammy5 · June 19, 2017, 5:58pm

Is it currently possible to disable TLSv1 and only use 1.1 or 1.2?

Kevin.Herron · June 19, 2017, 6:01pm

Yes, you can add the following JVM flag to ignition.conf and restart the gateway:

-DexcludedCiphers=TLSv1

This accepts a comma-separated list of exclusions if you need to exclude more.

KathyApplebaum · June 19, 2017, 7:58pm

Just be aware that if you disable TLSv1, you won’t be able to use any clients running on Java 6.

Sammy5 · June 20, 2017, 1:24pm

The "-DexcludedCiphers=TLSv1" exclude worked, and yes by disabling TLSv1 it also insures the client end to upgrade their Java as well so that is not a problem.

Now one other issue I have found. Previously I had the following;
wrapper.java.additional.6=-> Dciphers=TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

However when doing Digicert lookup it showed the following;

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Which I would not want enabled. This is in /etc/ignition/ignition.conf. Is there another config file where it is reading the ciphers to use?

KathyApplebaum · June 20, 2017, 1:30pm

No, there’s no other file. However, you can include both ciphers and protocols in your excluded ciphers list, as comma separated values.

Sammy5 · June 20, 2017, 1:46pm

Kathy thanks for a quick reply!

I think I am doing something wrong, because the following ciphers are still showing up (or the test is wrong). I am using https://cryptoreport.websecurity.symantec.com/checker/ for a quick test. What I have in ignition.conf exactly is;

wrapper.java.additional.8=-Dciphers=TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

wrapper.java.additional.8=-DexcludedCiphers=TLSv1,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

This is ideally what I am targeting, but I am still showing after restart:
Cipher suites enabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

Should I include the ciphers on a separate line from the protocol exclusion?

KathyApplebaum · June 20, 2017, 5:58pm

Looks like those two are supported by TLS v1.2, so yeah, you’ll need to exclude them specifically. Exclude them on the same line, but IIRC sometimes you need to use an alias, so also try excluding DES-CBC3-SHA and DHE-RSA-DES-CBC3-SHA to see if that helps.

Sammy5 · June 26, 2017, 1:26pm

So I have now tried this;
wrapper.java.additional.5=-DexcludedCiphers=TLSv1,DES-CBC3-SHA,DHE-RSA-DES-CBC3-SHA

While TLSv1 is now disabled, ssl security scan shows that DES and 3DES are still an option. Is there another method or am I possibly using the wrong name for the ciphers?