How do I configure xcat to not use weak ciphers?

My vulnerability scanner is taking issue with the SSL config in the xcatd service running on port 3001. The scanner is able to make the following connections:

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

This is a reference good configuration for a popular web server, but I'm not sure how to translate it to xcat:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

The xcat configuration setting xcatsslciphers corresponds to the IO::Socket::SSL configuration setting SSL_Cipher_list, which takes the exact same input as the SSLCipherSuite directive in Apache.

sudo sqlite3 /etc/xcat/site.sqlite

insert into site (key, value) VALUES ('xcatsslciphers', 'ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM');

You can then verify the config value as follows:

select * from site order by key;
.exit

Restart xcat:

sudo service xcatd restart

Verify security:

openssl s_client -connect localhost:3001 -cipher DES-CBC-SHA -tls1

You should not see a certificate come up.


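The scanner lines in the question use the same Enc=ALG(bits) fields that `openssl ciphers -v` prints, so a cipher string can be screened for suites under 112 bits before it is written to the site table. This is an added example, not part of the original answer; the helper name weak_ciphers and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). weak_ciphers is a hypothetical
# helper name; SAMPLE below is constructed input.
# Reads cipher lines in the Enc=ALG(bits) format and prints "name bits" for
# every suite under 112 bits, or with no encryption at all (Enc=None -> 0).
weak_ciphers() {
    awk '
    {
        name = ""; bits = -1
        for (i = 1; i <= NF; i++) {
            # Skip the protocol column wherever it appears on the line.
            if ($i ~ /^(SSLv[23]|TLSv1(\.[0-3])?)$/) continue
            if ($i ~ /^Enc=/) {
                if ($i ~ /\([0-9]+\)/) {
                    s = $i
                    sub(/^.*\(/, "", s)   # drop everything up to "("
                    sub(/\).*$/, "", s)   # drop ")" and anything after
                    bits = s + 0
                } else {
                    bits = 0              # Enc=None
                }
            } else if (name == "" && $i !~ /=/) {
                name = $i                 # first bare token is the cipher name
            }
        }
        if (name != "" && bits >= 0 && bits < 112) print name, bits
    }' | sort -u
}

# Constructed sample: two lines as the scanner reports them (protocol first)
# and three in `openssl ciphers -v` order (name first).
SAMPLE='SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1'

printf '%s\n' "$SAMPLE" | weak_ciphers

# Against a candidate xcatsslciphers value (output depends on the local OpenSSL):
# openssl ciphers -v 'ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM' | weak_ciphers
```

This only shows what the local OpenSSL expands the string to; the s_client check in the answer is still what confirms the behaviour of the xcatd listener on port 3001.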