
How do I configure xcat to not use weak ciphers?

My vulnerability scanner is taking issue with the SSL config in the xcatd service running on port 3001. The scanner is able to make the following connections:

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

This is a good reference configuration for a popular web server, but I'm not sure how to translate it to xcat:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

The xcat configuration setting xcatsslciphers corresponds to the IO::Socket::SSL configuration setting SSL_Cipher_list, which takes the exact same input as the SSLCipherSuite directive in Apache.

sudo sqlite3 /etc/xcat/site.sqlite

insert into site (key, value) VALUES ('xcatsslciphers', 'ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM');

You can then verify the config value as follows:

select * from site order by key;
.exit

Restart xcat:

sudo service xcatd restart

Verify security:

openssl s_client -connect localhost:3001 -cipher DES-CBC-SHA -tls1

You should not see a certificate come up.
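As an added check that is not part of the original answer: the script below expands a cipher-list string the way OpenSSL does (the same grammar xcatsslciphers, SSL_cipher_list and SSLCipherSuite accept) and lists any suite whose effective strength falls below the scanner's 112-bit threshold from the report above. It assumes the Python ssl module is linked against the same OpenSSL build that xcatd's IO::Socket::SSL uses, so that the expansion matches what the service will actually offer.

```python
from __future__ import annotations

import ssl

# Threshold taken from the scanner finding quoted in the question:
# "Medium Strength Ciphers (>= 56-bit and < 112-bit key)".
SCANNER_MIN_BITS = 112

# The cipher list the answer stores in the xcat site table.
XCAT_CIPHER_LIST = "ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"


def expand_cipher_list(cipher_string: str) -> list[dict]:
    """Expand an OpenSSL cipher-list string into the concrete suites this
    host's OpenSSL would offer, in preference order. Each entry carries
    'name', 'protocol', 'strength_bits' and more, as returned by OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string matches no cipher at all, which is
    # the same failure xcatd would hit with a bad xcatsslciphers value.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def weak_ciphers(cipher_string: str, min_bits: int = SCANNER_MIN_BITS) -> list[str]:
    """Return the suite names the scanner would still flag under this list."""
    return sorted(
        c["name"]
        for c in expand_cipher_list(cipher_string)
        if c["strength_bits"] < min_bits
    )


def dropped_from_all(cipher_string: str) -> list[str]:
    """Show which suites the exclusions (!ADH, !LOW, !EXP, ...) removed
    relative to the unrestricted 'ALL' list, so the effect is visible."""
    everything = {c["name"] for c in expand_cipher_list("ALL")}
    kept = {c["name"] for c in expand_cipher_list(cipher_string)}
    return sorted(everything - kept)


if __name__ == "__main__":
    print("suites offered:", len(expand_cipher_list(XCAT_CIPHER_LIST)))
    print("removed vs ALL:", dropped_from_all(XCAT_CIPHER_LIST))
    print("still below %d bits:" % SCANNER_MIN_BITS, weak_ciphers(XCAT_CIPHER_LIST))
```

An empty "still below" list is the local equivalent of the s_client test in the answer; the s_client probe against port 3001 remains the authoritative check, since it exercises the running service rather than a cipher-string expansion.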
