Issue
Users may need to adjust the list of SSL/TLS ciphers in use for NMC web access on the NMC, to comply with local security policies, changes in browser compatibility, or to reflect ever-changing best practices.
Product Line
Network Management Card 2 – AP9630/CH, AP9631/CH, AP9635/CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Rack Automatic Transfer Switches (AP44XX), Certain Audio/Video Network Management Enabled products, Smart-UPS Online (SRT).
Environment
AOS versions 6.6.4 onwards.
Resolution
Via the NMC command line:
Issue the “cipher” command to show the current enabled set, or “cipher help” for usage notes.
eg;
Prior to 6.8.0, each option (eg -rc4) toggled the current state; these are now explicitly deterministic.
Reboot to commit changes.
Example:
List current settings, showing that all available are enabled (as default):
Disable RC4 cipher and RSA key-exchange:
List new settings, confirming expected changes:
Using INI files (eg, for mass configuration):
Using the web interface:
These settings are not yet exposed via the web UI.
Troubleshooting:
Be aware that disabling ciphers may affect browser compatibility; SSL/TLS will be unusable to the user unless their browser and the NMC have at least one cipher suite in common. Browser errors such as "ssl_error_no_cypher_overlap" or "err_ssl_version_or_cipher_mismatch" would indicate such an incompatibility.
Users may need to adjust the list of SSL/TLS ciphers in use for NMC web access on the NMC, to comply with local security policies, changes in browser compatibility, or to reflect ever-changing best practices.
Product Line
Network Management Card 2 – AP9630/CH, AP9631/CH, AP9635/CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Rack Automatic Transfer Switches (AP44XX), Certain Audio/Video Network Management Enabled products, Smart-UPS Online (SRT).
Environment
AOS versions 6.6.4 onwards.
Resolution
Via the NMC command line:
Issue the “cipher” command to show the current enabled set, or “cipher help” for usage notes.
eg;
apc>cipher help
Usage: cipher -- Configuration Options
Note: The minimal protocol setting is not considered when showing
the available ciphers.
cipher [-aes (enable | disable)] (AES)
[-dh (enable | disable)] (DH)
[-rsake (enable | disable)] (RSA Key Exchange)
[-rsaau (enable | disable)] (RSA Authentication)
[-sha1 (enable | disable)] (SHA)
[-sha2 (enable | disable)] (SHA256)
[-ecdhe (enable | disable)] (ECDHE)
Note:Prior to 6.8.0, each option (eg -rc4) toggled the current state; these are now explicitly deterministic.
Reboot to commit changes.
Example:
List current settings, showing that all available are enabled (as default):
>cipher
E000: Success
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange enabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 enabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
[...]
Disable RC4 cipher and RSA key-exchange:
>cipher -rc4 disable
E002: Success
>cipher -rsake disable
E002: Success
List new settings, confirming expected changes:
>cipher
E000: Success
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange disabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 disabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
[...]
Using INI files (eg, for mass configuration):
[CryptographicAlgorithms]
;Warning: Changing these values can affect system access.
TripleDES=enabled
RC4=disabled
AES=enabled
DH=enabled
RSA_KE=disabled
RSA_Auth=enabled
MD5=enabled
SHA=enabled
SHA256=enabled
Using the web interface:
These settings are not yet exposed via the web UI.
Troubleshooting:
Be aware that disabling ciphers may affect browser compatibility; SSL/TLS will be unusable to the user unless their browser and the NMC have at least one cipher suite in common. Browser errors such as "ssl_error_no_cypher_overlap" or "err_ssl_version_or_cipher_mismatch" would indicate such an incompatibility.