Learn How We Can Help You Keep Teleworkers Protected During the COVID-19 Crisis

Security

Reply
Highlighted
Accepted Solution

Configuring TLS 1.2 and ciphersuites in NIOS 8.0

[ Edited ]
Adviser
Posts: 135
425     0

A lot of Infoblox customers have asked for the capability to have NIOS use TLS 1.2 for the HTTPS connection from an administrator's browser to the NIOS web interface presented by the grid master. They've also asked for the ability to disable the use of RC4 and other weak ciphers in HTTPS connections to the NIOS web interface. I'm happy to report that both capabilities are now available in NIOS 8.0, which was just released to the Infoblox support site. (These capabilities also apply to API connections, which also use HTTPS.)

 

I was playing around with this on my demo grid, and I thought I'd pass on the results of my testing so that you can save yourself some time searching through the documentation and avoid some of the confusion I created for myself. There are three cases I address, depending on how sophisticated you want or need to be in configuring TLS.

 

Basic Usage

 

For most uses the default TLS configuration in NIOS 8.0 is fine and need not be changed:

 

  • By default HTTPS connections support TLS 1.0, 1.1, and 1.2.
  • By default HTTPS connections do not support the use of RC4 or DES.

 If your browser supports TLS 1.2 and prefers it to TLS 1.1 or 1.0 then you will automatically get a TLS 1.2 connection with a relatively strong ciphersuite.

 

Intermediate Usage

 

In some cases you may wish to disable the use of TLS 1.0 and 1.1 entirely, and force browsers to use (only) TLS 1.2. This can be done using two new CLI commands, "set ssl_tls_settings" and "set ssl_tls_protocols". (There is no comparable way in the web interface to set this; you need to use the CLI.) These commands need to be executed on the grid master (only).

 

The CLI command "set ssl_tls_settings" determines whether you are using the default TLS configuration (see above) or if you want to override the default. Once you override the default configuration you can then use the command "set ssl_tls_protocols" to disable or enable particular TLS versions. Here's the default configuration in NIOS 8.0 as shipped:

 

Infoblox > show ssl_tls_settings
SSL/TLS settings: default
Use 'ssl_tls_protocols' and 'ssl_tls_ciphers' to see current settings
Infoblox > show ssl_tls_protocols
TLSv1.0 TLSv1.1 TLSv1.2

 

If you want to disable TLS 1.0 and 1.1 then execute the following commands:

 

Infoblox > set ssl_tls_settings override
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_protocols disable TLSv1.0
TLSv1.0 was disabled. Current configuration: TLSv1.1 TLSv1.2
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_protocols disable TLSv1.1
TLSv1.1 was disabled. Current configuration: TLSv1.2
The following services need to be restarted manually: GUI
Infoblox > 

 

The message about restarting the GUI is somewhat confusing. As far as I can tell there's nothing you need to do on the Infoblox end. You simply need to start a new HTTPS session to the grid master in your browser.

 

Advanced Usage

 

If your site has especially stringent requirements for TLS, or if you're the sort of person who likes to test your web sites against the Qualys SSL Labs server test, then you may want to exercise more fine-grained control over the TLS ciphersuites used by the web interface. You can do this using the CLI command "set ssl_tls_ciphers".

 

WARNING: If you use this command it is possible to put your web interface into a state where no browser can connect to it, because the browser and the web server cannot negotiate a common ciphersuite. If this happens to you, you can either continue to tweak the settings using "set ssl_tls_ciphers", or you can use the command "set ssl_tls_settings default" to return the system to the default TLS configuration while you figure out what you did wrong.

 

Here is the default set of ciphersuites as shipped; these are ordered from top to bottom, with earlier ciphersuites being preferred to later ones:

 

Infoblox > show ssl_tls_ciphers
  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled 
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled 
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled 
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled 
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled 
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled 
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled 
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled 
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled 
 10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled 
 11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled 
 12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled 
 13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled 
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled
     TLS_RSA_WITH_RC4_128_SHA            disabled
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Infoblox>

 

The ciphersuite names are those used in the RFC documents for TLS. A number of documents on the web instead reference the ciphersuite names used by OpenSSL. Here's a list of how the RFC names map to the OpenSSL names:

 

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     DHE-RSA-AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA            DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA            DHE-RSA-AES256-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      DHE-RSA-AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256               AES128-GCM-SHA256
TLS_RSA_WITH_AES_128_CBC_SHA                      AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256                AES128-SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA                  DES-CBC3-SHA
TLS_RSA_WITH_AES_256_GCM_SHA384               AES256-GCM-SHA384
TLS_RSA_WITH_AES_256_CBC_SHA                      AES256-SHA
TLS_RSA_WITH_AES_256_CBC_SHA256                AES256-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA            DHE-DSS-AES256-SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA           DH-RSA-DES-CBC3-SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA           DH-DSS-DES-CBC3-SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA            DHE-DSS-AES128-SHA
TLS_RSA_WITH_RC4_128_SHA                               RC4-SHA
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     DHE-DSS-AES256-GCM-SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256      DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256      DHE-DSS-AES128-SHA256

 

As an example of how to change the ciphersuites, suppose that for some reason you needed to re-enable the use of RC4. You could do this as follows:

 

Infoblox > set ssl_tls_settings override
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_ciphers enable TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA was enabled
The following services need to be restarted manually: GUI
Infoblox > show ssl_tls_ciphers
  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled 
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled 
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled 
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled 
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled 
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled 
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled 
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled 
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled 
 10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled 
 11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled 
 12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled 
 13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled 
 14. TLS_RSA_WITH_RC4_128_SHA            enabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Infoblox >

 

By default any ciphersuites you enable get appended to the list of already-enabled ciphersuites, so that the RC4 ciphersuite goes into position 14 in the list. It will be used only if none of the other cipher suites are usable by the connecting browser. (You can also force the new ciphersuite to go into a particular position in the list by adding a position number at the end of the command, after the ciphersuite name.)

 

Suppose you then want to disable the use of RC4 again. You can do this as follows:

 

Infoblox > set ssl_tls_ciphers disable 14
TLS_RSA_WITH_RC4_128_SHA was disabled
The following services need to be restarted manually: GUI
Infoblox > 

 

Note that (unlike enabling) you disable cipher suites by referencing their current position in the list, not by referencing their names.

 

A final thought: There are some useful references on the web regarding recommended ciphersuites, including the SSL Labs document "SSL and TLS Deployment Best Practices" and the Mozilla document "Security/Server Side TLS". However be aware that NIOS does not currently support some of the newer ciphersuites referenced in these documents, including in particular the "ECDHE" ciphersuites. Also, if you disable all the non-DHE RSA ciphersuites (as implied by the SSL Labs document) then you will cause problems for Safari, Chrome, and possibly other browsers. So proceed with caution, and test all the browsers you are likely to use.

Highlighted

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

Expert
Posts: 236
425     0

Excellent article.  Thanks, Frank!

Highlighted

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

Authority
Posts: 43
425     0

Do we know if there's any way to disable or tweak the HTTP Strict Transport Security (HSTS) settings that got added in NIOS 8.3?

https://docs.infoblox.com/display/nios83/What%27s+New

 

I've been doing some testing with custom certs lately and I keep getting myself locked out because modern browsers are trying to respect the HSTS settings.

Highlighted

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

Adviser
Posts: 135
425     0

I was just looking at this post and realized I never answered this question about what to do if browser HSTS settings are preventing you from logging in to the web GUI. (For example, this can occur if you put a CA-issued TLS certificate on the grid master, and the certificate expires.)

 

In that situation I have been able to recover by connecting to the web GUI using the grid master's IP address instead of its FQDN, e.g., "https://192.168.0.11" vs. "https://gm.example.com".

Highlighted

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

Authority
Posts: 43
425     0

Sure, there are ways to workaround the problem in the browser that I ended up figuring out. But I'm still hoping there is or will eventually be a way to change the configuration on the Infoblox side so I no longer need the browser workaround.

Highlighted

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

Adviser
Posts: 135
426     0

My apologies for the belated reply. To my knowledge the only way to work around HSTS issues on the Infoblox (web server) side is to install a valid TLS server certificate that the browser can validate. (In other words, the certificate must chain up to a root CA certificate that comes pre-loaded with the browser or that can be imported into it.

 

You can use the Let's Encrypt service to issue TLS server certificates for Infoblox grid masters, if you don't have an enterprise Certificate Authority. You create a Certificate Signing Request from the Infoblox GUI, with a common name referencing the FQDN of the grid master. Then you use the Let's Encrypt certbot command to issue a certificate for the CSR, using the DNS challenge mechanism. To validate your ownership of the enterprise domain you'll need to add special TXT records to the (external) zone for the enterprise; the certbot utility will tell you the values of the TXT records. Then once the certificate is issued you can import it into the grid master.

 

Frank

 

Highlighted

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

[ Edited ]
Authority
Posts: 43
426     0

Thanks Frank. No worries on the delay. I'm actually quite familiar with Let's Encrypt having written my own PowerShell client for it called Posh-ACME. Ironically, it was during the development of that client and my subsequent attempts to import the resulting certs to the grid that I ran into the HSTS issues to begin with.

 

Still hoping eventually for a CLI command or API method to tell the grid not to send the HSTS header at all. Having it on is obviously the best default, but having the ability to selectively turn it off would be great too. I just need to find a large enough customer to push an RFE.

Showing results for 
Search instead for 
Do you mean 

Recommended for You