Security

Reply
Highlighted
Accepted Solution

Configuring TLS 1.2 and ciphersuites in NIOS 8.0

[ Edited ]
Adviser
Posts: 131
11263     9

A lot of Infoblox customers have asked for the capability to have NIOS use TLS 1.2 for the HTTPS connection from an administrator's browser to the NIOS web interface presented by the grid master. They've also asked for the ability to disable the use of RC4 and other weak ciphers in HTTPS connections to the NIOS web interface. I'm happy to report that both capabilities are now available in NIOS 8.0, which was just released to the Infoblox support site. (These capabilities also apply to API connections, which also use HTTPS.)

 

I was playing around with this on my demo grid, and I thought I'd pass on the results of my testing so that you can save yourself some time searching through the documentation and avoid some of the confusion I created for myself. There are three cases I address, depending on how sophisticated you want or need to be in configuring TLS.

 

Basic Usage

 

For most uses the default TLS configuration in NIOS 8.0 is fine and need not be changed:

 

  • By default HTTPS connections support TLS 1.0, 1.1, and 1.2.
  • By default HTTPS connections do not support the use of RC4 or DES.

 If your browser supports TLS 1.2 and prefers it to TLS 1.1 or 1.0 then you will automatically get a TLS 1.2 connection with a relatively strong ciphersuite.

 

Intermediate Usage

 

In some cases you may wish to disable the use of TLS 1.0 and 1.1 entirely, and force browsers to use (only) TLS 1.2. This can be done using two new CLI commands, "set ssl_tls_settings" and "set ssl_tls_protocols". (There is no comparable way in the web interface to set this; you need to use the CLI.) These commands need to be executed on the grid master (only).

 

The CLI command "set ssl_tls_settings" determines whether you are using the default TLS configuration (see above) or if you want to override the default. Once you override the default configuration you can then use the command "set ssl_tls_protocols" to disable or enable particular TLS versions. Here's the default configuration in NIOS 8.0 as shipped:

 

Infoblox > show ssl_tls_settings
SSL/TLS settings: default
Use 'ssl_tls_protocols' and 'ssl_tls_ciphers' to see current settings
Infoblox > show ssl_tls_protocols
TLSv1.0 TLSv1.1 TLSv1.2

 

If you want to disable TLS 1.0 and 1.1 then execute the following commands:

 

Infoblox > set ssl_tls_settings override
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_protocols disable TLSv1.0
TLSv1.0 was disabled. Current configuration: TLSv1.1 TLSv1.2
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_protocols disable TLSv1.1
TLSv1.1 was disabled. Current configuration: TLSv1.2
The following services need to be restarted manually: GUI
Infoblox > 

 

The message about restarting the GUI is somewhat confusing. As far as I can tell there's nothing you need to do on the Infoblox end. You simply need to start a new HTTPS session to the grid master in your browser.

 

Advanced Usage

 

If your site has especially stringent requirements for TLS, or if you're the sort of person who likes to test your web sites against the Qualys SSL Labs server test, then you may want to exercise more fine-grained control over the TLS ciphersuites used by the web interface. You can do this using the CLI command "set ssl_tls_ciphers".

 

WARNING: If you use this command it is possible to put your web interface into a state where no browser can connect to it, because the browser and the web server cannot negotiate a common ciphersuite. If this happens to you, you can either continue to tweak the settings using "set ssl_tls_ciphers", or you can use the command "set ssl_tls_settings default" to return the system to the default TLS configuration while you figure out what you did wrong.

 

Here is the default set of ciphersuites as shipped; these are ordered from top to bottom, with earlier ciphersuites being preferred to later ones:

 

Infoblox > show ssl_tls_ciphers
  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled 
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled 
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled 
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled 
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled 
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled 
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled 
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled 
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled 
 10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled 
 11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled 
 12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled 
 13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled 
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled
     TLS_RSA_WITH_RC4_128_SHA            disabled
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Infoblox>

 

The ciphersuite names are those used in the RFC documents for TLS. A number of documents on the web instead reference the ciphersuite names used by OpenSSL. Here's a list of how the RFC names map to the OpenSSL names:

 

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     DHE-RSA-AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA            DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA            DHE-RSA-AES256-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      DHE-RSA-AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256               AES128-GCM-SHA256
TLS_RSA_WITH_AES_128_CBC_SHA                      AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256                AES128-SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA                  DES-CBC3-SHA
TLS_RSA_WITH_AES_256_GCM_SHA384               AES256-GCM-SHA384
TLS_RSA_WITH_AES_256_CBC_SHA                      AES256-SHA
TLS_RSA_WITH_AES_256_CBC_SHA256                AES256-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA            DHE-DSS-AES256-SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA           DH-RSA-DES-CBC3-SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA           DH-DSS-DES-CBC3-SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA            DHE-DSS-AES128-SHA
TLS_RSA_WITH_RC4_128_SHA                               RC4-SHA
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     DHE-DSS-AES256-GCM-SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256      DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256      DHE-DSS-AES128-SHA256

 

As an example of how to change the ciphersuites, suppose that for some reason you needed to re-enable the use of RC4. You could do this as follows:

 

Infoblox > set ssl_tls_settings override
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_ciphers enable TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA was enabled
The following services need to be restarted manually: GUI
Infoblox > show ssl_tls_ciphers
  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled 
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled 
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled 
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled 
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled 
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled 
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled 
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled 
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled 
 10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled 
 11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled 
 12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled 
 13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled 
 14. TLS_RSA_WITH_RC4_128_SHA            enabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Infoblox >

 

By default any ciphersuites you enable get appended to the list of already-enabled ciphersuites, so that the RC4 ciphersuite goes into position 14 in the list. It will be used only if none of the other cipher suites are usable by the connecting browser. (You can also force the new ciphersuite to go into a particular position in the list by adding a position number at the end of the command, after the ciphersuite name.)

 

Suppose you then want to disable the use of RC4 again. You can do this as follows:

 

Infoblox > set ssl_tls_ciphers disable 14
TLS_RSA_WITH_RC4_128_SHA was disabled
The following services need to be restarted manually: GUI
Infoblox > 

 

Note that (unlike enabling) you disable cipher suites by referencing their current position in the list, not by referencing their names.

 

A final thought: There are some useful references on the web regarding recommended ciphersuites, including the SSL Labs document "SSL and TLS Deployment Best Practices" and the Mozilla document "Security/Server Side TLS". However be aware that NIOS does not currently support some of the newer ciphersuites referenced in these documents, including in particular the "ECDHE" ciphersuites. Also, if you disable all the non-DHE RSA ciphersuites (as implied by the SSL Labs document) then you will cause problems for Safari, Chrome, and possibly other browsers. So proceed with caution, and test all the browsers you are likely to use.

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

Expert
Posts: 228
11264     9

Excellent article.  Thanks, Frank!

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

Authority
Posts: 25
11264     9

Do we know if there's any way to disable or tweak the HTTP Strict Transport Security (HSTS) settings that got added in NIOS 8.3?

https://docs.infoblox.com/display/nios83/What%27s+New

 

I've been doing some testing with custom certs lately and I keep getting myself locked out because modern browsers are trying to respect the HSTS settings.

Re: Configuring TLS 1.2 and ciphersuites in NIOS 8.0

[ Edited ]
negan16
Techie
Posts: 3
11264     9

my site no longer open on internet explorer IE. Is there a way to correct that?

 

 

______________________________________________

Mini Militia App Lock 7Zip

Showing results for 
Search instead for 
Do you mean 

Recommended for You

Demo: Infoblox IPAM plug-in integration with OpenStack Newton