Can we configure server-side SSL ciphers to put RC4 as the least preferred?

3022747
3022747 Member Posts: 5
edited Sep 16, 2015 3:50AM in Java System Web Server

We need to configure RC4 as the least preferred cipher in our iPlanet 7.0 server.

Is it possible to specify the order for the enabled ciphers?

If possible, is there any configuration in server.xml, or are there any commands to set this order?


Answers

  • Tracey Maycock-Oracle
    Tracey Maycock-Oracle Member Posts: 31
    edited Sep 2, 2015 7:17AM

    Hi,

    There are no options in the iPlanet Web Server to change the order of preference of the SSL ciphers.

    Having said that, the server will choose the most secure cipher that the client offers in the ClientHello, so this shouldn't be a problem.

    If you are really concerned about the security of your Web Server, the advice is:

    - upgrade to the latest version, 7.0.22

    - only enable TLS 1.1 and TLS 1.2

    - remove all RC4 ciphers from the list of available ciphers.

    This should leave your Web Server able to communicate with all recent clients, which can all use TLS 1.2, and usually negotiate the use of an AES cipher anyway.

    regards

    Tracey

  • 3022747
    3022747 Member Posts: 5
    edited Sep 4, 2015 10:10AM

    Can we just monitor RC4 use in iPlanet 7 and decide whether to remove it from the list depending on our clients' cipher support?

    Is there any way to monitor the cipher usage? Is there any logging option available in iPlanet 7 to identify any RC4 connection?

  • Tracey Maycock-Oracle
    Tracey Maycock-Oracle Member Posts: 31
    edited Sep 8, 2015 5:18AM Answer ✓

    Hi,

    You can log the cipher used in a connection into the access log as detailed in the following KM note:

       How To Log SSL Cipher Suites That Are Actually Used In Each Request For Oracle iPlanet Web Server And Web Proxy Server? (Doc ID 1492532.1)

    Please let me know if you can't access that document and I'll post the solution directly here for you.

    regards

    Tracey

  • 3022747
    3022747 Member Posts: 5
    edited Sep 9, 2015 3:55AM

    Hi,

    I am not able to access the document. Can you please post the solution here?

    Thanks in advance

  • Tracey Maycock-Oracle
    Tracey Maycock-Oracle Member Posts: 31
    edited Sep 9, 2015 5:58AM

    Hi,

    Here you go:

        For web server 7.0 - Add "%Ses->client.cipher%" to the logging format in the access log, deploy changes and restart the web server.

    Here is an example:

    Init fn=flex-init access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% %Ses->client.cipher% %Ses->client.keysize% %Ses->client.secret-keysize%"


    Note that you should rotate or delete the existing access file (after backing it up) so that a new one with the updated logging format as the first line will be created.

    This can be done in the Admin GUI on the page:

      Configuration --> General --> Log Preferences --> Access Log Preferences

    If this works ok for you, please make sure you mark this response as the correct answer.

    regards

    Tracey
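
Added example, not part of the original thread: one way to use the logging change above to answer the earlier question about monitoring RC4 use. It reads the `format=` header that appears as the first line of the access log, locates the `%Ses->client.cipher%` column, and tallies ciphers and the client IPs that negotiated RC4. The sample log lines, the cipher strings in them and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample: header line plus three requests. The cipher strings are
# assumed values; check what your server actually writes in that column.
SAMPLE_LOG = r'''format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% %Ses->client.cipher% %Ses->client.keysize% %Ses->client.secret-keysize%
192.0.2.10 - - [09/Sep/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 512 AES-256 256 256
192.0.2.23 - - [09/Sep/2015:10:01:05 +0000] "GET /login HTTP/1.1" 200 734 RC4 128 128
192.0.2.10 - - [09/Sep/2015:10:01:09 +0000] "GET /a.css HTTP/1.1" 200 90 AES-256 256 256
'''

TOKEN = re.compile(r"%([^%]+)%")

def compile_format(header):
    """Turn the 'format=' header line into a regex with one group per token."""
    fmt = header.strip()
    if not fmt.startswith("format="):
        raise ValueError("access log does not start with a format= line")
    fmt = fmt[len("format="):]
    names, pattern, pos = [], "^", 0
    for m in TOKEN.finditer(fmt):
        # Literal text between tokens is escaped; each token becomes a group.
        pattern += re.escape(fmt[pos:m.start()]) + "(.*?)"
        names.append(m.group(1))
        pos = m.end()
    pattern += re.escape(fmt[pos:]) + "$"
    return names, re.compile(pattern)

def cipher_usage(lines, weak=("RC4",)):
    """Return (cipher counts, per-client counts of weak-cipher requests)."""
    lines = iter(lines)
    names, rx = compile_format(next(lines))
    # Raises ValueError if the log format does not include the cipher token.
    ci, ip_i = names.index("Ses->client.cipher"), names.index("Ses->client.ip")
    counts, weak_clients = Counter(), Counter()
    for line in lines:
        m = rx.match(line.rstrip("\n"))
        if not m:
            continue  # blank or malformed line
        cipher = m.group(ci + 1)
        counts[cipher] += 1
        if any(w in cipher.upper() for w in weak):
            weak_clients[m.group(ip_i + 1)] += 1
    return counts, weak_clients

if __name__ == "__main__":
    counts, weak_clients = cipher_usage(SAMPLE_LOG.splitlines())
    print(dict(counts), dict(weak_clients))
```
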

  • 3022747
    3022747 Member Posts: 5
    edited Sep 9, 2015 8:31AM

    Thanks

    It works.

    Can we print the protocol enabled, i.e. ssl2 or ssl3, in the server access log? I have found the following command for this. Will it work?

    Can you please confirm.

    %Req->reqpb.clf-request.protocol.name%

  • Tracey Maycock-Oracle
    Tracey Maycock-Oracle Member Posts: 31
    edited Sep 9, 2015 10:25AM

    Hi,

    That parameter relates to the HTTP protocol, and not the SSL Protocol as far as I'm aware.

    I'm not able to find a reference to any value that will tell you if it's SSLv2 or SSLv3, for example.

    But to be honest, that shouldn't matter, both SSLv2 and SSLv3 should be disabled on any secure Web Server as they are both no longer considered secure.

    All current browsers have both of these disabled by default, so any of your customers that are using browsers that still use these should not be allowed access to your Website anyway.

    By keeping these enabled, you are risking the security of your whole site.

    You should only be using TLS 1.0, TLS 1.1 and TLS 1.2 in order to be secure.

    TLS 1.2 uses more secure ciphers by default, and so looking at the cipher used might help you to determine if the request used TLS 1.2 or TLS 1.0.

    regards

    Tracey

  • 3022747
    3022747 Member Posts: 5
    edited Sep 10, 2015 4:21AM

    Hi,

    We want to enable the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher to support IE8/XP. Is this cipher supported by iPlanet 7?

  • Tracey Maycock-Oracle
    Tracey Maycock-Oracle Member Posts: 31
    edited Sep 16, 2015 3:50AM

    Hi,

    I have checked with the latest version of 7.0, which is 7.0.22, and I can confirm that the cipher is supported.

    regards

    Tracey

This discussion has been closed.