SSL Cipher String is not updated dynamically

GrantConsultingGroup
User
Posts: 26
Joined: Thu Dec 01, 2016 7:58 pm

SSL Cipher String is not updated dynamically

Post by GrantConsultingGroup » Tue May 30, 2017 2:32 pm

Inside the Cerberus SFTP application under "Advanced Security Options", we noticed that even if we enable (checked box) or disable (empty box) an option, the SSL Cipher String is not updated dynamically. The string of text is changed only if you adjust settings through the Security Profiles: drop-down box. This leads to options set or advertised in the SSL Cipher String not displaying the correct options when compared against the current option selection.

This also means that when you click the Test button on the same page you are not testing against the current security/cipher settings, as the list is not updated as expected, leading to inaccurate and wrong Cipher Suite Name and Bits information being displayed to the user and to the clients.


Re: SSL Cipher String is not updated dynamically

Post by GrantConsultingGroup » Tue May 30, 2017 2:40 pm

SSL configuration not being updated or displayed properly also means a user could possibly misconfigure the Cerberus application and cause it not to start up properly after the service is stopped and restarted, as test and other settings are not updated or displayed correctly. This would lead to a startup issue and an error message being displayed (see below).

This issue could also lead to errors such as "unable to connect: SSL_Error_SSL error:14094438:SSL routine:ssl_read_bytes:tlsv1 alert internal error - SSSL_connect error in tcp_connect".


Re: SSL Cipher String is not updated dynamically

Post by GrantConsultingGroup » Tue May 30, 2017 3:05 pm

We have a few follow up questions to our original post:

When selecting the "perfect forward secrecy, favor GCM, no RC4, no MD5, 256-bit min" setting, why does the application show RC4 both enabled and disabled in the SSL Cipher String dialog box?

"EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!AES128:!SEED:!CAMELLIA128"

Why is the default setting leaving "sha1" enabled in the "SSH2 Key Exchange Protocol List" and "SSH HMAC List" as SHA1, even though it has been proven to be vulnerable to attack?


Re: SSL Cipher String is not updated dynamically

Post by GrantConsultingGroup » Tue May 30, 2017 4:02 pm

What I also discovered is that the options configured or selected do not have any effect on the SSL Cipher String, and this can cause Cerberus SFTP application issues, as the security configuration of the application is not accurately reflected in the SSL Cipher String. This leads to a problem where the application is configured to only support certain ciphers but the SSL Cipher String lists ciphers that are not being used or allowed by the application.

Instead, the SSL Cipher String and TEST button under Advanced Security Options appear to show and affect the Cerberus SFTP application's client-side level of SSL security, and what type of SSL/TLS encryption will be supported on the client side of the application when Cerberus initiates a connection to another machine and negotiates SSL/TLS. It appears that while these settings are set via the drop-down and buttons located at the bottom of the screen, all other options are not linked to these settings and only affect the server side of the Cerberus application and the strength of the SSL/TLS encryption used on connections that are being received (server side) by the system.

As a result, I found that the test button does not reflect the overall Security configuration of the CERBERUS SFTP application or what
Furthermore, SMTP email relay only breaks when the following text is included “:AES128”

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Re: SSL Cipher String is not updated dynamically

Post by Serin » Thu Jun 08, 2017 2:52 pm

Hello,

We've addressed most of these points with you offline in your separate support request, but there are no unexpected issues here.

Regarding updating the SSL Cipher String and the SSH check boxes, you appear to be confusing SSH and SSL. They are completely separate and different protocols.

Modifying the SSL cipher string does not change SSH cipher settings, and modifying SSH cipher settings will not change the SSL cipher string. This is by design.

The SSL cipher string controls both outgoing SSL connections (what you are referring to as client side), and incoming connections (server side).

The Security Profiles option is just a snapshot configuration that will change the SSL cipher string and SSH ciphers and other protocol options to match the options associated with that profile. Further modifications to either the SSL cipher string or SSH ciphers will not change the Security Profiles combo box selection. The Security Profiles are just pre-canned profiles that get applied when they are selected. They do not remain linked with your settings.

As a result, I found that the test button does not reflect the overall Security configuration of the CERBERUS SFTP application or what
Furthermore, SMTP email relay only breaks when the following text is included “:AES128”

Your specific issue is related to the Microsoft Office 365 SMTP relay when you select Perfect Forward Secrecy (PFS), 256-bit only encryption. This issue is not with Cerberus, but with the limited ciphers Microsoft supports. When you select the Perfect Forward Secrecy profile, Cerberus purposely limits the cipher suites available to those supporting Perfect Forward Secrecy at the 256 level. Microsoft supports none of those 256-bit PFS cipher suites. They do support 256-bit cipher suites that don't support PFS. We've added a simpler, 256 bit profile in 8.0.12 to account for these edge cases.

When selecting the "perfect forward secrecy, favor GCM, no RC4, no MD5, 256-bit min" setting, why does the application show RC4 both enabled and disabled in the SSL Cipher String dialog box?

"EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!AES128:!SEED:!CAMELLIA128"

You're right. RC4 should not be in there, but it has no practical effect because !RC4 is also in there, and the !RC4 takes precedence. We've removed the RC4 string in the latest 8.0.12 build.

Why is default setting leaving "sha1" enabled in "SSH2 key Exchange Protocol List" and "SSH HMAC List" as SHA1 even though is has been proven to be vulnerable to attack?

SHA1 and HMAC-SHA1 are not the same, and HMAC-SHA1 has not been demonstrated to be vulnerable to collision attacks at this time. HMAC-SHA1 has been left enabled because all clients support it. Many SSH SFTP clients still do not support HMAC-SHA256, although if you don't have compatibility issues with older clients then by all means disable HMAC-SHA1. We do recommend moving away from HMAC-SHA1, but there is no demonstrated vulnerability in that algorithm at this time (even though it does make use of SHA1).

Inside of the Cerberus SFTP application under "Advanced Security Options" - We noticed that even if we enable (checked box) or disable (empty box) the SSL Cipher String is not updated dynamically. The string of text is changed only if you adjust settings through the Security Profiles: drop down box. This leads to options set or advertised in SSL Cipher String not displaying correct options when compared against current option selection.

I believe you're confusing SSH and SSL settings, and you are misunderstanding how the Security Profiles combo box works. Please see our earlier explanation, or the online help, for further information. The only change we might make is to make the Security Profiles box automatically switch to "Custom" anytime you change any Security settings so there is no confusion.
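The two cipher-string points in the reply above (that a trailing `!RC4` overrides the earlier `RC4` entry no matter where it sits, and that `!AES128` is what strips every 128-bit suite from the "PFS, 256-bit min" profile) follow from OpenSSL's cipher-list evaluation rules. The evaluator below is an added example written for this page; it is not Cerberus' or OpenSSL's code. It models the four operators (`A+B` intersection, bare append, `!` permanent removal, `-` removable removal, `+` move-to-end) over a small constructed suite table whose keyword tags are hand-assigned (real OpenSSL builds differ in detail, for instance in whether AEAD suites match `SHA256`/`SHA384`; use `openssl ciphers -v '<string>'` for the authoritative expansion). `CERBERUS_PFS_256` is the string quoted in the thread.

```python
"""Toy evaluator for OpenSSL-style cipher strings (added example, constructed table)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int          # symmetric key size
    tags: frozenset    # OpenSSL keywords this suite matches (hand-assigned, constructed)


def _s(name, bits, *tags):
    return Suite(name, bits, frozenset(tags))


# Constructed subset of real suite names. "EECDH"/"EDH" mark ephemeral (forward-secret)
# key exchange; "kRSA" marks static RSA key exchange, which has no forward secrecy.
SUITES = [
    _s("ECDHE-ECDSA-AES256-GCM-SHA384", 256, "EECDH", "ECDSA", "AESGCM", "AES256", "SHA384"),
    _s("ECDHE-ECDSA-AES128-GCM-SHA256", 128, "EECDH", "ECDSA", "AESGCM", "AES128", "SHA256"),
    _s("ECDHE-RSA-AES256-GCM-SHA384", 256, "EECDH", "aRSA", "AESGCM", "AES256", "SHA384"),
    _s("ECDHE-RSA-AES128-GCM-SHA256", 128, "EECDH", "aRSA", "AESGCM", "AES128", "SHA256"),
    _s("ECDHE-RSA-AES256-SHA384", 256, "EECDH", "aRSA", "AES256", "SHA384"),
    _s("ECDHE-RSA-AES128-SHA256", 128, "EECDH", "aRSA", "AES128", "SHA256"),
    _s("ECDHE-RSA-RC4-SHA", 128, "EECDH", "aRSA", "RC4", "SHA1"),
    _s("DHE-RSA-AES256-GCM-SHA384", 256, "EDH", "aRSA", "AESGCM", "AES256", "SHA384"),
    _s("AES256-GCM-SHA384", 256, "kRSA", "aRSA", "AESGCM", "AES256", "SHA384"),
    _s("AES128-SHA", 128, "kRSA", "aRSA", "AES128", "SHA1"),
    _s("RC4-MD5", 128, "kRSA", "aRSA", "RC4", "MD5"),
    _s("DES-CBC3-SHA", 112, "kRSA", "aRSA", "3DES", "SHA1"),
    _s("NULL-SHA", 0, "kRSA", "aRSA", "eNULL", "SHA1"),
    _s("ADH-AES256-SHA", 256, "EDH", "aNULL", "AES256", "SHA1"),
]

# The string shown in the thread for the "perfect forward secrecy ... 256-bit min" profile.
CERBERUS_PFS_256 = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!AES128:!SEED:!CAMELLIA128"
)


def expand(cipher_string):
    """Return the ordered list of suite names the string selects.

    Rules modelled: items are processed left to right; "A+B" selects suites that
    match every keyword; a bare item appends matches not already present; "!" removes
    matches and bars them from being re-added later; "-" removes matches but a later
    bare item may add them back; "+" moves matches to the end of the list.
    Keywords absent from the table match nothing (real OpenSSL would reject them).
    """
    selected = []      # current preference-ordered list
    killed = set()     # suites removed with "!" can never come back
    for item in cipher_string.split(":"):
        if not item:
            continue
        op, body = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        keywords = body.split("+")
        matching = [s for s in SUITES if all(k in s.tags for k in keywords)]
        if op == "!":
            killed.update(matching)
            selected = [s for s in selected if s not in matching]
        elif op == "-":
            selected = [s for s in selected if s not in matching]
        elif op == "+":
            moved = [s for s in selected if s in matching]
            selected = [s for s in selected if s not in matching] + moved
        else:
            for s in matching:
                if s not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


def summarize(cipher_string):
    """(number of suites selected, weakest key size in bits, every suite forward-secret?)"""
    names = expand(cipher_string)
    suites = [s for s in SUITES if s.name in names]
    min_bits = min((s.bits for s in suites), default=0)
    all_pfs = all("EECDH" in s.tags or "EDH" in s.tags for s in suites)
    return len(suites), min_bits, all_pfs


if __name__ == "__main__":
    cases = [
        ("PFS/256 profile", CERBERUS_PFS_256),
        ("same profile without !AES128", CERBERUS_PFS_256.replace(":!AES128", "")),
        ("RC4:!RC4:RC4", "RC4:!RC4:RC4"),
        ("RC4:-RC4:RC4", "RC4:-RC4:RC4"),
        ("AES256:!aNULL", "AES256:!aNULL"),
    ]
    for label, cs in cases:
        print(f"{label}: {expand(cs)}  summary={summarize(cs)}")
```

Against this table the profile string resolves to four forward-secret 256-bit suites and nothing else: the stray `RC4` entry contributes nothing because `!RC4` comes later, and the static-RSA `AES256-GCM-SHA384` never gets in because no bare item selects `kRSA`. Deleting `:!AES128` brings the three 128-bit ECDHE suites back, which is the edit the thread reports as making the SMTP relay work again. The `RC4:!RC4:RC4` versus `RC4:-RC4:RC4` pair shows the precedence difference between the two removal operators.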


Re: SSL Cipher String is not updated dynamically

Post by GrantConsultingGroup » Tue Jul 18, 2017 3:03 am

Thank you for your reply, for the team's pointing out my misunderstanding, and for the adjustments to the application.