
Weak OpenSSL ciphers on proxy clients?

Has anyone ever tried to disable the weak ciphers in OpenSSL on an Avamar proxy? I have version 7.5.1-101, and the company wants cipher suites with RC4 and 3DES and CBC somehow disallowed. Will a proxy client still work with these disabled? If I break a proxy by tinkering, I can always delete/redeploy a new one, so I think I can experiment all I want. I just have been Googling it to death for a long time, and have yet to find something that seems to work.

Any ideas?

Re: Weak OpenSSL ciphers on proxy clients?

Yeah, I had to figure it out on my own; I couldn't find this mentioned specifically anywhere via an exhaustive Google search, or in the Avamar hardening documentation either, which is strange.

Synopsis: This will only disable ciphers on the Java/Jetty webserver that runs on port 443. If you've never used vim before, I'd suggest reading up on that; it's not at all intuitive if you've never used it before.

Use a text editor like vim to edit $JAVA_HOME/lib/security/java.security. Except the $JAVA_HOME variable isn't defined on these proxy VMs, nice. It also depends on what version of the JRE you're running, so I did a search (find / -name java.security) and found it in /usr/java/jre1.8.0_112/lib/security/java.security in my case.

Inside this config file, you'll find a line "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768". In my case, I just wanted to disable TLS v1.0, so I added that: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768

After saving the changes, reboot your proxy VM and the aforementioned ciphers should be disabled on HTTPS/443.
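The edit described in the reply, done as a script so it can be repeated on every proxy and re-run safely (an added example; this is not code from the thread or from Avamar). It assumes the file has exactly one uncommented jdk.tls.disabledAlgorithms line, as in the JRE 1.8 file quoted above; the algorithm names to add are passed as arguments (TLSv1 from the reply; 3DES_EDE_CBC is a JDK token for the 3DES cipher suites, used here as an example of what the original question asked for), and a .bak copy is kept.

```shell
#!/bin/sh
# Added example, not code from the thread or from Avamar: append algorithm
# names to the jdk.tls.disabledAlgorithms line of a java.security file, once
# each, keeping a backup. Assumes exactly one uncommented
# "jdk.tls.disabledAlgorithms=" line, as in the JRE 1.8 file quoted above.

# Print the current value of jdk.tls.disabledAlgorithms (empty if absent).
get_disabled_algorithms() {
  sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1" | head -n 1
}

# add_disabled_algorithms FILE NAME...   e.g. ... TLSv1 3DES_EDE_CBC
add_disabled_algorithms() {
  file=$1; shift
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  current=$(get_disabled_algorithms "$file")
  [ -n "$current" ] || { echo "jdk.tls.disabledAlgorithms line not found in $file" >&2; return 1; }
  for name in "$@"; do
    case ", $current, " in
      *", $name, "*) ;;                     # already disabled, leave as is
      *) current="$current, $name" ;;
    esac
  done
  cp -p "$file" "$file.bak" || return 1     # backup before touching the file
  # Rewrite only the matching line; writing through '>' keeps the file's
  # owner and mode, other lines are copied unchanged.
  awk -v value="$current" \
      '/^jdk\.tls\.disabledAlgorithms=/ { print "jdk.tls.disabledAlgorithms=" value; next } { print }' \
      "$file.bak" > "$file" || return 1
  printf 'now: jdk.tls.disabledAlgorithms=%s\n' "$current"
}

# Usage on the path the reply found (adjust to your JRE version), then reboot:
#   add_disabled_algorithms /usr/java/jre1.8.0_112/lib/security/java.security TLSv1
```

After the reboot, an openssl s_client -connect <proxy>:443 -tls1 handshake from another host should now fail, which confirms the setting took effect on the port 443 listener.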