June 20th, 2007 13:00

Open manage SSL Ciphers

We have Open manage installed on all our servers and I am trying to tighten them down to only use strong encryption.
 
We deal with credit cards, so we are governed by PCI requirements.  When I scan my servers they always tell me that Dell Open Manage uses weak encryption and I need to change the ciphers that are allowed.  Their solution is this:
 
SOLUTION: Disable support for LOW encryption ciphers.

Apache
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Tomcat
sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

 
 
I have tried to find out what web server Open Manage runs, without success.  However, I have found a file called C:\Program Files\Dell\SysMgt\iws\config\keystore.ini which has the line cipher_suites = in it.  I have tried various ways to enter information here without success.
 
Does anybody know what syntax I should be using for this file or is there another way to only use strong encryption?
 
Thanks
 
Otte

3 Posts

June 21st, 2007 13:00

For Information
 
I have found how to fix the problem I mentioned above:
 
In Open Manage I went to Preferences > General Settings > Web Server
 
In there I changed SSL encryption to be 128-bit or Higher.  This then adds the following line to keystore.ini:
 
cipher_suites=SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 
 
Otte
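
An added example, not part of the original posts and not Dell code: a small Python audit of the `cipher_suites` line in keystore.ini that names each configured suite and why a scanner is likely to flag it. The weak-token list is this example's own assumption, and the sample line is the one quoted in the post above; the thread does not confirm whether OMSA accepts a hand-edited line.

```python
import re

# Name tokens that mark a suite as weak, with the reason (this example's own
# assumption, not a Dell or PCI statement). CBC mode and DHE are NOT flagged.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "anon": "unauthenticated key exchange",
    "EXPORT": "export-grade key length",
    "RC4": "RC4 stream cipher (prohibited by RFC 7465)",
    "3DES": "64-bit block cipher (Sweet32)",
    "DES": "single DES",
    "MD5": "MD5-based MAC",
}

# The cipher_suites line quoted in the post above.
SAMPLE = ("cipher_suites=SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,"
          "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
          "SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
          "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA\n")

def read_cipher_suites(ini_text):
    """Return the suites on the cipher_suites line, or [] if empty or absent."""
    # [ \t]* rather than \s* so an empty value never swallows the next line.
    m = re.search(r"^[ \t]*cipher_suites[ \t]*=[ \t]*(.*)$", ini_text, re.MULTILINE)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]

def audit(ini_text):
    """Map each configured suite to the reasons it is weak (empty list = none found)."""
    report = {}
    for suite in read_cipher_suites(ini_text):
        tokens = suite.split("_")  # exact token match, so "DES" does not hit "3DES"
        report[suite] = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
    return report

def unflagged(ini_text):
    """Suites that matched none of the weak tokens, in their configured order."""
    return [suite for suite, why in audit(ini_text).items() if not why]

if __name__ == "__main__":
    for suite, why in audit(SAMPLE).items():
        print(("WEAK  " if why else "ok    ") + suite + ("  <- " + "; ".join(why) if why else ""))
    print("unflagged:", ",".join(unflagged(SAMPLE)))
```

Run against the line from the post, only the three AES suites come back unflagged; the RC4 and 3DES entries are the ones the "128-bit or Higher" setting still leaves enabled.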

1 Message

November 6th, 2015 15:00

Does anyone have a solution for the Linux install?  

1 Message

May 25th, 2016 10:00

Did you find out the linux fix?

1 Message

July 20th, 2016 19:00

This discussion is a bit old, but I ran into this problem recently with versions 7.x of OMSA having RC4 and SSLv3 enabled.  Installing 8.x will disable these by default.

1 Message

July 21st, 2016 08:00

Actually, at that time, it seems that Chrome may have relaxed its security requirements and the web GUI worked again just fine without any changes.

10 Posts

November 1st, 2017 16:00

Is there an official cipher statement for strong encryption?  I think the cipher strings I see here have both the strong and the weak in them.  I thought that strengthening involved removing the dhe_rsa options in the past, and I think some of the cbc ones are the current issues with browsers.
