Connectrix, San Navigator: TLS or SSL Weak Message Authentication Code Cipher Suites

Below is the list of weak ciphers detected in the scan report:

• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

The nginx_ssl_conf_sr file is identified as related to weak ciphers.

Steps to replace the weak ciphers:

1. Stop the SANnav services using stop-sannav.sh script (/storage/SANnav/Portal_2.3.0_bld315/stop-sannav.sh)
2. Copy the nginx_ssl_conf_sr file (/storage/SANnav/Portal_2.3.0_bld315/conf/nginx/nginx_ssl_conf_sr) into outside of the SANnav home and keep as a backup.
3. Remove the indicated ciphers below from the nginx_ssl_conf_sr file (/storage/SANnav/Portal_2.3.0_bld315/conf/nginx/nginx_ssl_conf_sr) and save the file.

ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!DSS';

4. Start the SANnav services using start-sannav.sh script. (/storage/SANnav/Portal_2.3.0_bld315/start-sannav.sh)
5. Wait for 15-20 minutes to make services up.
6. Run the scanner again and check whether any weak ciphers are still reported.
7. If reported, collect supportsave logs and SAN navigator logs, and engage Broadcom for further investigations.