Disabling low-grade encryption in ZWS 4.3 and above

New security requirements can require that low-grade encryption ciphers are not accepted from clients when they initiate an SSL request to a webserver.

In releases of ZWS version 4.3 and above, new features have been added to allow the list of acceptable ciphers to be manually specified.

There are three tunables named:

tuning!support_ssl2
tuning!support_ssl3
tuning!support_tls1


... which determine which encryption methods are accepted from clients. Of these, the block ciphers used for SSLv3 and TLSv1 can be tuned with a third parameter:

tuning!ssl3_ciphers


This tunable takes a colon-seperated list of ciphers which can be used. The choice of ciphers can be found by running "$ZEUSHOME/web/bin/zeus.web --ciphers", and the output will appear similar to:

SSL3 Ciphers enabled by default:
   SSL_RSA_WITH_RC4_128_SHA
   SSL_RSA_WITH_RC4_128_MD5
   SSL_RSA_WITH_AES_256_CBC_SHA
   SSL_RSA_WITH_3DES_EDE_CBC_SHA
   SSL_RSA_WITH_AES_128_CBC_SHA
   SSL_RSA_EXPORT_WITH_RC4_56_SHA
   SSL_RSA_EXPORT_WITH_RC4_56_MD5
   SSL_RSA_WITH_DES_CBC_SHA
   SSL_RSA_EXPORT_WITH_DES_CBC_SHA
   SSL_RSA_EXPORT_WITH_RC4_40_MD5
   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

Other ciphers (disabled by default):
   SSL_RSA_WITH_NULL_SHA
   SSL_RSA_WITH_NULL_MD5

... showing that NULL ciphers are already disabled (but can still be explicitly enabled with the "tuning!ssl3_ciphers" tunable). However, a number of ciphers with a key of less than 128 bits in length are still enabled by default. To tune ZWS to only support medium- or high- security ciphers, add the following lines to ZWS' "$ZEUSHOME/web/global.cfg" file:

tuning!support_ssl2 no
tuning!ssl3_ciphers SSL_RSA_WITH_AES_256_CBC_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_
SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_AES_128_CBC_SHA

Restart ZWS, and only clients offering medium-security or better ciphers will be accepted.

Content Manager [Administrator] 14 June 2004