New security requirements may mandate that low-grade encryption ciphers are not accepted from clients when they initiate an SSL connection to a webserver.
In releases of ZWS version 4.3 and above, new features have been added to allow the list of acceptable ciphers to be manually specified.
There are three tunables named:
tuning!support_ssl2
tuning!support_ssl3
tuning!support_tls1
... which determine which protocol versions are accepted from clients. Of these, the cipher suites used for SSLv3 and TLSv1 can be restricted with a further tunable:
tuning!ssl3_ciphers
This tunable takes a colon-separated list of the ciphers which may be used. The available ciphers can be listed by running "$ZEUSHOME/web/bin/zeus.web --ciphers"; the output will appear similar to:
SSL3 Ciphers enabled by default:
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_56_SHA
SSL_RSA_EXPORT_WITH_RC4_56_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Other ciphers (disabled by default):
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5
... showing that the NULL ciphers are already disabled (but can still be explicitly enabled through the "tuning!ssl3_ciphers" tunable). However, a number of ciphers with a key length of less than 128 bits are still enabled by default. To tune ZWS to support only medium- or high-security ciphers, add the following lines to ZWS' "$ZEUSHOME/web/global.cfg" file:
tuning!support_ssl2 no
tuning!ssl3_ciphers SSL_RSA_WITH_AES_256_CBC_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_AES_128_CBC_SHA
Restart ZWS, and only clients offering medium-security or better ciphers will be accepted.
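As an added worked example (not part of the original article and not Zeus' own tooling), the following Python script parses the two-section listing printed by "zeus.web --ciphers", drops EXPORT, NULL and sub-128-bit suites, and emits the matching "tuning!ssl3_ciphers" line, plus a check for weak suites left in an existing line. The sample output is constructed from the listing above, and the key lengths are inferred from the suite names.

```python
# Constructed sample: the listing printed by "$ZEUSHOME/web/bin/zeus.web --ciphers".
SAMPLE_OUTPUT = """\
SSL3 Ciphers enabled by default:
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_56_SHA
SSL_RSA_EXPORT_WITH_RC4_56_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Other ciphers (disabled by default):
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5
"""
# Nominal symmetric key length implied by the bulk-cipher token in a suite name
# (assumed mapping; DES40 is checked before DES_CBC so the export variant matches first).
KEY_BITS = {"NULL": 0, "DES40": 40, "RC4_40": 40, "RC4_56": 56, "DES_CBC": 56,
            "RC4_128": 128, "AES_128": 128, "3DES_EDE": 168, "AES_256": 256}

def parse_cipher_output(text):
    """Split the tool's output into (enabled, disabled) suite-name lists."""
    enabled, disabled, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):                     # section header line
            current = enabled if "enabled" in line else disabled
        elif line and current is not None:
            current.append(line)
    return enabled, disabled

def key_bits(suite):
    """Key length of a suite, or 0 when the bulk cipher is NULL or unrecognised."""
    return next((bits for tok, bits in KEY_BITS.items() if tok in suite), 0)

def is_weak(suite, min_bits=128):
    """EXPORT-grade, NULL and short-key suites fail the medium-security bar."""
    return "EXPORT" in suite or key_bits(suite) < min_bits

def build_ssl3_ciphers(enabled, min_bits=128):
    """Emit the global.cfg line keeping only acceptable suites, strongest first."""
    keep = [s for s in enabled if not is_weak(s, min_bits)]
    keep.sort(key=key_bits, reverse=True)          # stable: tool order kept within a tier
    return "tuning!ssl3_ciphers " + ":".join(keep)

def audit_ssl3_ciphers(cfg_line, min_bits=128):
    """Return the weak suites an existing tuning!ssl3_ciphers line still permits."""
    key, _, value = cfg_line.strip().partition(" ")
    if key != "tuning!ssl3_ciphers":
        return []
    return [s for s in value.split(":") if is_weak(s, min_bits)]
```

Running build_ssl3_ciphers over the enabled list reproduces the hardened line given above; audit_ssl3_ciphers can be pointed at the current global.cfg line to confirm nothing below 128 bits survived an edit.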