Issue
Users may need to adjust the list of SSL/TLS ciphers in use for NMC web access on the NMC, to comply with local security policies, changes in browser compatibility, or to reflect ever-changing best practices.

Product Line
Network Management Card 2 – AP9630/CH, AP9631/CH, AP9635/CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Rack Automatic Transfer Switches (AP44XX), Certain Audio/Video Network Management Enabled products, Smart-UPS Online (SRT).

Environment
AOS versions 6.6.4 onwards.

Resolution

Via the NMC command line:

Issue the “cipher” command to show the current enabled set, or “cipher help” for usage notes.
eg;

apc>cipher help
Usage: cipher --  Configuration Options
    Note: The minimal protocol setting is not considered when showing
           the available ciphers.

    cipher [-aes (enable | disable)] (AES)
           [-dh (enable | disable)] (DH)
           [-rsake (enable | disable)] (RSA Key Exchange)
           [-rsaau (enable | disable)] (RSA Authentication)
           [-sha1 (enable | disable)] (SHA)
           [-sha2 (enable | disable)] (SHA256)
           [-ecdhe (enable | disable)] (ECDHE)

Note:
Prior to 6.8.0, each option (eg -rc4) toggled the current state; these are now explicitly deterministic.
Reboot to commit changes.

Example:
List current settings, showing that all available are enabled (as default):

>cipher
E000: Success
Key Exchange Algorithms
-----------------------

        DH                   enabled
        RSA Key Exchange     enabled

Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
          will block all SSL/TLS sessions)

        RSA Authentication   enabled

Block Cipher Algorithms
-----------------------

        triple-DES           enabled
        RC4                  enabled
        AES                  enabled

MAC Algorithms
--------------

        MD5                  enabled
        SHA                  enabled
        SHA256               enabled

[...]
Disable RC4 cipher and RSA key-exchange:

>cipher -rc4 disable
E002: Success

>cipher -rsake disable
E002: Success

List new settings, confirming expected changes:

>cipher
E000: Success
Key Exchange Algorithms
-----------------------

        DH                   enabled
        RSA Key Exchange     disabled

Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
          will block all SSL/TLS sessions)

        RSA Authentication   enabled

Block Cipher Algorithms
-----------------------

        triple-DES           enabled
        RC4                  disabled
        AES                  enabled

MAC Algorithms
--------------

        MD5                  enabled
        SHA                  enabled
        SHA256               enabled

[...]

Using INI files (eg, for mass configuration):

[CryptographicAlgorithms]
;Warning: Changing these values can affect system access.
TripleDES=enabled
RC4=disabled
AES=enabled
DH=enabled
RSA_KE=disabled
RSA_Auth=enabled
MD5=enabled
SHA=enabled
SHA256=enabled

Using the web interface:

These settings are not yet exposed via the web UI.

Troubleshooting:

Be aware that disabling ciphers may affect browser compatibility; SSL/TLS will be unusable to the user unless their browser and the NMC have at least one cipher suite in common. Browser errors such as "ssl_error_no_cypher_overlap" or "err_ssl_version_or_cipher_mismatch" would indicate such an incompatibility.

Gepubliceerd voor: Schneider Electric Netherlands