New SSL Accepted Versions and Cipher Strength in 2X Remote Application Server v14
Posted by Christopher Flores on 01 April 2015 07:53 AM

Overview

v14 of 2X Remote Application Server introduced the ability to enforce and use specific versions of SSL as well as allowing the custom configuration of the Cipher Strength used. This article will cover how to configure the cipher strength used when a Gateway SSL or Direct SSL connection from a 2X Client is established against a 2X Secure Client Gateway.

Versions Affected

2X Remote Application Server v14.0+

Description

All configuration is present in the 2X Secure Client Gateway Properties and may be found under the SSL/TLS tab.

In v14, the following Accepted SSL Versions are available:

  • TLS v1.2 Only (Strong)
  • TLS v1.1 - TLS v1.2
  • TLS v1 - TLS v1.2
  • SSL v3 - TLS v1.2
  • SSL v2 - TLS v1.2 (Weak)

These options allow the administrator to choose which version is preferred and to be protected against vulnerabilities discovered in older versions of SSL. One such vulnerability was the Heartbleed vulnerability.

One additional inclusion is the ability to configure the Cipher Strength. All options available are based on OpenSSL standards, as documented in the OpenSSL ciphers documentation (linked in the Notes). As per the OpenSSL documentation, the cipher strength options provided within 2X Remote Application Server are as follows:

  • Low - "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.
  • Medium - "medium" encryption cipher suites, currently some of those using 128 bit encryption.
  • High - "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

A Custom Cipher String may also be entered, which allows the administrator to specify an exact Cipher String as per their requirements for added security.

To view the strength configured (Low, Medium or High) and to confirm whether a custom Cipher String is in effect, check the Information Pane > Site Information tab, which shows the current configuration.

A Cipher String can be constructed by concatenating different Cipher parameters from the list in the OpenSSL ciphers documentation (linked in the Notes). For example, the Cipher String !SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:@SPEED has the following parameters defined:

Parameter   Definition
!SSLv2      Do not use SSL version 2
ALL         Use all SSL ciphers in the default SSL stack
!DH         Do not use DH ciphers
!ADH        Do not use ADH ciphers
!EDH        Do not use EDH ciphers
!MD5        Do not use MD5 ciphers
!EXPORT     Do not use EXPORT grade (weak) ciphers
@SPEED      Order the cipher preference by speed
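
The rule syntax behind the string above, as an added example that is not part of the original article or of 2X's product: the Python below splits a cipher string into its rules following the OpenSSL cipher list format and reports which keywords from a review checklist the string does not exclude by name. The function names and the checklist are assumptions made for this example.

```python
import re

# Prefix operators from the OpenSSL cipher list format.
PREFIXES = {"!": "exclude_permanently", "-": "remove", "+": "move_to_end"}

# Assumption: a review checklist picked for this example, using keywords
# from the OpenSSL ciphers documentation; adjust it to local policy.
CHECKLIST = ["SSLv2", "EXPORT", "MD5", "aNULL", "LOW", "RC4"]


def parse_cipher_string(cipher_string):
    """Return the rules of a cipher string as (action, selectors) tuples."""
    rules = []
    # Items may be separated by colons, commas or spaces.
    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if not item:
            continue
        if item.startswith("@"):
            # Not a selector: an ordering directive such as the page's @SPEED.
            rules.append(("directive", [item[1:]]))
        elif item[0] in PREFIXES:
            # "A+B" after the prefix selects suites matching both A and B.
            rules.append((PREFIXES[item[0]], item[1:].split("+")))
        else:
            rules.append(("add", item.split("+")))
    return rules


def not_excluded(cipher_string, checklist=CHECKLIST):
    """List checklist keywords that no "!" rule removes on its own.

    Literal matching only: aliases are not expanded, so "!ADH" does not
    count as "!aNULL". Only "!" is permanent; "-" can be undone later.
    """
    banned = {
        selectors[0]
        for action, selectors in parse_cipher_string(cipher_string)
        if action == "exclude_permanently" and len(selectors) == 1
    }
    return [keyword for keyword in checklist if keyword not in banned]


# The cipher string from the article.
ARTICLE_STRING = "!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:@SPEED"

if __name__ == "__main__":
    for action, selectors in parse_cipher_string(ARTICLE_STRING):
        print(f"{action:20} {'+'.join(selectors)}")
    print("not excluded:", not_excluded(ARTICLE_STRING))
```

For the article's string the check reports aNULL, LOW and RC4, which are keywords to review against the gateway's policy when a custom string starts from ALL.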

Notes:

  • All documentation regarding Ciphers and their possible configurations may be found here: https://www.openssl.org/docs/apps/ciphers.html
  • As of v14.1, the pre-defined Ciphers will also be visible in the 2X Secure Client Gateway Properties