12-14-2015
Unfortunately nobody can understand what your security dept requires from you. As for me, it seems that they don't even understand what they want. You have to speak with them and make clear:
1. There is no single point in a UNIX operating system where you can enable or disable a cipher. Every application can implement its own cipher and you have no control over it.
2. There are at least 2 "cipher libraries" - IBM's GSKit and OpenSSL. OpenSSL can be IBM-compiled, Perzl-compiled, Michael Felt-compiled, Bull-compiled, and own-compiled. As far as I remember, Michael Felt also has LibreSSL for AIX, but he knows it better and he is sometimes here. This is the 3rd "cipher library" which can be used.
3. There are some places, even in AIX, which have nothing in common with these libraries. E.g. password hashing is implemented using so-called Loadable Password Algorithm (LPA) modules. AIX has modules for MD5, SHA1, SHA256, SHA512, Blowfish. If somebody requires some other module, they have to develop it on their own.
4. There is 3rd-party software which has its own cipher modules and doesn't depend on libraries. The best example is OpenSSH. You can have IBM-compiled OpenSSH, or Michael's compiled OpenSSH. You can also have some other SSH-based servers and clients, e.g. Tectia SSH server. And you're right when you speak about Java: it has its own SSL implementation.
Just to make it easy: you are not the only one who receives such stupid requirements from people who think they are "security professionals" and who read yesterday, for the first time in their lives, about POODLE or some other bug in OpenSSL. Your duty as a professional system administrator is to speak with them and make clear to them that their requirements are too inaccurate and cannot be implemented without additional information.
SSL_CTX_set_cipher_list(3SSL) OpenSSL SSL_CTX_set_cipher_list(3SSL)
NAME
SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs
SYNOPSIS
#include <openssl/ssl.h>
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
int SSL_set_cipher_list(SSL *ssl, const char *str);
DESCRIPTION
SSL_CTX_set_cipher_list() sets the list of available ciphers for ctx using the control string str. The format of the string is described in ciphers(1). The list of ciphers is inherited by all ssl objects created from ctx.
SSL_set_cipher_list() sets the list of ciphers only for ssl.
NOTES
The control string str should be universally usable and not depend on details of the library configuration (ciphers compiled in). Thus no syntax checking takes place. Items that are not recognized, because the corresponding ciphers are not compiled in or because they are mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all.
It should be noted that inclusion of a cipher to be used into the list is a necessary condition. On the client side, the inclusion into the list is also sufficient. On the server side, additional restrictions apply. All ciphers have additional requirements. ADH ciphers don't need a certificate, but DH-parameters must have been set. All other ciphers need a corresponding certificate and key.
An RSA cipher can only be chosen when an RSA certificate is available. RSA export ciphers with a keylength of 512 bits for the RSA key require a temporary 512-bit RSA key, as typically the supplied key has a length of 1024 bits (see SSL_CTX_set_tmp_rsa_callback(3)). RSA ciphers using EDH need a certificate and key and additional DH-parameters (see SSL_CTX_set_tmp_dh_callback(3)).
A DSA cipher can only be chosen when a DSA certificate is available. DSA ciphers always use DH key exchange and therefore need DH-parameters (see SSL_CTX_set_tmp_dh_callback(3)).
When these conditions are not met for any cipher in the list (e.g. a client only supports export RSA ciphers with an asymmetric key length of 512 bits and the server is not configured to use temporary RSA keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated and the handshake will fail.
RETURN VALUES
SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher could be selected and 0 on complete failure.
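As an added illustration (not part of the man page or of the forum post), the following Python uses ssl.SSLContext.set_ciphers(), which is a thin wrapper around SSL_CTX_set_cipher_list(), to show the "unrecognized items are simply ignored, failure only on an empty result" rule, and the verification step an administrator asked to "disable a cipher" should run afterwards instead of trusting the return value. The cipher strings, the placeholder name NOSUCHCIPHER and the forbidden-substring policy are constructed for this example.

```python
import ssl


def selected_ciphers(cipher_string):
    """Apply an OpenSSL cipher-list string to a fresh context and return the
    names of the suites that were actually selected.

    SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), so it keeps the
    man page's semantics: items that are mistyped or not compiled in are
    silently dropped, and only an empty selection makes OpenSSL return 0,
    which Python surfaces as ssl.SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are governed by a separate call (SSL_CTX_set_ciphersuites)
    # and are listed regardless of cipher_string, so leave them out to see
    # exactly what the control string selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_policy(cipher_string, forbidden):
    """Return (ok, offenders) for a cipher string against a list of forbidden
    substrings (e.g. "RC4", "DES"). ok is False if any selected suite name
    contains a forbidden substring, or if nothing could be selected at all.
    This is the check the return value of set_cipher_list() does not give you.
    """
    try:
        names = selected_ciphers(cipher_string)
    except ssl.SSLError:
        return False, ["<no cipher could be selected>"]
    offenders = [n for n in names if any(f in n for f in forbidden)]
    return (not offenders), offenders


if __name__ == "__main__":
    # A mistyped entry (NOSUCHCIPHER is a constructed placeholder) is dropped
    # without error; only the real suite survives.
    print(selected_ciphers("ECDHE-RSA-AES128-GCM-SHA256:NOSUCHCIPHER"))
    # A string made only of unknown items is the "complete failure" case.
    print(check_policy("NOSUCHCIPHER", ["RC4"]))
    # Excluding RC4 and 3DES from HIGH, then verifying nothing slipped through.
    print(check_policy("HIGH:!RC4:!3DES:!aNULL", ["RC4", "DES", "NULL"]))
```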
SEE ALSO
ssl(3), SSL_get_ciphers(3), SSL_CTX_use_certificate(3), SSL_CTX_set_tmp_rsa_callback(3), SSL_CTX_set_tmp_dh_callback(3), ciphers(1)
1.0.1e 2013-02-11 SSL_CTX_set_cipher_list(3SSL)