Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to disable insecure protocols?
Operating Systems AIX How to disable insecure protocols? Post 302962438 by agent.kgb on Monday 14th of December 2015 04:49:14 PM
Old 12-14-2015
Unfortunately nobody can understand what your security dept requires from you. As for me it seems that they even don't understand what they want. You have to speak with them and make clear:

1. There is no single point in a UNIX operating system, where you can enable or disable a cipher. Every application can implement its own cipher and you have no control over it.

2. There are at least 2 "cipher libraries" - IBM's GSKit and OpenSSL. OpenSSL can be IBM-compiled, Perzl-compiled, Michael Felt-compiled, Bull-compiled, and own-compiled. As far as I remember, Michael Felt also has LibreSSL for AIX, but he knows it better and he is sometimes here. This is the 3rd "cipher library", which can be used.

3. There are some places, even in AIX, which have nothing common with these libraries. E.g. password hashing is implemented using so called Loadable Password Algorithm (LPA) modules. AIX has modules for MD5, SHA1, SHA256, SHA512, Blowfish. If somebody requires some other module, they have to develop it on their own.

4. There is 3rd party software, which has their own cipher modules, and doesn't depend on libraries. The best example is OpenSSH. You can have IBM-compiled OpenSSH, or Michael's compiled OpenSSH. You can also have some other SSH-based servers and clients, e.g. Tectia SSH server. And you're right, when you speak about Java - it has its own SSL implementation.

Just to make it easy - you are not the only one, who receives such stupid requirements from people thinking they are "security professionals" and who've read yesterday for the first time in the lifes about POODLE or some other bug in OpenSSL. Your duty as a professional system administrator is to speak with them and make them clear that their requirements too inaccurate and cannot be implemented without additional information.
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

network protocols

Which network protocol is used by UNIX systems to make remote file systems appear as if they are local? (2 Replies)
Discussion started by: OLLERTON
2 Replies

2. UNIX for Dummies Questions & Answers

Protocols

What protocol would be the best to use on a network with nt and unix servers and windows me clients? Can SMB protocol be used to implement large networks? What protocol can be used to make remote file systems appear as if they are local? Quite a few questions I know, any help would be... (1 Reply)
Discussion started by: jnash
1 Replies

3. UNIX for Advanced & Expert Users

More command insecure

The more command allows a user to invoke shell. If it is run using the sudo command this will give a user a possibility to run whatever he wants with root's privilegies. Does anybody know about a command with the same abilities that more but without escape to shell? (2 Replies)
Discussion started by: odashe
2 Replies

4. IP Networking

define IP protocols on network

what method would I use to determine which IP protocols network (0 Replies)
Discussion started by: mar mar
0 Replies

5. Cybersecurity

Netfilter conntracking for P2P protocols (edonkey, bittorent...)

Hi everyone, I would like to allow multi users to access P2P networks, so I wonder if there's a way to tracking these kind of protocols with netfilter, and also compatibility with nat, like the module conntrack_ftp seems to do with the FTP protocol. Thanks guys. (0 Replies)
Discussion started by: nekkro-kvlt
0 Replies

6. Shell Programming and Scripting

How to disable Enable/Disable Tab Key

Hi All, I have bash script, so what is sintax script in bash for Enable and Disable Tab Key. Thanks for your help.:( Thanks, Rico (1 Reply)
Discussion started by: carnegiex
1 Replies

7. IP Networking

what are L2,L3 protocols.

hello forum members, What are L2 and L3 Protocols and can u brief me a bit little ie to gain a basic knowledge. Thanks & Regards Rajkumar g (1 Reply)
Discussion started by: rajkumar_g
1 Replies

8. Red Hat

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise, I have following issue to solve, SSL / TLS Renegotiation DoS (low) 222.225.12.13 Ease of Exploitation Moderate Port 443/tcp Family Miscellaneous Following is the problem description:------------------ Description The remote service encrypts traffic using TLS / SSL and... (2 Replies)
Discussion started by: manalisharmabe
2 Replies

LEARN ABOUT DEBIAN

ssl_ctx_set_cipher_list

SSL_CTX_set_cipher_list(3SSL)					      OpenSSL					     SSL_CTX_set_cipher_list(3SSL)

NAME

       SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs

SYNOPSIS

	#include <openssl/ssl.h>

	int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
	int SSL_set_cipher_list(SSL *ssl, const char *str);

DESCRIPTION

       SSL_CTX_set_cipher_list() sets the list of available ciphers for ctx using the control string str. The format of the string is described in
       ciphers(1). The list of ciphers is inherited by all ssl objects created from ctx.

       SSL_set_cipher_list() sets the list of ciphers only for ssl.

NOTES

       The control string str should be universally usable and not depend on details of the library configuration (ciphers compiled in). Thus no
       syntax checking takes place. Items that are not recognized, because the corresponding ciphers are not compiled in or because they are
       mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all.

       It should be noted, that inclusion of a cipher to be used into the list is a necessary condition. On the client side, the inclusion into
       the list is also sufficient. On the server side, additional restrictions apply. All ciphers have additional requirements. ADH ciphers don't
       need a certificate, but DH-parameters must have been set. All other ciphers need a corresponding certificate and key.

       A RSA cipher can only be chosen, when a RSA certificate is available.  RSA export ciphers with a keylength of 512 bits for the RSA key
       require a temporary 512 bit RSA key, as typically the supplied key has a length of 1024 bit (see SSL_CTX_set_tmp_rsa_callback(3)).  RSA
       ciphers using EDH need a certificate and key and additional DH-parameters (see SSL_CTX_set_tmp_dh_callback(3)).

       A DSA cipher can only be chosen, when a DSA certificate is available.  DSA ciphers always use DH key exchange and therefore need DH-
       parameters (see SSL_CTX_set_tmp_dh_callback(3)).

       When these conditions are not met for any cipher in the list (e.g. a client only supports export RSA ciphers with a asymmetric key length
       of 512 bits and the server is not configured to use temporary RSA keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
       and the handshake will fail.

RETURN VALUES

       SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher could be selected and 0 on complete failure.

SEE ALSO

       ssl(3), SSL_get_ciphers(3), SSL_CTX_use_certificate(3), SSL_CTX_set_tmp_rsa_callback(3), SSL_CTX_set_tmp_dh_callback(3), ciphers(1)

1.0.1e								    2013-02-11					     SSL_CTX_set_cipher_list(3SSL)
All times are GMT -4. The time now is 12:40 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy