Overview

RC4 cipher has known vulnerabilities and it might be needed to have it disabled.

Disabling Exinda's use of RC4 cipher for HTTPS management of the device requires access to restricted commands. Please contact Exinda Support to obtain a temporary license.

Solution

1. Login to Exinda CLI via SSH using Putty or Terminal.
2. Enter the shell and remount the partitions:
   

       en
       _shell
       remountrw

   
   
   

   Note: you might be prompted for a license key. Enter the license provided by Exinda support.

3. Using Vim editor open /opt/tms/lib/md/templates/httpd.conf file.
4. In the template file change:
   

       @SSLComment@SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

   
   To:
   

       @SSLComment@SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

   Tip: in Vim editor use i letter (to insert symbols) and :wq (to write changes and quit after editing is done).

5. Open and edit the /var/opt/tms/output/httpd.conf file.
   Change:
   

       SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

   
   To:
   

       SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

6. Restart httpd
   

       cli
       pm process httpd restart

Testing

To confirm, you can install a Nmap to scan the Exinda to see which ciphers are available:

  nmap --script ssl-cert,ssl-enum-ciphers -p 443 <IP address of exinda>

Check for RC4 in the output, there should be none.