Overview
To disable the Exinda's use of RC4 cipher for HTTPS management of the device, please contact Exinda Support. This process requires access to restricted commands.Internal Notes
RC4 cipher has known vulnerabilities and some customers would prefer to have it disabled. Here are the instructions:Enter shell, run:
remountrw
Then edit the following files:
/opt/tms/lib/md/templates/httpd.conf
/var/opt/tms/output/httpd.conf
In the template file change:
@SSLComment@SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
To:
@SSLComment@SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
In the output file, change:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
To:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
Then restart httpd from cli - pm process httpd restart.
To confirm, you can install an nmap binary on Windows to scan the Exinda to see what ciphers are available:
nmap --script ssl-cert,ssl-enum-ciphers -p 443 <address of exinda>
Check for RC4 in the output, there should be none.