Overview
The RC4 cipher has known vulnerabilities, so you may need to disable it.
Disabling Exinda's use of the RC4 cipher for HTTPS management of the device requires access to restricted commands. Please contact Exinda Support to obtain a temporary license.
Solution
- Log in to the Exinda CLI via SSH using PuTTY or Terminal.
- Enter the shell and remount the partitions:
en _shell remountrw
Note: you might be prompted for a license key. Enter the license provided by Exinda support.
- Using the Vim editor, open the
/opt/tms/lib/md/templates/httpd.conf
file.
- In the template file change:
@SSLComment@SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
To:
@SSLComment@SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
Tip: in the Vim editor, press i to enter insert mode, and type :wq to write the changes and quit when editing is done.
- Open and edit the
/var/opt/tms/output/httpd.conf
file.
Change:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
To:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
- Restart httpd
cli pm process httpd restart
Testing
To confirm, you can install Nmap and scan the Exinda appliance to see which ciphers are available:
nmap --script ssl-cert,ssl-enum-ciphers -p 443 <IP address of exinda>
Check the output for RC4; there should be none.
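
To automate that check, the following added example (not part of the original article or of Exinda's tooling) reads the normal text output of the ssl-enum-ciphers script and lists any RC4 suite per protocol. The function name rc4_suites and both sample scan outputs are constructed for illustration.

```shell
#!/bin/sh
# Usage: nmap --script ssl-enum-ciphers -p 443 <IP address of exinda> | rc4_suites
# Prints "<protocol> <suite>" for every RC4 suite the server offers.
# Exit status: 0 = no RC4 offered, 1 = at least one RC4 suite offered.
rc4_suites() {
    awk '
        {
            line = $0
            sub(/^[|]_?[ ]*/, "", line)   # drop the "|" or "|_" script-output prefix
        }
        # Protocol header, e.g. "TLSv1.2:" or "SSLv3:"
        line ~ /^(SSLv|TLSv)[0-9.]+:$/ { proto = substr(line, 1, length(line) - 1); next }
        # Inside a protocol section the first field of a suite line is its name
        proto != "" {
            split(line, f, " ")
            if (f[1] ~ /RC4/) { print proto, f[1]; found = 1 }
        }
        END { exit found + 0 }
    '
}

# Constructed sample: scan output before the cipher string is changed.
SAMPLE_BEFORE='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C'

# Constructed sample: scan output after the change and the httpd restart.
SAMPLE_AFTER='443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A'

printf '%s\n' "$SAMPLE_BEFORE" | rc4_suites || echo "RC4 still offered"
printf '%s\n' "$SAMPLE_AFTER" | rc4_suites && echo "no RC4 suites offered"
```

Because the function returns a non-zero status when RC4 is still offered, it can gate a post-change verification script.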