
SSL/TLS MAC increase

ssl tls mac sha256 sha1

2 replies to this topic

#1 sean farrell


Posted 17 November 2014 - 12:15 PM

Hello Cudatellers,

 

This is an enhancement request to improve the message authentication cipher for SSL/TLS certificates that are installed on the Cudatel.

 

Currently, my MAC is a weak sha1.

 

Take a look at this handy cipher generator.

 

http://geoff.greer.fm/ciphersuite/

 

Thanks for the consideration!

 

Best,

Sean



#2 Shem Sargent


Posted 20 November 2014 - 05:40 PM

Hi Sean,

 

Since the POODLE fiasco last month, I have been using https://www.ssllabs.com/ssltest/analyze.html (also linked at the bottom of the page you linked to in the OP) to check my sites including my Cudatel. I went through a couple of firmware updates to try to mitigate the issue. I am currently at 3.0.004.015. This version still did not completely disable SSL 2.0 and 3.0. I submitted a support request and they manually changed the settings on my system to turn those ciphers off completely. I now have the following ciphers on my Cudatel as reported by SSL Labs:

 

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
 
The support engineer stated that they expect to upgrade the Apache server used internally in the Cudatel firmware to a newer version that will enable support for Forward Secrecy.
 
I'm not sure if this covers your issue, but you may be able to get what you need from support without waiting for a feature enhancement.
 
Shem
 
Update: I noticed elsewhere in the forums that 3.0.004.016 apparently disables SSL 2.0/3.0.
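
An added example, not part of either poster's message and not Cudatel or SSL Labs code: a small Python classifier run over the suite names quoted in the post above, showing which ones use an HMAC-SHA1 record MAC, which are AEAD, and which offer forward secrecy. The helper names `analyze` and `summarize` are hypothetical, and the parser assumes names of the form `TLS_<kx>_WITH_<cipher>_<hash>`.

```python
import re

# Suite names exactly as quoted from the SSL Labs report in the post above.
REPORTED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<digest>SHA(?:256|384)?|MD5)$"
)

def analyze(name):
    """Split one suite name into the properties discussed in the thread."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name!r}")
    kx, cipher, digest = m.group("kx", "cipher", "digest")
    aead = cipher.endswith(("_GCM", "_POLY1305"))
    return {
        "name": name,
        # Only ephemeral (EC)DH key exchange provides forward secrecy.
        "forward_secrecy": kx.split("_")[0] in ("DHE", "ECDHE"),
        "aead": aead,
        # AEAD suites have no separate HMAC; their trailing hash is the PRF hash.
        # A bare "SHA" suffix means SHA-1.
        "mac": None if aead else ("SHA1" if digest == "SHA" else digest),
    }

def summarize(names):
    """Group suite names by the properties that matter for this request."""
    rows = [analyze(n) for n in names]
    pick = lambda pred: [r["name"] for r in rows if pred(r)]
    return {
        "total": len(rows),
        "forward_secrecy": pick(lambda r: r["forward_secrecy"]),
        "sha1_mac": pick(lambda r: r["mac"] == "SHA1"),
        "sha256_mac": pick(lambda r: r["mac"] == "SHA256"),
        "aead": pick(lambda r: r["aead"]),
    }

if __name__ == "__main__":
    for key, value in summarize(REPORTED).items():
        print(key, value)
```
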


#3 sean farrell


Posted 24 November 2014 - 07:08 PM

Hi Shem,

 

Yes, I'm looking forward to FS in the near future and better cipher arrangements.

 

Thanks,

Sean