How can I disable TLS_RSA_WITH_AES_128_CBC_SHA without disabling others as well?

1
votes

I'm trying to narrow down the allowed SSL ciphers for a java application. In the java.security file, I am using:

jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, 3DES_EDE_CBC, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256

Which produces the following allowed ciphers:

Will-Adams-MacBook-Air:~ Looker$ nmap -script ssl-enum-ciphers -p 9999 <AWS INSTANCE>.compute.amazonaws.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-06 14:23 PDT
Nmap scan report for <AWS INSTANCE>.compute.amazonaws.com
Host is up (0.079s latency).

PORT     STATE SERVICE
9999/tcp open  abyss
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Weak certificate signature: SHA1
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds

Great! I'm almost there. I want to also disallow TLS_RSA_WITH_AES_128_CBC_SHA but adding it to the jdk.tls.disabledAlgorithms disables everything:

Will-Adams-MacBook-Air:~ Looker$ nmap -script ssl-enum-ciphers -p 9999 <AWS INSTANCE>.compute.amazonaws.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-06 14:28 PDT
Nmap scan report for <AWS INSTANCE>.compute.amazonaws.com 
Host is up (0.079s latency).

PORT     STATE SERVICE
9999/tcp open  abyss

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds

Why is this? Is there a way for me to disable TLS_RSA_WITH_AES_128_CBC_SHA without also disabling TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384?

3
javasslencryption

3 Answers

1
votes

Starting from java 1.8.0_141 just adding SHA1 jdkCA & usage TLSServer to jdk.certpath.disabledAlgorithms should work.

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 jdkCA & usage TLSServer

Alternatively, just adding SHA1 to jdk.tls.disabledAlgorithms should also work

jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 4096

You did not specified your JVM version, so let me know it this works for you please.

1
votes

Works for me to delete only that specific suite (as you wish) in Oracle 8u131 on Windows -- I don't have Mac, but JSSE is pure Java and should be the same on all platforms. SHA1 or HmacSHA1 to delete all Hmac-SHA1 suites also works for me. I think, but can't easily check, that lone SHA1 in jdk.tls.disabled will also affect signatures and certs, which may not be desirable; certs are probably better handled by jdk.certpath.disabled instead.

The properties-file format is more complicated than it looks, and sometimes fragile. Make sure your edits are exactly as you posted -- especially no missing, added, or moved comma(s), no backslash or quotes, and no invisible characters like bidi or nbsp. You can put the line(s) you want to change in a separate file designated by sysprop jdk.security.properties (which can be set with -D on the commandline, unlike the other properties in java.security), to make it easier to edit and examine exactly.

Those said, if you (or someone) thinks this is increasing security, you're heading in the wrong direction. Though your nmap doesn't show it, removing RC4 from the jdk.tls.disabled value should enable RC4 suites and does on my system(s), and that's much more dangerous than any AES128 or HmacSHA1 suite ever. RSA-1024 is maybe billions of times worse, and so is DH-1024 (especially hardcoded/shared DH-1024 as JSSE uses) if you can find any client that doesn't prefer ECDHE (where P-256 is okay -- unless you are a tinfoil-hatter in which case it is even worse). And as nmap told you, a cert signed with SHA1 is awful -- unless it is your root or anchor (so the signature doesn't actually matter for security), or at least a totally private CA that will always and forever only accept requests from people thoroughly known to be good and competent and never make mistakes.

0
votes

Just add cipher suites to jdk.tls.disabledAlgorithms to disable it. Like

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH, DHE, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, RSA keySize < 512, DESede, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_128_CBC_SHA