Disable weak SSL #102
Comments
Hello. Thanks for reporting this issue. I'm happy to help out here, but can you clarify what target (and port) you are scanning? Is this the Linux agent?
Hi, this is popping up on port 1270, which I believe is this agent.
[centos@hfd-cr-pweb1 ~]$ sudo netstat -tlupn|grep 1270
Thanks,
@rubeon That's very strange. I would not expect port 1270 to be exposed unless the Operations Manager client was previously installed on this machine. If you edit file
Also, if you are using Operations Manager and require TCP port 1270, you can control ciphers and SSLv3 behavior in the omiserver.conf file. NoSSLV3 is a Boolean property to toggle SSLv3 support and sslciphersuite= allows you to specify a standard OpenSSL cipher suite list (like you would for Apache's mod_ssl).
Looks like this gets installed by the diagnostics extension in Azure. If Azure doesn't need this to be listening on port 1270, it should probably be disabled by default. Thanks
The intent, when Azure installs the diagnostic extension, is that it is NOT listening on port 1270. Thanks for raising this issue, I'll bring it up with the Azure folks.
I have committed the above fix, although the Azure team has opted to edit omiserver.conf themselves to not expose the port. This problem should be fixed in an upcoming Azure agent release.
I want to disable DES and 3DES in sslCipherSuite in omiserver for port 1270, but it is not happening. I think I didn't get the proper syntax that is used in omiserver.conf. Can anyone help me?
The syntax for
When I use the following for port 1270 in omiserver.conf:
SSLCipherSuite !DES:!3DES
and restart omiserver, it restarts without a process ID. After that, a test
for DES and 3DES throws an error like this:
Connection Refused
ErrorConnection111
When I remove SSLCipherSuite from omiserver.conf, it works.
So please can you tell me: are changes needed only in the omiserver.conf file, or in any other
file?
The same issue has been resolved for port 443 by a change in the ssl.conf file,
simply adding SSLCipherSuite, but in omiserver.conf it's not happening.
Thanks
…On 13-Jan-2018 03:01, "Jeff Coffler" ***@***.***> wrote:
The syntax for sslCipherSuite is identical to what the Apache HTTPD Server
<https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html> uses.
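An added example, not from the thread or the OMI project: because `sslciphersuite` takes a standard OpenSSL cipher list, a candidate value can be expanded with the local OpenSSL build before it goes into omiserver.conf and checked against the cipher families raised in this issue. The `CANDIDATE` string and the NULL/EXPORT tokens are assumptions, and the expansion depends on the installed OpenSSL version; a list made only of exclusions, such as `!DES:!3DES`, selects no suites at all.

```python
import re
import ssl

# Families raised in this thread: the scanner flagged RC4, IDEA and MD5 suites,
# and a commenter wants DES/3DES gone. NULL and EXPORT are added as an assumption.
WEAK_TOKENS = {"RC4", "IDEA", "DES", "3DES", "MD5", "NULL", "EXP", "EXPORT"}

# Constructed sample: suite names as they appear in the scanner finding.
SCANNER_FINDINGS = [
    "TLS_RSA_WITH_IDEA_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Assumed candidate value, not a setting recommended by the OMI project.
CANDIDATE = "HIGH:!aNULL:!eNULL:!3DES:!RC4:!IDEA:!MD5"


def weak_suites(names):
    """Return the suite names (OpenSSL or IANA style) that use a weak family."""
    return [n for n in names if set(re.split(r"[-_]", n.upper())) & WEAK_TOKENS]


def expand(cipher_string):
    """Expand an OpenSSL cipher list using the local OpenSSL build.

    Only TLS 1.2-and-older suites are returned, because OpenSSL configures
    TLS 1.3 suites separately from this list. An empty result means the list
    selects nothing, e.g. when it holds only exclusions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # OpenSSL: no cipher could be selected
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise a candidate value before it goes into the server config."""
    names = expand(cipher_string)
    return {"selected": len(names), "weak": weak_suites(names)}


if __name__ == "__main__":
    print("scanner findings flagged:", weak_suites(SCANNER_FINDINGS))
    for value in ("!DES:!3DES", CANDIDATE):
        print(value, "->", audit(value))
```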
Your message isn't clear to me at all, sorry:
Finally, this repository isn't really the proper repository for OMI issues. Please open a new issue (with all questions above clearly addressed) to the OMI repository. That way, all of the OMI developers can chip in. I just happen to monitor the OMS issues, but OMS isn't the project I work on. Thanks for your understanding.
Hi, guys
Can the SSL configuration for OMS's network traffic be hardened without negatively affecting Azure's infrastructure communications? At the moment, it sets off vulnerability scanners with the following:
Negotiated with the following insecure cipher suites:
SSL 3.0 ciphers: TLS_RSA_WITH_IDEA_CBC_SHA
TLS 1.0 ciphers: TLS_RSA_WITH_IDEA_CBC_SHA
TLS 1.1 ciphers: TLS_RSA_WITH_IDEA_CBC_SHA
TLS 1.2 ciphers: TLS_RSA_WITH_IDEA_CBC_SHA
Negotiated with the following insecure cipher suites:
SSL 3.0 ciphers: TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA
TLS 1.0 ciphers: TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA
TLS 1.1 ciphers: TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA
TLS 1.2 ciphers: TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA
Would it be possible to follow better security practices and disable weak ciphers?