Code42 Support

Disable older protocols and cipher suites

Available in:

Standard, Premium, Enterprise
Small Business
Overview

This article describes how to disable older Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and cipher suites that have known security vulnerabilities. Blacklisting specific protocols and cipher suites makes your Code42 environment more secure against attacks designed to exploit these vulnerabilities.

Background

SSL, and its successor TLS, are protocols used to secure data transfer between clients and servers by means of encryption and authentication. These protocols use cipher suites to provide encryption for secure connection and data transport.

However, even if you are using TLS, you still must be careful to use only secure cipher suites. Older cipher suites may allow attacks on data in transit. You can issue commands in the Code42 command line interface (CLI) to disable not only specific protocols but also specific cipher suites.

Considerations

To utilize the approved protocols and cipher suites in your Code42 environment, we recommend you stay up-to-date on our Code42 software versions. The default exclusions of protocols and cipher suites in Code42 software provide you adequate security. However, you can disable additional older protocols and cipher suites to strengthen security as needed. Be advised that Code42 may add additional exclusions in future versions that may differ from what you set.

Protocols

By default, protocols SSL 3.0 and SSL 2.0 are disabled, depending on your specific version of Code42 software. Use the prop.show c42.https.exclude.protocols command to see the disabled protocols.

To make your Code42 environment more secure, consider disabling the following protocols:

  • SSL 2.0
  • SSL 3.0
  • TLS 1.0
  • TLS 1.1

Cipher suites

By default, a large set of cipher suites is disabled in Code42 software. Use the prop.show c42.https.exclude.ciphers command to see the disabled cipher suites.

To make your Code42 environment more secure, consider disabling cipher suites that use the following:

  • MD5
  • SHA1
  • Null, export grade, or otherwise weak ciphers (weaker than AES-128)

Before you begin

We recommend you run an analysis against a web site you deem to be secure to find out the protocols and cipher suites that it uses. This may help you determine the protocols and cipher suites to allow or to exclude in your Code42 environment.

There are numerous tools you can use to list the SSL and TLS cipher suites a particular web site offers. SSL Labs provides such a tool. After you perform steps in the following sections to disable specific protocols and cipher suites in your Code42 environment, you can use this same kind of analysis to verify that your Code42 environment uses only those protocols and cipher suites that you specified.

Step 1: Disable protocols

  1. Sign in to the administration console.

  2. Double-click the logo in the upper-left corner of the administration console.
    The command-line interface appears in the administration console.
  3. To verify the current protocols exclusion setting in your Code42 environment, enter the following prop.show command:

prop.show c42.https.exclude.protocols

The default list of excluded protocols is shown, for example:

c42.https.exclude.protocols SSLv3,SSLv2

  4. To set the list of protocols to exclude, enter the following prop.set command:

prop.set c42.https.exclude.protocols "<protocols>" save all

Replace <protocols> with a comma-separated list of protocols that you no longer want to allow for communication with the Code42 environment, for example:

prop.set c42.https.exclude.protocols "SSLv2,SSLv3,TLSv1,TLSv1.1" save all

  5. To verify the new protocols settings in your Code42 environment, enter the prop.show c42.https.exclude.protocols command.
  6. (Optional) To verify that the protocol exclusion works as expected, run an analysis on your Code42 environment of the protocols and cipher suites in use.

Step 2: Disable cipher suites

  1. In the administration console, double-click the logo in the upper-left corner.
    The command-line interface appears in the administration console.
  2. To verify the current cipher suites exclusion setting in your Code42 environment, enter the following prop.show command:

prop.show c42.https.exclude.ciphers

The default list of excluded ciphers is shown, for example:

c42.https.exclude.ciphers SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 

We recommend you copy this default list of excluded ciphers so you can add to it when you create your new exclusion list.

  3. To set the list of ciphers to exclude, enter the following prop.set command:

prop.set c42.https.exclude.ciphers "<cipher suites>" save all

Replace <cipher suites> with a comma-separated list of cipher suites that you no longer want to allow for communication encryption within the Code42 environment. We recommend you start with the default set of ciphers obtained in the previous step and then add additional ciphers to it.

  4. To verify the new cipher settings in your Code42 environment, enter the prop.show c42.https.exclude.ciphers command.
  5. Verify that the cipher exclusion works as expected by running an analysis on your Code42 server of the protocols and cipher suites in use.
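
The merge recommended above (start from the current exclusion list, then add to it) can be scripted so that no existing entry is dropped or duplicated. The following Python is an added example, not Code42 code: it parses a line of prop.show output, appends any still-offered suite that matches the criteria listed under "Cipher suites", and prints the prop.set command. The function names, the sample inputs and the reading of "weaker than AES-128" as RC4, DES and 3DES are assumptions of this example.

```python
import re

PROP = "c42.https.exclude.ciphers"
NAME_RE = re.compile(r"[A-Z0-9_]+")  # keeps quotes/spaces out of the command

# Constructed sample of `prop.show` output (shortened from the article's list).
SAMPLE_SHOW = (PROP + " SSL_RSA_WITH_RC4_128_MD5,"
               "SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA ")
# Constructed list of suites an analysis reported the server still offers.
SAMPLE_OFFERED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

def parse_show(output):
    """Return the ordered suite list from one line of prop.show output."""
    parts = output.split(None, 1)
    if not parts or parts[0] != PROP:
        raise ValueError("not a %s line" % PROP)
    value = parts[1] if len(parts) > 1 else ""
    return [s.strip() for s in value.split(",") if s.strip()]

def weakness(suite):
    """Why a suite meets the article's criteria, or None if it does not."""
    _, sep, rest = suite.partition("_WITH_")
    if not sep:
        return None  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value
    if rest.endswith("_MD5"):
        return "MD5"
    if rest.endswith("_SHA"):  # bare _SHA means SHA-1; _SHA256/_SHA384 do not match
        return "SHA1"
    if re.search(r"NULL|EXPORT|RC4|DES", suite):  # assumed reading of "weaker than AES-128"
        return "null/export/weak cipher"
    return None

def build_command(show_output, offered):
    """Append weak offered suites to the current exclusions; return (command, added)."""
    merged, added = parse_show(show_output), {}
    for suite in offered:
        if not NAME_RE.fullmatch(suite):
            raise ValueError("malformed suite name: %r" % suite)
        reason = weakness(suite)
        if reason and suite not in merged:
            merged.append(suite)
            added[suite] = reason
    return 'prop.set %s "%s" save all' % (PROP, ",".join(merged)), added

if __name__ == "__main__":
    command, added = build_command(SAMPLE_SHOW, SAMPLE_OFFERED)
    for suite, reason in added.items():
        print("adding %s (%s)" % (suite, reason))
    print(command)
```

Review the suites reported as added before entering the command, and confirm after the change that your clients can still negotiate one of the suites left enabled.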

Example cipher exclusion list

Following is the default list of cipher suites that are disabled in a Code42 environment:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA