Since the disclosure of OpenSSL Heartbleed, penetration testing of servers has become more common. To some scanning software, Intermapper appears to be vulnerable to certain OpenSSL attacks. This document describes the upgrade of OpenSSL support in Intermapper 5.8.2 or later to address vulnerabilities in SSL-based services.
Note: If you make changes to the ssl.conf file, be sure to restart the Intermapper and Intermapper DataCenter services.
Intermapper 5.8.2 uses OpenSSL (v1.0.1j). Because the OpenSSL library is statically linked, introducing newer OpenSSL shared libraries through operating system upgrades does not remediate vulnerabilities. A new version of Intermapper is required.
Intermapper contains three SSL-based servers:
Versions prior to 5.8.2 supported only SSLv3 and TLSv1.0. Through upgrade to OpenSSL v1.0.1, version 5.8.2 adds support for TLSv1.1 and TLSv1.2. Intermapper supports SSLv3 and TLSv1.0 protocols by default. Intermapper's clients request TLSv1.2.
All of Intermapper's SSL-based servers use a single configuration file to control the SSL features supported by your particular Intermapper installation.
Here's what you can control:
These enhancements provide access to newer protocols (TLSv1.1 and TLSv1.2) and a number of new encryption schemes. If TLSv1.1 or TLSv1.2 is enabled, Intermapper's web interfaces (with an appropriate browser) and Python clients for Intermapper DataCenter can take advantage of them. Intermapper's Mac and Windows installers include Java 7, which does not enable TLSv1.1 and TLSv1.2. For this reason, TLSv1.0 was still required for Intermapper's Java clients.
Intermapper started shipping Java 8 with version 6.0. The requirement to include TLSv1.0 was removed in Intermapper 6.2.3 and newer.
An example configuration file named "ssl.conf.example" is installed in the Intermapper_Settings directory.
If available (and readable), all Intermapper servers load "ssl.conf" during startup.
To activate SSL control using the configuration file:
The file contains three elements:
Each requires a value in double-quotes:
Protocols "[configuration string]"
Ciphers "[configuration string]"
Options "[configuration string]"
#
#
# ssl.conf for Intermapper Server and Intermapper DataCenter
#
# The file 'ssl.conf' will be loaded on server startup if it is located in the
# root of the Intermapper_Settings folder.
# It must be readable by the intermapper user.
#
#
# Protocols - select SSL/TLS protocol versions to support.
#
# Valid protocols are:
#   SSLv3    SSL version 3
#   TLSv1.0  TLS version 1.0
#   TLSv1.1  TLS version 1.1
#   TLSv1.2  TLS version 1.2
#   TLSv1    all TLS v1.x
#   ALL      all protocols
#
# This is the default:
# Protocols "ALL"
# To disable SSLv3:
# Protocols "ALL:-SSLv3"
#
# Ciphers - select ciphers to allow.
#
# See CIPHER STRINGS in https://www.openssl.org/docs/apps/ciphers.html
#
# This is the default for Intermapper server:
# Ciphers "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
#
# Options - enable or disable SSL server behaviour
#
# Valid options are:
#   [+|-]ClientInitiatedRenegotiation
#     - allow client-initiated session renegotiation
#   [+|-]CipherServerPreference
#     - use server preferences for choice of cipher
# This is the default:
# Options "+ClientInitiatedRenegotiation:-CipherServerPreference"
Comment lines, beginning with "#", and empty lines are ignored.
Under normal installation conditions, the Intermapper Settings directory will be located at:
Mac: /Library/Application Support/Intermapper Settings
Linux, Unix: /var/local/Intermapper_Settings
Windows: c:\ProgramData\Intermapper\Intermapper Settings
This takes the form of a colon-delimited list of protocols that will be supported by the server, from the following:
A prefix of + or - may be applied to enable or disable a protocol; + is assumed if neither is supplied. For example:
Protocols "ALL:-SSLv3"
This enables support for TLSv1.0, TLSv1.1, TLSv1.2, equivalent to "TLSv1". Another example:
Protocols "ALL:-SSLv3:-TLSv1.0:-TLSv1.1"
This disables support for SSLv3, TLSv1.0 and TLSv1.1, leaving only TLSv1.2, which meets a requirement to use TLS 1.2 exclusively.
The servers will negotiate the highest possible protocol version in common with client support. At least one protocol must be supported, or the servers will resort to default configuration (ALL).
Note that Java-based Intermapper clients such as the Intermapper Console and Intermapper RemoteAccess currently require TLSv1.0 support. Without it, they will fail to connect to the Intermapper server.
This is a colon-delimited list of OpenSSL cipher strings, as described in the sections CIPHER LIST FORMAT and CIPHER STRINGS in the document:
https://www.openssl.org/docs/apps/ciphers.html
The Intermapper server default is:
Ciphers "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
The --ciphers argument to the Intermapper server program can be used to list cipher suites. It is functionally equivalent to the 'openssl ciphers -v' command described in the above document. A cipher list of ALL shows all supported ciphers, DEFAULT shows the Intermapper default (without further configuration), and anything else is interpreted as a cipher list to be decoded.
Here's the full list of cipher suites available at the server:
# /usr/local/bin/intermapperd --ciphers ALL
SSL library: OpenSSL 1.0.1j 15 Oct 2014 (SSLv3,TLSv1.0,TLSv1.1,TLSv1.2)
Showing all available ciphers:
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
SRP-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
This output comes directly from the OpenSSL library. The columns are: cipher suite name, the minimum protocol version for that cipher suite, key exchange (Kx) algorithm, authentication (Au) algorithm, encryption (Enc) algorithm and key size, message authentication (Mac) algorithm, and a final "export" marker when the suite is an export-grade scheme.
You can look at a potential Ciphers configuration by specifying it as a parameter to the --ciphers command-line option. On Mac, Linux and Unix, be sure to use single quotes to enclose the string, as shells will expand exclamation marks:
# /usr/local/bin/intermapperd --ciphers 'RC4:@STRENGTH'
SSL library: OpenSSL 1.0.1j 15 Oct 2014 (SSLv3,TLSv1.0,TLSv1.1,TLSv1.2)
Showing custom cipher list:
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
On Windows, use double-quotes to enclose the string:
C:\>"\Program Files\Intermapper\Intermapper.exe" --ciphers "ALL:!ADH:!AES:!MD5:!DES:!RC4:!CAMELLIA:!CBC3:!PSK:!SRP"
SSL library: OpenSSL 1.0.1j 15 Oct 2014 (SSLv3,TLSv1.0,TLSv1.1,TLSv1.2)
Showing custom cipher list:
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Note that you must configure at least one cipher that is available for your chosen protocol list (i.e. there's no point limiting yourself to ciphers only available with TLSv1.2 if you are not enabling, or will not always connect with, that protocol).
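To make the Protocols rules above (the + and - prefixes, the TLSv1 and ALL aliases, the fallback to ALL when nothing is enabled) and the "at least one usable cipher" check concrete, here is an added Python example. It is not part of Intermapper or this document: the function names, the sample listing (constructed in the line format that intermapperd --ciphers prints) and the warning wording are my own assumptions.

```python
import re

# Protocol versions Intermapper 5.8.2 can enable, lowest to highest.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
ALIASES = {"ALL": VERSIONS, "TLSv1": VERSIONS[1:]}
# One per-suite line of 'intermapperd --ciphers' output: name, minimum version, Kx, Au, Enc, Mac.
CIPHER_LINE = re.compile(
    r"^(\S+)\s+(SSLv[23]|TLSv1\.[012])\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def effective_protocols(protocols_value):
    """Apply a Protocols string such as "ALL:-SSLv3" token by token: '+' or no
    prefix enables, '-' disables. An empty result falls back to ALL, which is
    what the document says the servers do."""
    enabled = set()
    for token in protocols_value.split(":"):
        token = token.strip()
        if not token:
            continue
        name = token.lstrip("+-")
        if name not in VERSIONS and name not in ALIASES:
            raise ValueError("unrecognised protocol token: " + token)
        members = ALIASES.get(name, [name])
        if token.startswith("-"):
            enabled.difference_update(members)
        else:
            enabled.update(members)
    return [v for v in VERSIONS if v in enabled] or list(VERSIONS)

def parse_cipher_listing(text):
    """Parse the per-suite lines of a --ciphers listing; header lines are skipped."""
    fields = ("name", "min_version", "kx", "au", "enc", "mac")
    matches = (CIPHER_LINE.match(line.strip()) for line in text.splitlines())
    return [dict(zip(fields, m.groups())) for m in matches if m]

def usable_suites(suites, protocols):
    """A suite is negotiable only if an enabled protocol is at least its minimum
    version. SSLv2-only entries are never usable: SSLv2 is not supported."""
    highest = VERSIONS.index(protocols[-1])
    return [s["name"] for s in suites
            if s["min_version"] in VERSIONS
            and VERSIONS.index(s["min_version"]) <= highest]

def check_config(protocols_value, cipher_listing):
    """Effective protocols, usable suites, and the warnings the document describes."""
    protocols = effective_protocols(protocols_value)
    usable = usable_suites(parse_cipher_listing(cipher_listing), protocols)
    warnings = []
    if "TLSv1.0" not in protocols:
        warnings.append("TLSv1.0 disabled: Java clients on 6.2.2 and earlier cannot connect")
    if not usable:
        warnings.append("no cipher suite is usable with the enabled protocols")
    return {"protocols": protocols, "usable": usable, "warnings": warnings}

# Constructed sample in the format printed by 'intermapperd --ciphers'.
SAMPLE_LISTING = """Showing custom cipher list:
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

if __name__ == "__main__":
    for cfg in ("ALL:-SSLv3", "ALL:-SSLv3:-TLSv1.0:-TLSv1.1", "-SSLv3"):
        print(cfg, "->", check_config(cfg, SAMPLE_LISTING))
```

Paste the real output of --ciphers into the listing argument to check a candidate Ciphers string against the Protocols you intend to enable before restarting the services.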
This is a colon-delimited list of Intermapper-specific settings.
Two options are currently available:
The defaults are:
Options "+ClientInitiatedRenegotiation:-CipherServerPreference"
Security advice available on the web often describes Apache (mod_ssl) configuration directives to mitigate vulnerabilities. Here we discuss how they map to our ssl.conf settings.
SSLProtocol
Quite similar to Protocols, but note:
SSLCipherSuite
SSLHonorCipherOrder
SSLInsecureRenegotiation
SSLCompression
A few words about some of the new log entries you might see in the various log files.
Warning: SSL protocol configuration does not enable TLSv1.0. Connections from Intermapper clients may fail.
In Intermapper 6.2.2 and earlier, our Java UIs (IM Console and IMRA) require TLSv1.0.
Check that it is not disabled in ssl.conf.
SSL library: OpenSSL 1.0.1j 15 Oct 2014
Use Certificate: /C=US/ST=Minnesota/L=Eden Prairie/O=HelpSystems, LLC/OU=Demo Certificate (insecure)/CN=low-security.helpsystems.com/[email protected]
Not Before: Aug 8 14:47:19 2014 GMT, Not After: Aug 8 14:47:19 2015 GMT
SSL server protocols: TLSv1.0 TLSv1.1 TLSv1.2
Using custom SSL server cipher list ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
The above, in the Debug log, is a typical startup sequence. Here we have overridden the default protocols to disable SSLv3, and we have explicitly defined a cipher list.
SSL server preference for cipher selection enabled
SSL client initiated session renegotiation disabled
Here we have reversed the defaults for both supported entries in Options in ssl.conf.
Error setting custom SSL cipher list (invalid ciphers)
Using default SSL server cipher list ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
Indicates that the Ciphers list in ssl.conf was rejected by the underlying SSL support, and the default cipher list was used in its place.
09:40:09 SSLError(1) - 336109835 = error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
09:40:09 SSLError(1) - 336027900 = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
09:40:09 SSLError(1) - 336109761 = error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
These are not new messages, but they show failures by a client to connect to the Intermapper server. In this case it was due to an SSLv3-only client attempting to connect when SSLv3 had been disabled in ssl.conf. Check Protocols and Ciphers in ssl.conf.
16:22:15 SSLError(1) - 336130329 = error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
16:22:15 SSLError(1) - 336027900 = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Similar to the above. These two together are typical of a client which only supports earlier SSL/TLS protocol versions attempting to connect to a server where those versions have been disabled in favour of later ones. To fix: re-enable the required protocols in ssl.conf.
10:07:13 SSL: rejecting client session renegotiation attempt from 127.0.0.1:43552
A client connection has been closed because it attempted to perform session renegotiation, with the ClientInitiatedRenegotiation option disabled in ssl.conf.
2014-11-05 09:44:25 INFO Loading SSL configuration from /var/local/Intermapper_Settings/ssl.conf
Indicates that the SSL configuration file ssl.conf has been located and will be loaded.
2014-11-05 09:49:30 WARNING Ignoring unrecognised token MISSPELT in SSL configuration line 25
Indicates an error in the ssl.conf configuration file.
2014-11-05 09:51:01 REASON Technical Information: <class 'OpenSSL.SSL.Error'> [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher match')] ['Traceback (most recent call last):\n', ' File "/imdc/main.py", line 404, in \n', ' File "/imdc/server.py", line 209, in __init__\n', ' File "/imdc/server.py", line 366, in loadCertificateServer\n', "Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher match')]\n"]
2014-11-05 09:51:01 CRITICAL Sorry, IMDC can't recover from the above problem, and must shut down.
This indicates a more serious problem with ssl.conf. Here, the Ciphers list was rejected by the underlying SSL support services because the list did not resolve to any supported ciphers. Check both Protocols and Ciphers configuration.
2014-11-05 09:44:46 INFO SSL: rejecting client session renegotiation attempt from 10.4.1.129:53421
A client connection has been closed because it attempted to perform session renegotiation, with the ClientInitiatedRenegotiation option disabled in ssl.conf.
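As an added example (not Intermapper's code), the following Python classifies the log entries discussed above by which ssl.conf element to check, and tallies rejected renegotiation attempts per client address. The rule names, categories and the sample log (entries from this page plus one constructed renegotiation line) are my own assumptions.

```python
import re
from collections import Counter

# (pattern, category, ssl.conf element to check) for the entries discussed above.
RULES = [
    (r"SSL3_GET_CLIENT_HELLO:wrong version number", "protocol_mismatch", "Protocols"),
    (r"SSL23_GET_CLIENT_HELLO:unknown protocol", "protocol_mismatch", "Protocols"),
    (r"SSL3_GET_RECORD:decryption failed or bad record mac", "protocol_mismatch", "Protocols"),
    (r"SSL3_GET_CLIENT_HELLO:no shared cipher", "no_shared_cipher", "Ciphers"),
    (r"rejecting client session renegotiation attempt from ([\d.]+):(\d+)",
     "renegotiation_rejected", "Options"),
    (r"Ignoring unrecognised token (\S+) in SSL configuration line (\d+)",
     "config_syntax", "ssl.conf"),
    (r"Error setting custom SSL cipher list|SSL_CTX_set_cipher_list', 'no cipher match'",
     "cipher_list_rejected", "Ciphers"),
    (r"SSL protocol configuration does not enable TLSv1\.0", "tlsv10_disabled", "Protocols"),
]
COMPILED = [(re.compile(p), c, h) for p, c, h in RULES]

def classify(line):
    """Return (category, element to check, captured groups) for a known line, else None."""
    for pattern, category, hint in COMPILED:
        m = pattern.search(line)
        if m:
            return category, hint, m.groups()
    return None

def summarize(lines):
    """Count each category and tally rejected renegotiation attempts per client address."""
    categories = Counter()
    sources = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        category, _hint, groups = hit
        categories[category] += 1
        if category == "renegotiation_rejected":
            sources[groups[0]] += 1
    return {"categories": dict(categories), "renegotiation_sources": dict(sources)}

# Constructed sample: entries from this document plus one extra renegotiation line.
SAMPLE_LOG = [
    "09:40:09 SSLError(1) - 336109835 = error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number",
    "09:40:09 SSLError(1) - 336027900 = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    "09:40:09 SSLError(1) - 336109761 = error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "16:22:15 SSLError(1) - 336130329 = error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac",
    "10:07:13 SSL: rejecting client session renegotiation attempt from 127.0.0.1:43552",
    "2014-11-05 09:44:25 INFO Loading SSL configuration from /var/local/Intermapper_Settings/ssl.conf",
    "2014-11-05 09:49:30 WARNING Ignoring unrecognised token MISSPELT in SSL configuration line 25",
    "2014-11-05 09:44:46 INFO SSL: rejecting client session renegotiation attempt from 10.4.1.129:53421",
    "2014-11-05 09:44:46 INFO SSL: rejecting client session renegotiation attempt from 10.4.1.129:53430",
    "Error setting custom SSL cipher list (invalid ciphers)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```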
Further information on SSL vulnerabilities may be found at:
https://www.openssl.org/news/vulnerabilities.html
We now use OpenSSL v1.0.1j in both Intermapper Server and Intermapper DataCenter.
The Intermapper server default is to disallow low grade encryption schemes, through use of "!LOW:!EXP" in the cipher list.
IMDC server uses the OpenSSL default which includes low grade encryption schemes. To upgrade it to the default level of Intermapper server, use the following suggested default in ssl.conf:
Ciphers "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
Not vulnerable as we do not support SSLv2.
Customers concerned about this vulnerability can address it by disabling SSLv3 in the ssl.conf file, which is the simplest and most compatible fix.
Protocols "ALL:-SSLv3"
This configuration remains compatible with older Intermapper clients, which will continue to use TLSv1.0.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1g.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1h.
The version of OpenSSL we now use has support for secure session renegotiation (RFC5746). However, this will not be supported by older clients, and some scanners might complain that client-initiated session renegotiation is supported at all. Such renegotiation may be completely disabled through the following configuration in ssl.conf:
Options "-ClientInitiatedRenegotiation"
At the time of writing, Intermapper does not require client-initiated session renegotiation, so the feature may be disabled and still preserve compatibility with older Intermapper clients.
Not vulnerable as SSL compression is disabled.
Not vulnerable as HTTP-level compression is disabled.
Consider the following opinion:
https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
It is possible to mitigate this threat by disabling SSLv3 and TLSv1.0. However, our current Java UI clients (IM Console and IM RemoteAccess) require TLSv1.0 support.
There are alternative methods, such as favouring stream ciphers such as RC4, but this is no longer recommended due to vulnerabilities in RC4 schemes.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1g.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1g.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1g.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1g.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1f.
Not vulnerable as we now use a version of OpenSSL greater than 1.0.1g.