TLS/SSL Server Supports The Use of Static Key Ciphers
'The server is configured to support ciphers known as static key ciphers. These ciphers don't support “Forward Secrecy”. In the new specification for HTTP/2, these ciphers have been blacklisted.'
ClearCenter response
These ciphers are kept so that older browsers can still connect and update to newer browsers.
Short response
Because ClearOS is often used as a first line of defense for weaker systems, static key ciphers are still included in ClearOS for backwards compatibility. This enables newly provisioned legacy systems to get updates and fixes in order to modernize them. It is the browser that will negotiate lower or higher forms of encryption. To ensure that your communications are not compromised, please ensure that your browser is up to date. Modern browsers use only more modern methods, which preclude the static ciphers that have been disallowed in HTTP/2.
Long response
Because ClearOS is often used as a first line of defense for weaker systems, static key ciphers are still included in ClearOS for backwards compatibility. This enables newly provisioned legacy systems to get updates and fixes in order to modernize them. It is the browser that will negotiate lower or higher forms of encryption. To ensure that your communications are not compromised, please ensure that your browser is up to date. Modern browsers use only more modern methods, which preclude the static ciphers that have been disallowed in HTTP/2.
The risk here is that the data exchange is snooped by an outside listener, who can then use the entirety of the message as a basis for decryption. Without forward secrecy, traffic recorded today can be decrypted later if the server's private key is ever obtained. Modern and updated systems will not be affected, and the protocol is included in order to give older machines the opportunity to use tools to upgrade themselves. If your system is not a gateway or infrastructure piece for systems which need a path to upgrade to more modern systems, feel free to disable this protocol.
Resolution
If your ClearOS system is not involved with client workstations that may need to update to newer versions or patch levels (i.e. it is not a gateway or proxy for older workstations looking to get updates), you can likely disable 3DES without any loss of function to older computers that HAVE already achieved update status. To disable 3DES, repeat this process for both Webconfig and the Web Server app (if installed):
Modify the following files for Webconfig (ClearOS 7):
/usr/clearos/sandbox/etc/httpd/conf.d/framework.conf
/usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf
Set 'SSLCipherSuite' to the following (feel free to comment out the existing line and add this one):
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Test the connection with the following:
openssl s_client -cipher ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES -connect localhost:81
You should get output similar to this indicating that these methods are not allowed:
CONNECTED(00000003)
140259018504080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 141 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1538578149
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
Restart Webconfig (and httpd for Web Server, if installed and reconfigured) so that your changes take effect:
systemctl restart webconfig
systemctl restart httpd
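
An added example, not part of the ClearOS documentation: a Python check that expands the SSLCipherSuite string above with the local OpenSSL build and lists any suites lacking forward secrecy, plus a live probe that mirrors the openssl s_client test. The function names are illustrative, and the expansion depends on the OpenSSL version Python is linked against.

```python
import socket
import ssl

# Key-exchange labels (the 'kea' field of SSLContext.get_ciphers()) that use
# ephemeral keys; 'kx-any' is how OpenSSL labels TLS 1.3 suites.
EPHEMERAL_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def expand(cipher_string):
    """Expand an OpenSSL cipher string the way the local OpenSSL build does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def static_key_suites(cipher_string):
    """Names of suites in the string that do not provide forward secrecy."""
    return [c["name"] for c in expand(cipher_string)
            if c["kea"] not in EPHEMERAL_KEA]


def accepts_static_key(host, port, timeout=5.0):
    """Offer only static-RSA suites; return the negotiated suite or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # cipher probe only: the certificate
    ctx.verify_mode = ssl.CERT_NONE  # is deliberately not validated here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no static suites
    ctx.set_ciphers("kRSA")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None  # handshake refused: no static-key suite in common


RECOMMENDED = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"  # from this page
PROBE = "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES"          # from this page

if __name__ == "__main__":
    print("static-key suites in recommended string:", static_key_suites(RECOMMENDED))
    print("static-key suites in probe string:", static_key_suites(PROBE))
    # Live check against Webconfig after the restart: accepts_static_key("localhost", 81)
```

After the restart, accepts_static_key("localhost", 81) should return None. Connection errors other than a refused handshake are raised rather than reported as a pass.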