How to allow or block TLS and SSH ciphers using the Cipher Control feature

05/04/2020 16 3848

DESCRIPTION:

Cipher control feature was introduced in the feature release firmware version 6.5.4.1 and available on all firmware versions post that. It can be used to allow or block any or all TLS and SSH ciphers.

RESOLUTION:

TLS Ciphers:

We have around 333 TLS ciphers in the list which can be allowed/blocked based on strength, CBC mode support, as well as TLS protocol version.

It can be configured from the MANAGE | Security Configuration | Firewall Settings | Cipher Control tab. We can easily filter them and take the decision to whether block or allow certain ciphers. This functionality applies to DPI-SSL, HTTPS management, and SSL control. The following can be used for filtering the ciphers.

• Strength: Recommended, Secure, Weak, Insecure
• Is CBC: Indicates whether the cipher uses CBC (Cipher-Block Chaining) mode
• TLS version: We have toggle switches for TLS version 1.0 through 1.3
• Action: 

  You can also view all allowed/blocked ciphers using this drop-down

  
  

The red   indicates that the cipher is blocked and the green checkmark    indicates if the property of the column is true for that cipher. You can use the Action drop-down to filter all the blocked/allowed ciphers.

For Eg: The cipher TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 is a CBC cipher and TLS_ECDH_ECDSA_WITH_RC4_128_SHA is blocked as per the screenshot below.

The expected behavior, when a cipher is blocked, is as below. For example, if cipher X is blocked, the expected behavior is:

• DPI-SSL – Cipher X is no longer a part of the TLS context and is not a part of the client advertised ciphers sent by the firewall handshaking with origin server.
• HTTPS MGMT – Cipher X is not a part of the HTTPS MGMT server application running on the firewall. Thus, if a TLS client negotiates just cipher X, the TLS handshake between client and firewall fails.
• SSL Control – As this refers to traffic (other than DPI-SSL decrypted sessions) passing through the firewall, the firewall blocks any TLS connection between origin client and origin server that uses/negotiates Cipher X.

You can also use the display icon   to check if the cipher is applicable to DPI-SSL, HTTPS management, or SSL control.

You can select multiple cipher suites after filtering and use the block and unblock buttons to block or allow the cipher respectively.

SSH Ciphers:

The SSH Ciphers page of MANAGE | Security Configuration -> Firewall Settings -> Cipher Control allows you to specify which cryptographic SSH ciphers SonicOS uses. The SSH ciphers can be allowed/blocked using check/uncheck option based on key exchange algorithm, Public key algorithm, Encryption algorithm as well as MAC algorithm.