Changing ciphers

The SOAR Platform is configured to use the most secure ciphers. You can modify the list of ciphers by updating the co3.properties file.

About this task

A cipher suite is a collection of cryptographic algorithms that are used to create secure (TLS) internet connections, and to encrypt and verify data that is sent over these connections. The SOAR Platform uses TLS cipher suites to establish TLS connections to external hosts such as email and threat information servers.

The SOAR Platform supports TLS v1.2 connections only.

By default, the system is configured to use the MOST_SECURE ciphers:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
For compatibility with earlier versions, you can configure the system to use the following DEPRECATED_CIPHERS:
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
  • TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
To view the list of ciphers currently in use, enter the following command from a system that has nmap installed, using the IP address of the SOAR Platform. Nmap is not installed on the SOAR Platform itself.
nmap -p 443 --script ssl-enum-ciphers <ip_address>

To change the list of ciphers, complete the following procedure.

Procedure

  1. Use an editor to open the co3.properties file, which is located in the /usr/share/co3/conf/ directory.
  2. Add a resCiphers variable if necessary.
  3. In the variable, specify the ciphers that you want to use in the order in which you want to use them:
    • To use the most secure ciphers and maintain compatibility with earlier versions, specify resCiphers=MOST_SECURE,DEPRECATED_CIPHERS.
    • To use a custom cipher followed by the most secure ciphers, specify the custom cipher and then the MOST_SECURE variable, separated by a comma, for example: resCiphers=SSL_RSA_WITH_RC4_128_MD5,MOST_SECURE.
  4. Restart the messaging service, as follows.
    sudo systemctl restart resilient-messaging.service
  5. Use the nmap command again to verify that your changes were made. If not, you need to modify the properties file and try again. Changes might not take effect immediately because of caching.
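
One way to script the check in step 5 (an added example, not part of the product documentation): it labels each suite in nmap's ssl-enum-ciphers output as MOST_SECURE, DEPRECATED_CIPHERS or CUSTOM, using the two lists given above. The function names and the sample nmap output are constructed for illustration.

```shell
# Added example: label each suite that nmap reports with the list it belongs to on this page.
MOST_SECURE="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
DEPRECATED_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256"

# Print the suite names found in ssl-enum-ciphers output on stdin, in the order listed.
offered_ciphers() {
    awk '$1 == "|" && $2 ~ /^(TLS|SSL)_[A-Z0-9_]+$/ { print $2 }'
}

# Label each offered suite MOST_SECURE, DEPRECATED_CIPHERS or CUSTOM (exact-name match).
classify_ciphers() {
    offered_ciphers | while read -r suite; do
        if printf '%s\n' "$MOST_SECURE" | grep -qxF "$suite"; then
            echo "MOST_SECURE $suite"
        elif printf '%s\n' "$DEPRECATED_CIPHERS" | grep -qxF "$suite"; then
            echo "DEPRECATED_CIPHERS $suite"
        else
            echo "CUSTOM $suite"
        fi
    done
}

# Constructed sample of ssl-enum-ciphers output (not captured from a real host).
sample_nmap_output() {
    cat <<'EOF'
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
EOF
}

sample_nmap_output | classify_ciphers
```

To check a live system, pipe the nmap command shown earlier into classify_ciphers instead of the sample. nmap prints IANA suite names, so a suite configured under a Java-style SSL_ name, such as the one in the step 3 example, would appear with a TLS_ prefix and be labelled CUSTOM.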