Troubleshooting
Problem
How to ensure that Guardium appliances accept only 128 bit or higher strength encryption SSL ciphers?
Symptom
Third party vulnerability scan may indicate that Guardium appliances are accepting weak or medium strength SSL encryption ciphers
Cause
Known issue with CLI command: store ssl_ciphers
Environment
All Guardium appliances from v8.x to v9.1 p300 GPU
Diagnosing The Problem
Third party vulnerability scan results may indicate a weak or medium SSL cipher vulnerability with a summary such as: "The remote service supports the use of medium strength SSL ciphers ".
Resolving The Problem
Ad-hoc patch p6007 is available on fix central to resolve this problem.
Ensure you install the correct p6007 for your major version of Guardium:
- For v9 - SqlGuard_9.0p6007_SecurityUpdate
- For v8.2 - SqlGuard_8.2p6007_SecurityUpdate
Notes on Patch installation:
1) Apply patch on Central Manager first, then distribute to all managed units. The patch can be re-installed if needed.
2) The patch will restart the GUI and sniffer automatically.
3) If a CLI session was open before (or while) installing the patch, that CLI session must be closed after patch installation, and a new one CLI session should be opened before using the store ssl_ciphers CLI command (to avoid corrupting tomcat's server.xml file).
If the store ssl_ciphers CLI command is accidentally executed on the original CLI session, the patch must be re-installed.
4) After installing the fix patch, use the CLI command: store ssl_ciphers to set the cipher strength as desired. If the ssl cipher is changed, the command will ask to restart inspection-core for the changes to take effect.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21692408