TLS protocol version used for connecting to StruxureWare Data Center Expert?

greg.diel · ‎2022-07-20

Hello all. I have searched around in here looking for a specific answer but have not been able to locate anything. Does anyone know what specific version of TLS is used for the SSL connection when connecting to the server from the client software.

We are currently running DCE 7.4.1.5 and I am in the process of getting a new VM deployed to drop the 7.9.0.192 OVA onto and build from scratch.

TLS version is one of the items on our security checklist and i cannot find any documentation of protocol version, TLS 1.2 or TLS 1.3. Does anyone know?

JLehr · ‎2022-07-20

Hi @greg.diel,

There are changes in the DCE 7.9.0 UI as documented in the DCE 7.9.0 release notes:

The SSL option in the Server Access > Web server tab was removed. Private proxy and web server SSL/TLS are now included in a security policy you select.

The System > Server Administration Settings > Server Access option now includes a Security Policy tab. You select one of the cryptographic policies supported by the Data Center Expert server:

Future: Experimental. Most restrictive to withstand near-term future attacks
Default: Secure settings for current threat models
Legacy: Least restrictive for maximum compatibility
DCE: Recommended. Custom policy, less restrictive than Default and more restrictive than Legacy

The DCE policy is selected by default. The DCE policy is similar to the LEGACY policy except that it does not allow any RC4 or 3DES based ciphers.

These policies are applied consistently to running services and are kept up-to-date as part of Data Center Expert software updates.

See the documentation for security policy definitions from Red Hat here.

The latest version of DCE is 7.9.1. The DCE 7.9.1 release notes are here.

You might also find the DCE Sizing guide helpful.

Best,

Jackie

greg.diel · ‎2022-07-21

Thanks you for those links however I couldn't find any documentation that specifically calls out what version of TLS is used. We have a security checklist that requires that information.

Data in TRANSIT. All Restricted and Confidential data must be encrypted in transit.

What TLS version(s) is in use?

☐ TLS 1.2

☐ TLS 1.3

☒ Other:

What cipher is used? (e.g. AES)
What is the key length? (e.g. 256-bit)

Anyone have any idea where this is documented?

Shaun · ‎2022-07-21

Hi @greg.diel

These are the cipher suites currently in use in 7.9.1 - the four policies can be selected from in the DCE client.

These can and will change in the future, by design, so this information will age, and is only tested against the currently released 7.9.1.

Default vs DCE - it's worth being clear on the naming here, Default is the name of RedHat's default policy. DCE is the DCE's default policy. So the policy named Default is not the out-of-the-box default.

These tables are the result of in-situ testing. I don't know if we have this formally documented anywhere, and I wouldn't want to commit to it until I've automated producing these tables.

	Future	Default	DCE	Legacy
TLSv1.2	Y	Y	Y	Y
TLSv1.1			Y	Y
TLSv1.0			Y	Y

	Future	Default	DCE	Legacy
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA				Y
TLS_DHE_RSA_WITH_AES_128_CBC_SHA		Y	Y	Y
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256		Y	Y	Y
TLS_DHE_RSA_WITH_AES_128_CCM		Y	Y	Y
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256		Y	Y	Y
TLS_DHE_RSA_WITH_AES_256_CBC_SHA		Y	Y	Y
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256		Y	Y	Y
TLS_DHE_RSA_WITH_AES_256_CCM	Y	Y	Y	Y
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	Y	Y	Y	Y
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256	Y	Y	Y	Y
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA				Y
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA		Y	Y	Y
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256		Y	Y	Y
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256		Y	Y	Y
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA		Y	Y	Y
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	Y	Y	Y	Y
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	Y	Y	Y	Y
TLS_ECDHE_RSA_WITH_RC4_128_SHA				Y
TLS_RSA_WITH_3DES_EDE_CBC_SHA				Y
TLS_RSA_WITH_AES_128_CBC_SHA		Y	Y	Y
TLS_RSA_WITH_AES_128_CBC_SHA256		Y	Y	Y
TLS_RSA_WITH_AES_128_CCM		Y	Y	Y
TLS_RSA_WITH_AES_128_GCM_SHA256		Y	Y	Y
TLS_RSA_WITH_AES_256_CBC_SHA		Y	Y	Y
TLS_RSA_WITH_AES_256_CBC_SHA256		Y	Y	Y
TLS_RSA_WITH_AES_256_CCM		Y	Y	Y
TLS_RSA_WITH_AES_256_GCM_SHA384		Y	Y	Y
TLS_RSA_WITH_RC4_128_SHA				Y

Nelson84654 · ‎2022-07-23

Have you found a solution for this, I have exactly the same.