EcoStruxure IT forum
A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.
Posted: 2022-07-20 10:01 AM
Hello all. I have searched around in here looking for a specific answer but have not been able to locate anything. Does anyone know what specific version of TLS is used for the SSL connection when connecting to the server from the client software.
We are currently running DCE 7.4.1.5 and I am in the process of getting a new VM deployed to drop the 7.9.0.192 OVA onto and build from scratch.
TLS version is one of the items on our security checklist and i cannot find any documentation of protocol version, TLS 1.2 or TLS 1.3. Does anyone know?
Posted: 2022-07-20 11:28 AM
Hi @greg.diel,
There are changes in the DCE 7.9.0 UI as documented in the DCE 7.9.0 release notes:
The SSL option in the Server Access > Web server tab was removed. Private proxy and web server SSL/TLS are now included in a security policy you select.
The System > Server Administration Settings > Server Access option now includes a Security Policy tab. You select one of the cryptographic policies supported by the Data Center Expert server:
The DCE policy is selected by default. The DCE policy is similar to the LEGACY policy except that it does not allow any RC4 or 3DES based ciphers.
These policies are applied consistently to running services and are kept up-to-date as part of Data Center Expert software updates.
See the documentation for security policy definitions from Red Hat here.
The latest version of DCE is 7.9.1. The DCE 7.9.1 release notes are here.
You might also find the DCE Sizing guide helpful.
Best,
Jackie
Posted: 2022-07-21 11:51 AM
Thanks you for those links however I couldn't find any documentation that specifically calls out what version of TLS is used. We have a security checklist that requires that information.
What TLS version(s) is in use?
☐ TLS 1.2 | ☐ TLS 1.3 | ☒ Other: |
Anyone have any idea where this is documented?
Posted: 2022-07-21 02:45 PM
Hi @greg.diel
These are the cipher suites currently in use in 7.9.1 - the four policies can be selected from in the DCE client.
These can and will change in the future, by design, so this information will age, and is only tested against the currently released 7.9.1.
Default vs DCE - it's worth being clear on the naming here, Default is the name of RedHat's default policy. DCE is the DCE's default policy. So the policy named Default is not the out-of-the-box default.
These tables are the result of in-situ testing. I don't know if we have this formally documented anywhere, and I wouldn't want to commit to it until I've automated producing these tables.
Future | Default | DCE | Legacy | |
TLSv1.2 | Y | Y | Y | Y |
TLSv1.1 | Y | Y | ||
TLSv1.0 | Y | Y |
Future | Default | DCE | Legacy | |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
Y | |||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
Y | Y | Y | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
Y | Y | Y | |
TLS_DHE_RSA_WITH_AES_128_CCM
|
Y | Y | Y | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|
Y | Y | Y | |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
Y | Y | Y | |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
Y | Y | Y | |
TLS_DHE_RSA_WITH_AES_256_CCM
|
Y | Y | Y | Y |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|
Y | Y | Y | Y |
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
Y | Y | Y | Y |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
Y | |||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
Y | Y | Y | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
Y | Y | Y | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
Y | Y | Y | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
Y | Y | Y | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
Y | Y | Y | Y |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
Y | Y | Y | Y |
TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
Y | |||
TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
Y | |||
TLS_RSA_WITH_AES_128_CBC_SHA
|
Y | Y | Y | |
TLS_RSA_WITH_AES_128_CBC_SHA256
|
Y | Y | Y | |
TLS_RSA_WITH_AES_128_CCM
|
Y | Y | Y | |
TLS_RSA_WITH_AES_128_GCM_SHA256
|
Y | Y | Y | |
TLS_RSA_WITH_AES_256_CBC_SHA
|
Y | Y | Y | |
TLS_RSA_WITH_AES_256_CBC_SHA256
|
Y | Y | Y | |
TLS_RSA_WITH_AES_256_CCM
|
Y | Y | Y | |
TLS_RSA_WITH_AES_256_GCM_SHA384
|
Y | Y | Y | |
TLS_RSA_WITH_RC4_128_SHA
|
Y |
Posted: 2022-07-23 04:56 AM
Have you found a solution for this, I have exactly the same.
Create your free account or log in to subscribe to the forum - and gain access to more than 10,000+ support articles along with insights from experts and peers.