Obsolete cipher?

security

(richard.salt) #1

We are running Octopus (v2018.3.8) on a Windows Server 2012 R2 (fully patched) with the web portal binding configured over https (using an AlphaSSL certificate).

All is working fine, however, Chrome (v66.0.3359.181) reports this:

“The connection to this site uses TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_CBC with HMAC-SHA1 (an obsolete cipher).”

From Googling around it looks like modern ciphers (like ECDHE/GCM) are not supported pre IIS10 (Win 2016), but I don’t think Octopus GUI is using IIS?

So, my question is: How can I configure the Octopus Web Portal’s ciphers to prevent Chrome reporting “an obsolete cipher”?


(Lawrence Wilson) #2

Hi Richard,
Thanks for getting in touch! I’m sorry for the delay in getting back to you on this one. You are absolutely correct in that Octopus doesn’t run on IIS. Typically the ciphers used in TLS communication are handled directly by the Windows OS and you can configure these settings either in the Windows registry, or using a tool like IISCrypto. I have been doing some reading up on why you might be seeing an issue specifically with AES_256_CBC with HMAC-SHA1 and I believe it may indicate that your Operating System isn’t offering a cipher such as GCM in its list of priorities. I came across an article which may provide some more detail here.

I look forward to hearing if this has been helpful for you!

Kind regards,
Lawrence.


(richard.salt) #3

Hi Lawrence

Many thanks for the helpful links. IISCrypto is a very useful tool for this stuff.

However, after several attempts, I feel I am playing whack-a-mole … I have solved the obsolete cipher, but have now gained an obsolete key exchange :)

“The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_256_GCM (a strong cipher).”

I will play around further to see if I can arrive at the magic combination.

Thanks again for the links
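
The whack-a-mole described in post #3, as an added example that is not part of the original thread or of Octopus: a small checker that parses cipher suite names and reports which half of the suite triggers each of the two Chrome messages quoted above, then reorders a candidate list for an RSA certificate. The suite list is constructed, the rule "anything that is not ECDHE or not AEAD is obsolete" is an assumption generalised from those two messages, and the code does not check whether a given Windows version actually offers a suite.

```python
import re

# Rules inferred from the two Chrome messages quoted in the thread (assumption:
# they generalise to "non-ECDHE key exchange" and "non-AEAD cipher").
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")

def parse_suite(name):
    """Split an IANA or Schannel-style suite name (optional _Pnnn curve suffix)."""
    m = re.fullmatch(r"TLS_(?P<kx>.+?)_WITH_(?P<rest>.+?)(?:_(?P<curve>P\d{3}))?", name)
    if not m:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    kx_parts = m["kx"].split("_")
    # TLS_RSA_WITH_... uses RSA for both key exchange and authentication.
    auth = kx_parts[1] if len(kx_parts) > 1 else kx_parts[0]
    return {"kx": kx_parts[0], "auth": auth, "cipher": m["rest"], "curve": m["curve"]}

def classify(name):
    """Return the list of findings a browser would raise for this suite."""
    s = parse_suite(name)
    issues = []
    if s["kx"] != "ECDHE":
        issues.append(f"obsolete key exchange ({s['kx']})")
    if not any(mark in s["cipher"] for mark in AEAD_MARKERS):
        issues.append(f"obsolete cipher ({s['cipher']})")
    return issues

def reorder(suites, cert_key="RSA"):
    """Keep suites usable with the certificate's key type, cleanest first.
    sorted() is stable, so the existing preference order breaks ties."""
    usable = [s for s in suites if parse_suite(s)["auth"] == cert_key]
    return sorted(usable, key=lambda s: len(classify(s)))

# Constructed candidate list, not read from any server.
SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",       # matches the message in post #1
    "TLS_RSA_WITH_AES_256_GCM_SHA384",               # matches the message in post #3
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",  # needs an ECDSA certificate
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for suite in reorder(SAMPLE):
        print(suite, "->", classify(suite) or "no findings")
```

A suite only clears both findings when it pairs ECDHE with an AEAD cipher and matches the certificate's key type, which is why swapping CBC for GCM alone can trade one warning for the other.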


(Lawrence Wilson) #4

Hi Richard,
Thanks for keeping in touch! I’m glad to hear IISCrypto is helping you in this case and I’m interested to hear how you go in getting the magic combination.

Kind regards,
Lawrence.