SSL RC4 cipher problems


SSL RC4 cipher problems

4D Tech mailing list
Hi,

I'm using 4D 15.4 build 15.208269. I am running into problems with web pages served by the 4D Web Server via SSL (https) being rejected by browsers (Chrome, Firefox) for having an insecure algorithm (RC4). It's recommended to change the settings on the server to disable this cipher.

I think I can do this via the SET DATABASE PARAMETER using option 64, SSL cipher list.

However, when I use Get database parameter using this option (to see what's currently set and then just modify this), the result is a blank string for "$vList":

C_TEXT($vList)
// Option 64 (SSL cipher list): the current cipher list should come back in $vList
$vNotUsed:=Get database parameter(SSL cipher list;$vList)

What am I doing wrong?

I've tried this on both 4D standalone as well as 4D Server. Same result; nothing returned for the cipher list.

The https://ssldecoder.org site shows the following ciphers in use for the web server running under 4D v15.4:

AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
CAMELLIA128-SHA
RC4-SHA

So, I think all I need to do is disable the RC4 cipher and that should fix the problem, no? I think all I need to do is add a "!" before the RC4 ciphers in the list to disable it. Then web browsers should stop complaining and serve up the pages without problem, correct?

But, if Get database parameter isn't working (or I'm doing something wrong), I'm very hesitant to apply SET DATABASE PARAMETER to change anything.

Anybody else run into this, and have a solution?

Thanks!

Michael Larue
Dimension IV Consulting, LLC
**********************************************************************
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:[hidden email]
**********************************************************************

Re: SSL RC4 cipher problems

4D Tech mailing list
I think you need to specifically set a list with SET,
or else the default hard-coded setting is used but the function returns "".

you could set a value found here

https://wiki.mozilla.org/Security/Server_Side_TLS

and compare the results (you don't need to restart the web server)

> On 2017/05/23 at 7:43, larue via 4D_Tech <[hidden email]> wrote:
> What am I doing wrong?


Re: SSL RC4 cipher problems

4D Tech mailing list
Hi Keisuke,

Many thanks for your prompt reply!

> I think you need to specifically set a list with SET,
> or else the default hard-coded setting is used but the function returns "".

Interesting. Since I wasn't getting any result back from the GET function, I was a little hesitant to try the SET function, in case this screwed things up.

I downloaded the "10-07_SSLKeys_CipherList" tech note, which was originally written for version 11 I think; I opened it under version 12, and it worked as expected (showing the "default" ciphers on the right pane when the window is first opened). However, when opening under version 15, the default cipher list was blank.

Looking at the code, as expected, it's using the GET and SET database parameter 64 call; however, under version 12 the GET works without any prior call to SET required to show what's the default. Apparently this was changed (broken) in v15.

OK, I'll give this a try (using the SET) to see if the GET will then work (and it won't blow up my SSL :-).

> you could set a value found here

Tim Penner actually wrote in the thread "RE: Most Current Cipher List for 4D and questions regarding OpenSSL versions being used" back on Dec 6, 2016, that he's using this suite:

"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-"+"SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:A"+"ES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

This looks good to me; as mentioned, I mainly want to get rid of RC4 so the browsers won't complain, which it looks like this should do (the "!RC4" listed at the end).

Is there anything else I should look at or be aware of in order to fix this problem (browser complaining about insecure SSL)?

For implementation, looks like all I need to do is call SET DATABASE PARAMETER with this list, then START WEB SERVER and all should be well, yes? I'm running the web server on 4D Client, so I assume this won't survive a restart of 4D, but must be called each time prior to starting the web server, yes?

Again, many thanks for your prompt reply!

Cheers!

Michael Larue
Dimension IV Consulting, LLC
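Added example, not code from the thread, 4D or OpenSSL: a small evaluator for OpenSSL-style cipher-list strings (the format option 64 takes) run against a constructed catalog built from the nine cipher names the poster got back from ssldecoder.org. It shows why "!RC4" is the right operator for removing RC4 permanently, while "-RC4" only removes it until a later token re-adds it; the catalog tags are a hand-made approximation of OpenSSL's attributes, not the real tables.

```python
from typing import Dict, List, Set

# Constructed catalog: the nine ciphers the 4D v15.4 web server offered,
# each tagged with approximate OpenSSL-style attributes (assumption).
_BASE = {"ALL", "kRSA", "aRSA", "RSA"}
CATALOG: Dict[str, Set[str]] = {name: _BASE | set(tags.split()) for name, tags in [
    ("AES256-GCM-SHA384", "AES256 AESGCM AEAD SHA384 HIGH"),
    ("AES256-SHA256",     "AES256 SHA256 HIGH"),
    ("AES256-SHA",        "AES256 SHA1 HIGH"),
    ("CAMELLIA256-SHA",   "CAMELLIA256 SHA1 HIGH"),
    ("AES128-GCM-SHA256", "AES128 AESGCM AEAD SHA256 HIGH"),
    ("AES128-SHA256",     "AES128 SHA256 HIGH"),
    ("AES128-SHA",        "AES128 SHA1 HIGH"),
    ("CAMELLIA128-SHA",   "CAMELLIA128 SHA1 HIGH"),
    ("RC4-SHA",           "RC4 SHA1 MEDIUM"),   # the cipher browsers reject
]}

def matches(name: str, body: str, catalog: Dict[str, Set[str]] = CATALOG) -> bool:
    """'AES256+SHA1' requires every part; a bare part matches a tag or exact name."""
    return all(p in catalog[name] or p == name for p in body.split("+"))

def evaluate(cipher_string: str, catalog: Dict[str, Set[str]] = CATALOG) -> List[str]:
    """Resolve a cipher-list string to the ordered ciphers it enables."""
    enabled: List[str] = []
    killed: Set[str] = set()          # '!' removals can never be re-added
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n in catalog if matches(n, body, catalog)]
        if op == "!":                 # permanent removal
            killed.update(hits)
            enabled = [n for n in enabled if n not in killed]
        elif op == "-":               # removal until re-added
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":               # move matching ciphers to the end
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:                         # add, preserving order, skipping killed ones
            enabled += [n for n in hits if n not in enabled and n not in killed]
    return enabled

def uses_rc4(cipher_string: str) -> bool:
    """True if the resolved list still contains any RC4 cipher."""
    return any("RC4" in CATALOG[n] for n in evaluate(cipher_string))
```

On a machine with OpenSSL installed, `openssl ciphers -v '<string>'` prints what a string resolves to for that build, which is the authoritative check before handing it to SET DATABASE PARAMETER.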