How to disable an encryption cipher on the CSA (Cloud Service Appliance)

Version 6

    Verified Product Versions

    LANDESK Management Suite 9.6

    Issue:

    A security administrator would like to disable a specific cipher on the CSA because internal vulnerability scans may have identified it as harmful.

    3DES on port 443 is commonly flagged (scroll to the bottom for a full example).

     

     

    General Solution:

    (Before making changes, copy your existing encryption cipher string to an external document in case you need to revert.)

    1) While logged into the Cloud Service Appliance, go to Gateway Service Configuration > Encryption Ciphers. Comment out the cipher by placing a "!" (without the quotes) at the beginning of the string containing the offending encryption. (See the example below.)

    2) Save changes

    3) Remove the self-signed certificate

    • Click Manage LDMG Certificate in the left column
    • Locate any self-signed certificates and remove them. (They will rebuild themselves on reboot)

    4) Reboot the CSA

     

     

    Full Example:

    How to comment out 3DES on port 443:

     

    LANDesk's default encryption cipher (CSA ver. 176-182):

    EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!ADH:!IDEA

     

    Edited encryption cipher: (Notice the exclamation marks placed before ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA and DES-CBC3-SHA. There should be 3 total added by the administrator to comment out 3DES.)

    EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!ADH:!IDEA
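
    Hand-editing a string this long is error-prone, so the following added example (not LANDESK code) applies the same edit programmatically to the default string shown above and counts how many 3DES entries remain enabled. The function names `exclude_ciphers` and `count_active` are hypothetical; the resulting string still has to be pasted into the Encryption Ciphers field as in step 1.

```shell
#!/bin/sh
# Added example, not part of the CSA. DEFAULT_CIPHERS is the default
# string quoted on this page (CSA ver. 176-182); function names are
# hypothetical helpers for preparing the edited string offline.
DEFAULT_CIPHERS='EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!ADH:!IDEA'

# exclude_ciphers STRING PATTERN
# Prefix every still-enabled token containing PATTERN with "!".
# Token order and all other tokens are left untouched, and tokens
# that already start with "!" are not negated a second time.
exclude_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | awk -v pat="$2" '
        index($0, pat) && substr($0, 1, 1) != "!" { $0 = "!" $0 }
        { printf "%s%s", (NR > 1 ? ":" : ""), $0 }
        END { print "" }'
}

# count_active STRING PATTERN
# Print how many tokens containing PATTERN are still enabled (no "!").
count_active() {
    printf '%s\n' "$1" | tr ':' '\n' | awk -v pat="$2" '
        index($0, pat) && substr($0, 1, 1) != "!" { n++ }
        END { print n + 0 }'
}

# DES-CBC3 is the substring shared by the three 3DES entries; it does
# not match the existing "!DES" token, which therefore stays as it is.
EDITED_CIPHERS=$(exclude_ciphers "$DEFAULT_CIPHERS" 'DES-CBC3')

echo "3DES entries enabled before: $(count_active "$DEFAULT_CIPHERS" 'DES-CBC3')"
echo "3DES entries enabled after:  $(count_active "$EDITED_CIPHERS" 'DES-CBC3')"
echo "$EDITED_CIPHERS"
```

    Running `count_active` on the string currently saved in the CSA is a quick way to confirm no 3DES entry was missed before rebooting.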