To keep up with secure data transmission practices, two security aspects need to be addressed on the Storage Platform (SP):
- Vulnerable connections
- Vulnerable operating system configurations
Since Attix5 Pro version V8 (R4), the SP identifies vulnerable cipher suites allowed by the operating system and logs warnings daily in the AccountServer log in the SP Console.
Note: The insecure ciphers typically shown in the logs are DHE-related, TripleDES, RC4, and MD5 ciphers. Here is an example:
12:45:59 Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59 Warn: TLS_RSA_WITH_RC4_128_SHA
12:45:59 Warn: TLS_RSA_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: TLS_RSA_WITH_RC4_128_MD5
12:45:59 Warn: SSL_CK_RC4_128_WITH_MD5
12:45:59 Warn: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA256
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA
Tip: Use the LogAnalyzer to view these entries in the log.
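The following Python example is added here and is not Attix5 or LogAnalyzer code; it extracts the suite names from AccountServer log text in the format shown above and groups them by weakness, so the list can be compared after the operating system configuration changes. It assumes every entry has the `HH:MM:SS Warn: <text>` layout of the excerpt; the function names, the NULL category and the sample log are constructed for illustration.

```python
import re

# Assumption: every entry looks like the excerpt above, "HH:MM:SS Warn: <text>".
LINE = re.compile(r"^\d{2}:\d{2}:\d{2} Warn: (.+)$")
HEADER = "known weak cipher suites"
SUITE = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")

# Categories from the note above, plus NULL (no encryption), which the excerpt also lists.
REASONS = [
    ("RC4", re.compile(r"_RC4_")),
    ("TripleDES", re.compile(r"3DES|DES_192_EDE3")),
    ("DHE", re.compile(r"^TLS_DHE_")),
    ("MD5", re.compile(r"_MD5$")),
    ("NULL", re.compile(r"_NULL_")),
]

def weak_suites(log_text):
    """Return unique suite names that directly follow a weak-cipher header line."""
    suites, in_block = [], False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        msg = m.group(1).strip() if m else ""
        if HEADER in msg:
            in_block = True           # start of a (daily) warning block
        elif in_block and SUITE.match(msg):
            if msg not in suites:     # the block repeats daily; keep one copy
                suites.append(msg)
        else:
            in_block = False          # any other entry ends the block
    return suites

def classify(suites):
    """Map each weakness category to the suites that exhibit it."""
    by_reason = {}
    for suite in suites:
        for name in [n for n, rx in REASONS if rx.search(suite)] or ["unclassified"]:
            by_reason.setdefault(name, []).append(suite)
    return by_reason

# Constructed sample: entries in the excerpt's format, then two lines that must be ignored.
SAMPLE_LOG = """\
12:45:59 Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59 Warn: TLS_RSA_WITH_RC4_128_MD5
12:45:59 Warn: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA
12:46:02 Info: constructed unrelated entry
12:46:03 Warn: TLS_RSA_WITH_RC4_128_SHA
"""
```

Calling `classify(weak_suites(SAMPLE_LOG))` places a suite in every category it matches, so `TLS_RSA_WITH_RC4_128_MD5` appears under both RC4 and MD5. The final RC4 line is ignored because it does not follow a header line.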
To test for connection vulnerabilities:
- Go to: https://www.ssllabs.com/ssltest/
- Enter your SP's address in the Domain name box and click Submit.
The site will report any weaknesses.
Some vulnerabilities can be addressed by following the relevant steps below:
- To disable all weak ciphers (including RC4) and only use TLS:
  See "SChannel vulnerabilities" in FAQ article 279.
- To block insecure renegotiations:
  See "Insecure renegotiation" in FAQ article 279.