
SSL Libraries out of Date SRX240H2

  • 1.  SSL Libraries out of Date SRX240H2

    Posted 06-17-2019 09:52

    Hello,

    Some of my browsers that have restrictions for stronger cipher suites and protocols are unable to connect to the console for the SRX240H2 service gateway. That leads me to concerns about the SSL/TLS libraries and their version. Could someone explain to me why there are weak DH 1024 cipher suites and no PFS cipher suites? Are the libraries up to date with the current version of Junos OS installed, 12.3X48-D85? The self-signed certificate that is issued currently uses a NIST-unapproved hashing algorithm as well.

    Supported Server Cipher(s):
    Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
    Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
    Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
    Accepted TLSv1.2 256 bits AES256-GCM-SHA384
    Accepted TLSv1.2 256 bits AES256-SHA256
    Accepted TLSv1.2 256 bits AES256-SHA
    Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
    Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
    Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
    Accepted TLSv1.2 128 bits AES128-GCM-SHA256
    Accepted TLSv1.2 128 bits AES128-SHA256
    Accepted TLSv1.2 128 bits AES128-SHA

    SSL Certificate:
    Signature Algorithm: sha1WithRSAEncryption
    RSA Key Strength: 2048
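As an added example (not from the original post or from Juniper), here is a small Python grader that parses a scanner listing of the form shown above and flags what the poster is asking about: suites without forward secrecy, DHE groups under 2048 bits, CBC/HMAC-SHA1 suites, and a SHA-1-signed certificate. The sample input is a constructed copy of the post's listing; the line format it assumes is that of the listing, not of any particular scanner, and the thresholds are the usual NIST SP 800-57 minimums.

```python
"""Grade an sslscan-style cipher listing: flag non-PFS suites, weak DHE groups,
SHA-1 MACs, CBC (non-AEAD) suites and a SHA-1-signed certificate.

Added example; SAMPLE_SCAN is a constructed copy of the listing in the post,
not output captured by the author of this script.
"""
import re

# Constructed sample. Assumed line format (taken from the post's listing):
#   "<Preferred|Accepted> <proto> <n> bits <suite> [DHE <n> bits]"
SAMPLE_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA

SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 2048
"""

CIPHER_RE = re.compile(
    r"^(?:Preferred|Accepted)\s+(?P<proto>\S+)\s+(?P<bits>\d+)\s+bits\s+"
    r"(?P<suite>\S+)(?:\s+(?P<kx>DHE|ECDHE)\s+(?P<kxbits>\d+)\s+bits)?"
)
SIG_RE = re.compile(r"^Signature Algorithm:\s*(?P<alg>\S+)")
KEY_RE = re.compile(r"^RSA Key Strength:\s*(?P<bits>\d+)")

MIN_DH_BITS = 2048   # 1024-bit DH gives ~80-bit security; NIST disallows it
MIN_RSA_BITS = 2048
WEAK_SIGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


def grade_suite(suite, kx, kxbits):
    """Return the list of findings for one negotiable cipher suite."""
    findings = []
    # Only ephemeral (EC)DH key exchange gives forward secrecy; a plain
    # "AES256-SHA"-style name means static RSA key transport.
    if not suite.startswith(("ECDHE-", "DHE-")):
        findings.append("no forward secrecy (static RSA key exchange)")
    if kx == "DHE" and kxbits is not None and int(kxbits) < MIN_DH_BITS:
        findings.append(f"DHE group only {kxbits} bits (< {MIN_DH_BITS})")
    if not any(tag in suite for tag in ("GCM", "CHACHA20", "CCM")):
        findings.append("CBC mode, not AEAD")
    if suite.endswith("-SHA"):      # "-SHA" suffix = HMAC-SHA1 MAC
        findings.append("HMAC-SHA1 MAC")
    return findings


def grade_scan(text):
    """Parse scanner text; return {'suites': {name: findings}, 'cert': findings}."""
    suites, cert = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = CIPHER_RE.match(line)
        if m:
            suites[m["suite"]] = grade_suite(m["suite"], m["kx"], m["kxbits"])
            continue
        m = SIG_RE.match(line)
        if m and m["alg"] in WEAK_SIGS:
            cert.append(f"certificate signed with {m['alg']}")
        m = KEY_RE.match(line)
        if m and int(m["bits"]) < MIN_RSA_BITS:
            cert.append(f"RSA key only {m['bits']} bits")
    return {"suites": suites, "cert": cert}


if __name__ == "__main__":
    report = grade_scan(SAMPLE_SCAN)
    for suite, findings in report["suites"].items():
        print(f"{suite:32} {'; '.join(findings) or 'ok'}")
    for finding in report["cert"]:
        print("certificate:", finding)
```

Run against the listing above it reports every DHE suite for its 1024-bit group and every non-DHE suite for lacking forward secrecy, which is the combination the poster is worried about: the only suites with PFS are exactly the ones with the weak group.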


  • 2.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-17-2019 10:27

    This is the supported list in D80 (I don't have D85 anywhere):

        Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
        Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
        Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
        Accepted  TLS12  256 bits  AES256-GCM-SHA384
        Accepted  TLS12  256 bits  AES256-SHA256
        Accepted  TLS12  256 bits  AES256-SHA
        Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
        Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
        Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA
        Accepted  TLS12  128 bits  AES128-GCM-SHA256
        Accepted  TLS12  128 bits  AES128-SHA256
        Accepted  TLS12  128 bits  AES128-SHA

    I'm not sure if editing httpd.conf is possible or supported, but the default accepted ciphers are below.

    <VirtualHost *:443>
      ServerName "xxx"
      DocumentRoot "/html"
      SSLEngine on
      SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:-MEDIUM
      SSLProtocol ALL -SSLV3 -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
      SSLCertificateFile "/var/db/certs/system-cert/system-generated.cert"
      SSLCertificateKeyFile "/var/db/certs/system-key-pair/system-generated.priv"
    </VirtualHost>
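Added example, not from the post or from Juniper: the SSLCipherSuite string above, expanded with the local OpenSSL through Python's ssl module, next to a PFS-only string of my own (HARDENED is an assumption about what a hardened setting would look like, not a setting the page shows to be supported on the SRX, and the post itself is unsure whether httpd.conf can be edited at all). It shows that the default string's !aNULL/!ADH/!LOW/!EXP exclusions never rule out static RSA key exchange, which is why the six non-DHE suites are offered. The cipher string cannot show the DHE parameter size; that comes from a server-side DH parameter, not from the suite list. The exact suites printed depend on the OpenSSL your Python links against.

```python
"""Expand an Apache/OpenSSL SSLCipherSuite string with the local OpenSSL and
classify each resulting suite by key exchange (forward secrecy or not).

Added example. DEVICE_DEFAULT is copied from the httpd.conf in the post;
HARDENED is this example's own suggestion, not a vendor-supported setting.
"""
import re
import ssl

DEVICE_DEFAULT = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:-MEDIUM"
# Ephemeral (EC)DH with AEAD only: every TLS 1.2 suite here has forward secrecy.
HARDENED = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5"

# OpenSSL's cipher description reads like
# "DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD"
_KX_RE = re.compile(r"Kx=(\S+)")


def expand(cipher_string):
    """Return [{'name', 'protocol', 'kx', 'pfs'}] for every suite the string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)        # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        kx = _KX_RE.search(c["description"]).group(1)
        # Kx=ECDH / Kx=DH are ephemeral; TLS 1.3 suites report Kx=any and are
        # always ephemeral; Kx=RSA is static key transport with no PFS.
        pfs = kx in ("ECDH", "DH", "any")
        suites.append({"name": c["name"], "protocol": c["protocol"],
                       "kx": kx, "pfs": pfs})
    return suites


def non_pfs_suites(cipher_string):
    """Names of suites a server with this string could still negotiate without PFS."""
    return [s["name"] for s in expand(cipher_string) if not s["pfs"]]


if __name__ == "__main__":
    for label, cs in (("device default", DEVICE_DEFAULT), ("hardened", HARDENED)):
        suites = expand(cs)
        print(f"{label}: {len(suites)} suites, "
              f"{len(non_pfs_suites(cs))} without forward secrecy")
        for s in suites:
            print(f"  {s['name']:32} {s['protocol']:8} Kx={s['kx']:6} pfs={s['pfs']}")
```

Before changing a production cipher string, expand it this way and check two things: that no Kx=RSA suite remains, and that the list is still non-empty for the clients you must support (older browsers without ECDHE support will only reach the DHE suites, whose group size is set elsewhere).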



  • 3.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-17-2019 11:21

    Thank you for the response. The question is more about what SSL libraries are in use and what version they are at. Some of the ciphers in the list are acceptable, but could be configured as you have stated in the config... if it is supported. But my concern is more about what version they are at and what potential security issues may exist as a result of the versioning.



  • 4.  RE: SSL Libraries out of Date SRX240H2
    Best Answer

    Posted 06-17-2019 12:12

    OpenSSL appears to be at 1.0.2r, if that helps. I'm not sure how to determine individual library versions.

    % ssh -V
    OpenSSH_6.9, SSH protocols 1.5/2.0, OpenSSL 1.0.2r  26 Feb 2019
    SSH release 12.3X48-D80.4 built by builder on 2019-03-28 01:42:20 UTC


  • 5.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-17-2019 12:56

    Well, at least OpenSSL is almost current (https://www.openssl.org/):

    28-May-2019 OpenSSL 1.0.2s is now available, including bug fixes
    26-Feb-2019 OpenSSL 1.0.2r is now available, including bug and security fixes

    But as for the SSH libraries:

    OpenSSH 8.x recently became available, and the 6.x major branch has long since been deprecated. Any idea how to bring that to the right person's attention? I am not eligible for a support maintenance agreement because I purchased my SRX SG from a reseller 😞



  • 6.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-17-2019 19:06

    Hello,

    In the 12.3 release train the focus would be more on bug fixes in JUNOS. With 18.4 and 19.1 I see we are on version 7 of OpenSSH.

    % ssh -V
    OpenSSH_7.3, SSH protocols 1.5/2.0, OpenSSL 1.0.2q 20 Nov 2018
    SSH release 18.4R20190305_2020_builder built by builder on 2019-03-05 20:24:04 UTC

    I hope this helps. Regards,

    Vikas



  • 7.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-18-2019 08:14

    Does that mean that, because the 12.3 release train is older, there won't be any security updates to the core components like OpenSSH?



  • 8.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-18-2019 21:41

    Hi,

    12.3 code has still not reached end of engineering support. Support for the same will end next year.

    https://support.juniper.net/support/eol/software/junos/

    While the focus in the 12.3 code would be more on bug fixes related to JUNOS, I doubt the SSH version would change. But I cannot confirm the same. If you have access to a Juniper Partner / Accounts team, they can get this information for you.

    I hope this answers your question.

    Regards,

    Vikas



  • 9.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-19-2019 08:11

    Yeah, I don't have access. As stated above, I purchased my SRX240H2 brand new from a reseller on Amazon, but I don't have a support/maintenance agreement and tried contacting someone previously.


    Seems odd that a security company would ignore security upgrades for core components.  I will definitely take that into consideration when purchasing a replacement once this machine is EOL.



  • 10.  RE: SSL Libraries out of Date SRX240H2

    Posted 06-20-2019 20:40