Some of my browsers that have restrictions for stronger cipher suites and protocols are unable to connect to the console for the SRX240H2 service gateway. That leads me to concerns about the SSL/TLS libraries and their version. Could someone explain to me why there are weak DH 1024 cipher suites, and no PFS cipher suites? Are the libraries up to date in the currently installed Junos OS version, 12.3X48-D85? The self-signed certificate is currently issued using a NIST-unapproved hashing algorithm as well.
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA

SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 2048
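As an added example (not part of this thread or of any Juniper tooling), the following Python script turns the scan output quoted above into the three concrete findings the question raises: suites with static RSA key exchange (no forward secrecy), DHE suites whose ephemeral group is below 2048 bits, and a certificate signed with SHA-1. The input text is a constructed re-typing of the quoted output, one entry per line; the regular expression assumes the "Accepted/Preferred <proto> <n> bits <suite> [DHE <n> bits]" layout shown there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the cipher list and certificate summary from the
# scan output quoted in the post, one entry per line.
SCAN_OUTPUT = """\
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-SHA
"""

CERT_OUTPUT = """\
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 2048
"""

# Matches the scanner's layout; the trailing key-exchange group size is optional
# because it is only printed for ephemeral (DHE/ECDHE) suites.
CIPHER_RE = re.compile(
    r"^(?P<status>Preferred|Accepted)\s+(?P<proto>\S+)\s+(?P<bits>\d+) bits\s+"
    r"(?P<name>\S+)(?:\s+(?P<kex>\S+)\s+(?P<kexbits>\d+) bits)?$"
)

# Minimum finite-field DH group size generally accepted today (NIST SP 800-57).
MIN_DH_BITS = 2048


def parse_ciphers(text: str) -> List[Dict]:
    """Parse 'Preferred'/'Accepted' lines into dicts; skip anything else."""
    ciphers = []
    for line in text.splitlines():
        m = CIPHER_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        c["bits"] = int(c["bits"])
        c["kexbits"] = int(c["kexbits"]) if c["kexbits"] else None
        # OpenSSL names: only DHE-/ECDHE- suites use ephemeral key exchange.
        c["pfs"] = c["name"].startswith(("DHE-", "ECDHE-"))
        ciphers.append(c)
    return ciphers


def parse_cert(text: str) -> Dict[str, str]:
    """Turn 'Key: value' certificate lines into a dict."""
    cert = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            cert[key.strip()] = value.strip()
    return cert


def assess(ciphers: List[Dict], cert: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the weaknesses discussed in the thread."""
    findings = []
    for c in ciphers:
        if not c["pfs"]:
            findings.append(f"{c['name']}: static RSA key exchange, no forward secrecy")
        elif c["kex"] == "DHE" and c["kexbits"] is not None and c["kexbits"] < MIN_DH_BITS:
            findings.append(f"{c['name']}: DHE group is {c['kexbits']} bits (< {MIN_DH_BITS})")
    if not any(c["name"].startswith("ECDHE-") for c in ciphers):
        findings.append("no ECDHE suites offered; only finite-field DHE provides forward secrecy")
    sig: Optional[str] = cert.get("Signature Algorithm")
    if sig and ("sha1" in sig.lower() or "md5" in sig.lower()):
        findings.append(f"certificate signed with {sig}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ciphers(SCAN_OUTPUT), parse_cert(CERT_OUTPUT)):
        print(finding)
```

Feeding it the full list from the post yields the same picture the question paints: every forward-secret suite on offer uses a 1024-bit DHE group, there is no ECDHE at all, and the certificate uses sha1WithRSAEncryption; the 2048-bit RSA key itself is not flagged.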
This is the supported list in D80 (I don't have D85 anywhere):
Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits DHE-RSA-AES256-SHA256
Accepted TLS12 256 bits DHE-RSA-AES256-SHA
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits DHE-RSA-AES128-SHA256
Accepted TLS12 128 bits DHE-RSA-AES128-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
I'm not sure if editing httpd.conf is possible or supported, but the default accepted ciphers are below.
SSLProtocol ALL -SSLV3 -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
Thank you for the response. The question is more about what ssl libraries are in use and what version they are at. Some of the ciphers in the list are acceptable but could be configured as you have stated in the config... if it is supported. But my concern is more about what version they are at and what potential security issues may exist as a result of the versioning.
OpenSSL appears to be at 1.0.2r, if that helps. I'm not sure how to determine individual library versions.
% ssh -V
OpenSSH_6.9, SSH protocols 1.5/2.0, OpenSSL 1.0.2r 26 Feb 2019
SSH release 12.3X48-D80.4 built by builder on 2019-03-28 01:42:20 UTC
Well, at least OpenSSL is almost current (https://www.openssl.org/).
But of the SSH libraries:
OpenSSH 8.X recently became available, and the 6 major branch has long since been deprecated. Any idea on how to bring that to the right person's attention? I am not eligible for a support maintenance agreement because I purchased my SRX SG from a reseller 😞
In the 12.3 release train the focus would be more on the bug fixes in JUNOS. With 18.4 and 19.1 I see we are on version 7 of OpenSSH.
% ssh -V
OpenSSH_7.3, SSH protocols 1.5/2.0, OpenSSL 1.0.2q 20 Nov 2018
SSH release 18.4R20190305_2020_builder built by builder on 2019-03-05 20:24:04 UTC
I hope this helps. Regards,
Does that mean because the 12.3 release train is older that there won't be any security updates to the core components like openSSH?
12.3 code is still not end of engineering support. Support for the same will end next year.
While the focus in the 12.3 code would be more on the bug fixes related to JUNOS, I doubt the SSH version would change. But I cannot confirm the same. If you have access to a Juniper Partner / Accounts team, they can get this information for you.
I hope this answers your question.
Yeah, I don't have access. As stated above, I purchased my SRX240H2 brand new from a reseller on Amazon, but I don't have a support/maintenance agreement and tried contacting someone previously.
Seems odd that a security company would ignore security upgrades for core components. I will definitely take that into consideration when purchasing a replacement once this machine is EOL.
These KB resources on SIRT's published policies may help clear things up: