Empirical Analysis of Valid Values for VirtualHost ssl_ciphers for Testing TLS 1.2

Problem Statement

Apigee is retiring TLS 1.0 and TLS 1.1 protocols on June 18th, 2018.

https://docs.apigee.com/release/notes/tls-retirement

Documentation for the Virtual Host “ssl_ciphers” property does not provide a definitive list of valid values; it merely states that valid OpenSSL values from the openssl man page can be used.

https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference

https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

Use Case

As a Cloud Edge Orgadmin, I need to know the valid SSL cipher values to configure Virtual Hosts to use TLS 1.2 values so I can test my Apps before the TLS retirement on June 18th.

TL;DR

Based on empirical analysis, the valid individual values (one value in ssl_ciphers property) in a paid org deployed in Amazon us-east-1 and eu-west-1 using curl as the test client are:

AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384

NOTE: See very end of this document for Virtual Host management API call using these values.

Tests

  • Tests via curl --tlsv1.0, --tlsv1.1 - failed
  • Tests via curl --tlsv1 (used TLS 1.2) and --tlsv1.2 - worked

Observations

  1. Some “valid” values were rejected by the management API as invalid.
  2. Some “valid” values were accepted by the management API, but the curl commands for TLS 1.2 failed.
  3. Invalid values are accepted by the management API as long as at least one valid value is present (e.g. “foo:AES128-GCM-SHA256”).

Details

Test Setup

Org: paid org

Env: test

Deployment - Public Cloud - Amazon us-east-1 and eu-west-1

Procedure:

Configure Virtual Host with all possible values both as aggregate values and as single value.

Run curl with --tlsv1.0, --tlsv1.1 and --tlsv1.2

Background

OpenSSL command strings

The following command can be used to get the list of cipher suite names:

openssl ciphers -v -tls1 | grep TLSv1.2 | sort | cut -d ' ' -f1

AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
<omitted for brevity - see test result for complete list>

Man page values

In addition, the “cipher strings” (e.g. HIGH) and the cipher suite values from the “TLS v1.2 cipher suites” section (right hand column) can be used from the openssl man page here:

https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

ADH-AES128-GCM-SHA256
ADH-AES128-SHA256
ADH-AES256-GCM-SHA384
ADH-AES256-SHA256
<omitted for brevity - see test result for complete list>

NOTE: there are differences in each list.

Testing

Given the “valid” values from above, each unique value was used to set a single value for the "ssl_ciphers" property.

These curl commands will work:

curl -v --tlsv1.2 {PROXY-URL}

curl -v --tlsv1 {PROXY-URL} - uses 1.2

And these will fail:

curl -v --tlsv1.0 {PROXY-URL}

curl -v --tlsv1.1 {PROXY-URL}

curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Virtual Host setup using single values

curl -X PUT \
https://api.enterprise.apigee.com/v1/organizations/{{ORG}}/environments/{{ENV}}/virtualhosts/secure \
  ...
    "properties": {
        "property": [
            {
                "name": "ssl_ciphers",
                "value": "NULL-SHA256"
            }
        ]
    },
    ...
}'

Test Results

AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
CAMELLIA128-SHA256 - Not accepted
CAMELLIA256-SHA256 - Not accepted
DHE-DSS-AES128-GCM-SHA256 - Accepted but doesn't work
DHE-DSS-AES128-SHA256 - Accepted but doesn't work
DHE-DSS-AES256-GCM-SHA384 - Accepted but doesn't work
DHE-DSS-AES256-SHA256 - Accepted but doesn't work
DHE-DSS-CAMELLIA128-SHA256 - Not accepted
DHE-DSS-CAMELLIA256-SHA256 - Not accepted
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-CAMELLIA128-SHA256 - Not accepted
DHE-RSA-CAMELLIA256-SHA256 - Not accepted
DHE-RSA-CHACHA20-POLY1305 - Not accepted
ECDH-ECDSA-AES128-GCM-SHA256 - Accepted but doesn't work
ECDH-ECDSA-AES128-SHA256 - Accepted but doesn't work
ECDH-ECDSA-AES256-GCM-SHA384 - Accepted but doesn't work
ECDH-ECDSA-AES256-SHA384 - Accepted but doesn't work, hangs curl
ECDH-RSA-AES128-GCM-SHA256 - Accepted but doesn't work
ECDH-RSA-AES128-SHA256 - Not accepted
ECDH-RSA-AES256-GCM-SHA384 - Accepted but doesn't work
ECDH-RSA-AES256-SHA384 - Accepted but doesn't work
ECDHE-ECDSA-AES128-GCM-SHA256 - Accepted but doesn't work
ECDHE-ECDSA-AES128-SHA256 - Accepted but doesn't work
ECDHE-ECDSA-AES256-GCM-SHA384 - Accepted but doesn't work
ECDHE-ECDSA-AES256-SHA384 - Accepted but doesn't work
ECDHE-ECDSA-CHACHA20-POLY1305 - Not accepted
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305 - Not accepted

Additional values from man page section
ADH-AES128-GCM-SHA256 - Accepted but doesn't work
ADH-AES128-SHA256 - Accepted but doesn't work
ADH-AES256-GCM-SHA384 - Accepted but doesn't work
ADH-AES256-SHA256 - Accepted but doesn't work
DH-DSS-AES128-GCM-SHA256 - Accepted but doesn't work
DH-DSS-AES128-SHA256 - Accepted but doesn't work
DH-DSS-AES256-GCM-SHA384 - Accepted but doesn't work
DH-DSS-AES256-SHA256 - Accepted but doesn't work
DH-RSA-AES128-GCM-SHA256 - Accepted but doesn't work
DH-RSA-AES128-SHA256 - Accepted but doesn't work
DH-RSA-AES256-GCM-SHA384 - Accepted but doesn't work
DH-RSA-AES256-SHA256 - Accepted but doesn't work
NULL-SHA256 - Accepted but doesn't work
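A pre-flight check built from the test results above and the observations in the Observations section, as an added example (not Apigee tooling): it classifies each token of a candidate ssl_ciphers value against the outcome table, expands the string with the local OpenSSL to show which tokens really resolve (this matches observation 3, where "foo:AES128-GCM-SHA256" was accepted), and replays the per-protocol-version curl tests against a proxy host. The host name, port and timeout passed to probe() are assumptions; "foo" is a constructed invalid token.

```python
import socket
import ssl
WORKS = {  # transcribed from the test results above (TLS 1.2, curl as the client)
    "AES128-GCM-SHA256", "AES128-SHA256", "AES256-GCM-SHA384", "AES256-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
}
REJECTED = {"ECDH-RSA-AES128-SHA256"}  # plus every CAMELLIA / CHACHA20 suite
BROKEN = ("DHE-DSS-", "ECDH-", "ECDHE-ECDSA-", "DH-", "ADH-", "NULL-")  # accepted, no handshake

def classify(token):
    """Map one token of an ssl_ciphers value to its outcome in the table above."""
    if token in WORKS:
        return "works"
    if token in REJECTED or "CAMELLIA" in token or "CHACHA20" in token:
        return "rejected"
    if token.startswith(BROKEN):
        return "accepted-but-broken"
    return "unknown"

def check_cipher_string(value):
    """Return (all_ok, {token: status}). One usable token is enough for the API to
    accept the whole string (observation 3), so every token is checked."""
    report = {t: classify(t) for t in value.split(":") if t}
    return all(s == "works" for s in report.values()), report

def resolve_locally(value):
    """Expand a cipher string with the local libssl (TLS 1.2-and-below suites only).
    Unknown tokens are dropped while one resolves; if none resolves OpenSSL errors."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(value)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def probe(host, version, cipher=None, port=443, timeout=5):
    """Replay one 'curl --tlsvX' run: pin a protocol version (and optionally one
    suite); return the negotiated (version, suite) or None on handshake failure."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        ctx.set_ciphers(cipher or "DEFAULT")  # "DEFAULT" = OpenSSL's own default list
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None
```

probe() opens a real connection (e.g. probe("ORG-ENV.apigee.net", ssl.TLSVersion.TLSv1_1) should return None once the virtual host is pinned to the values above); the other functions run offline.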

Virtual Host setup for all valid values

curl -X PUT \
https://api.enterprise.apigee.com/v1/organizations/{{ORG}}/environments/{{ENV}}/virtualhosts/secure \
  -H 'accept: application/json' \
  -H 'authorization: Basic ******' \
  -H 'content-type: application/json' \
  -d '{
    "hostAliases": [
        "{{ORG}}-{{ENV}}.apigee.net"
    ],
    "interfaces": [],
    "listenOptions": [],
    "name": "secure",
    "port": "443",
    "properties": {
        "property": [
            {
                "name": "ssl_ciphers",
                "value": "AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
            }
        ]
    },
    "retryOptions": [],
    "sSLInfo": {
        "ciphers": [],
        "clientAuthEnabled": "false",
        "enabled": "true",
        "ignoreValidationErrors": false,
        "keyAlias": "freetrial",
        "keyStore": "ref://freetrialref",
        "protocols": []
    }
}'

end.

Version history
Last update: 06-08-2018 06:21 AM