Low ciphers to backend server

deniska
Participant V

Hi team,


I have 4.19.01 installed (OPDK).

I have a backend with very low TLS and cipher:

TLSv1, and cipher RC4-SHA

Listed here: https://github.com/apigee/trireme/blob/master/core/ssl-ciphers.txt

I guess I need to use the Apigee cipher property that equals either SSL_RSA_WITH_RC4_128_SHA or TLS_RSA_WITH_RC4_128_SHA.

When I save the policy, I get an error about an unsupported cipher, along with a list of supported ones. However, in the TLS Keystore 'test' screen I can test these ciphers, but I cannot assign them to the property of the EndPoint route.

Error Saving Revision 2
Target default: TLS_RSA_WITH_RC4_128_SHA is not in supported ciphers

My conf is:

    <HTTPTargetConnection>
      <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <Protocols>
          <Protocol>TLSv1.0</Protocol>
        </Protocols>
        <Ciphers>
          <Cipher>TLS_RSA_WITH_RC4_128_SHA</Cipher>
        </Ciphers>
        <KeyStore>myKeystore</KeyStore>
        <KeyAlias>myKey</KeyAlias>
        <TrustStore>ref://myTrustStoreRef</TrustStore>
      </SSLInfo>
      <URL>https://myservice.com</URL>
    </HTTPTargetConnection>

What is the correct cipher for me to use to work with the customer's RC4-SHA?


Denis


Hi Denis, as I see it, this issue may have occurred because the Apigee Message Processor is implemented in Java, and Java has not supported the TLS_RSA_WITH_RC4_128_SHA cipher suite since 2015-04-15 due to the security issue below:

RC4-based TLS ciphersuites (e.g. TLS_RSA_WITH_RC4_128_SHA) are now considered compromised and should no longer be used (see RFC 7465): https://bugs.openjdk.java.net/browse/JDK-8076221
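A way to catch this before deployment, as an added example that is not part of the original thread and not Apigee code: a small audit that walks the `SSLInfo` blocks of target endpoint XML and reports protocol and cipher values that fall under RFC 7465 (RC4) or RFC 8996 (TLS 1.0/1.1). It goes slightly beyond the thread by also matching NULL, EXPORT and anonymous suites; the function name, the `<Targets>` wrapper and the second endpoint are assumptions made for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the target from the question (trimmed), plus a
# hypothetical second endpoint with a modern suite for contrast.
SAMPLE = """<Targets>
  <HTTPTargetConnection>
    <SSLInfo>
      <Protocols><Protocol>TLSv1.0</Protocol></Protocols>
      <Ciphers><Cipher>TLS_RSA_WITH_RC4_128_SHA</Cipher></Ciphers>
    </SSLInfo>
    <URL>https://myservice.com</URL>
  </HTTPTargetConnection>
  <HTTPTargetConnection>
    <SSLInfo>
      <Protocols><Protocol>TLSv1.2</Protocol></Protocols>
      <Ciphers><Cipher>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Cipher></Ciphers>
    </SSLInfo>
    <URL>https://modern.example</URL>
  </HTTPTargetConnection>
</Targets>"""

# RC4 suites are prohibited by RFC 7465; TLS 1.0/1.1 are deprecated by RFC 8996.
WEAK_CIPHER = re.compile(r"_RC4_|_NULL_|_EXPORT_|_anon_")
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

def audit_sslinfo(xml_text):
    """Return (url, kind, value) for every weak protocol or cipher configured."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("HTTPTargetConnection"):
        url = (conn.findtext("URL") or "?").strip()
        for ssl in conn.iter("SSLInfo"):
            for proto in ssl.iter("Protocol"):
                value = (proto.text or "").strip()
                if value in WEAK_PROTOCOLS:
                    findings.append((url, "protocol", value))
            for cipher in ssl.iter("Cipher"):
                value = (cipher.text or "").strip()
                if WEAK_CIPHER.search(value):
                    findings.append((url, "cipher", value))
    return findings

if __name__ == "__main__":
    for url, kind, value in audit_sslinfo(SAMPLE):
        print(f"{url}: weak {kind} {value}")
```
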

Hi Imesh,

Yes, correct,

however, in this screen I can see a similar TLS and can test it, so why is it not supported at the MP level? (I can't see it in the supported list of ciphers in the endpoint configuration)

8362-store.png

Anyway, is there any chance to implement such a thing (without a custom Java callout)? Maybe other ciphers can support RC4 within?