SRX Services Gateway

SSL Libraries out of Date SRX240H2

‎06-17-2019 09:51 AM

Hello,


Some of my browsers that have restrictions for stronger cipher suites and protocols are unable to connect to the console for the SRX240H2 service gateway. That leads me to concerns about the SSL/TLS libraries and their version. Could someone explain to me why there are weak DH 1024 cipher suites and no PFS cipher suites? Are the libraries up to date with the current version of Junos OS installed, 12.3X48-D85? The self-signed certificate is currently issued using a NIST-unapproved hashing algorithm as well.


Supported Server Cipher(s):
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA

SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 2048

9 replies

Re: SSL Libraries out of Date SRX240H2

‎06-17-2019 10:26 AM

This is the supported list in D80 (I don't have D85 anywhere):

    Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA

I'm not sure if editing httpd.conf is possible or supported but default accepted ciphers are below.

<VirtualHost *:443>
  ServerName "xxx"
  DocumentRoot "/html"
  SSLEngine on
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:-MEDIUM
  SSLProtocol ALL -SSLV3 -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
  SSLCertificateFile "/var/db/certs/system-cert/system-generated.cert"
  SSLCertificateKeyFile "/var/db/certs/system-key-pair/system-generated.priv"
</VirtualHost>


Re: SSL Libraries out of Date SRX240H2

‎06-17-2019 11:20 AM

Thank you for the response.  The question is more about what ssl libraries are in use and what version they are at.  Some of the ciphers in the list are acceptable but could be configured as you have stated in the config... if it is supported.  But my concern is more about what version they are at and what potential security issues may exist as a result of the versioning.

Solution (accepted by topic author Himself, ‎06-17-2019 01:03 PM)

Re: SSL Libraries out of Date SRX240H2

‎06-17-2019 12:11 PM

OpenSSL appears to be at 1.0.2r, if that helps. I'm not sure how to determine individual library versions.

% ssh -V
OpenSSH_6.9, SSH protocols 1.5/2.0, OpenSSL 1.0.2r  26 Feb 2019
SSH release 12.3X48-D80.4 built by builder on 2019-03-28 01:42:20 UTC

Re: SSL Libraries out of Date SRX240H2

[ Edited ]
‎06-17-2019 12:55 PM

Well, at least OpenSSL is almost current (https://www.openssl.org/):

28-May-2019 OpenSSL 1.0.2s is now available, including bug fixes
26-Feb-2019 OpenSSL 1.0.2r is now available, including bug and security fixes

But of the SSH libraries:

OpenSSH 8.x recently became available and the 6.x major branch has long since been deprecated. Any idea on how to bring that to the right person's attention? I am not eligible for a support maintenance agreement because I purchased my SRX SG from a reseller 😞
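The comparison made in this reply (OpenSSL one patch release behind its branch, OpenSSH a major version behind) is easy to script against `ssh -V` output, with one wrinkle worth handling: OpenSSL 1.0.x numbers its patch releases with a trailing letter, so a plain string compare gets "1.0.2r" versus "1.0.2s" right only by luck and gets "1.0.2z" versus "1.0.2za" wrong. Added example, not from this thread or from Juniper; the banners are constructed copies of the `ssh -V` lines quoted in the thread, and the reference versions (OpenSSL 1.0.2s, OpenSSH 8.0) are the ones this page names as current in June 2019, assumed here for the comparison.

```python
import re
from typing import Dict, Tuple

# Constructed samples: copies of the `ssh -V` banners quoted in this thread.
BANNER_D80 = "OpenSSH_6.9, SSH protocols 1.5/2.0, OpenSSL 1.0.2r  26 Feb 2019"
BANNER_184 = "OpenSSH_7.3, SSH protocols 1.5/2.0, OpenSSL 1.0.2q 20 Nov 2018"

# Reference points as stated on this page for June 2019 (assumed, not looked up live).
LATEST_OPENSSL_102 = "1.0.2s"
LATEST_OPENSSH = "8.0"


def parse_ssh_banner(banner: str) -> Dict[str, str]:
    """Pull the OpenSSH and OpenSSL versions out of an `ssh -V` banner line."""
    m = re.search(r"OpenSSH_(\d+\.\d+)(?:p\d+)?.*?OpenSSL (\d+\.\d+\.\d+[a-z]*)", banner)
    if not m:
        raise ValueError(f"unrecognised ssh -V banner: {banner!r}")
    return {"openssh": m.group(1), "openssl": m.group(2)}


def openssl_key(version: str) -> Tuple[int, int, int, int]:
    """Sortable key for OpenSSL versions.

    1.0.x patch releases are lettered (1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za),
    1.1.1+ and 3.x are plain numeric, so the letters are folded into a base-27
    counter with "no letter" as 0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"not an OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 27 + (ord(ch) - ord("a") + 1)
    return int(major), int(minor), int(fix), patch


def openssh_key(version: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in version.split("."))


def report(banner: str) -> dict:
    """Compare the libraries in a banner against the assumed reference versions."""
    info = parse_ssh_banner(banner)
    return {
        "openssl": info["openssl"],
        "openssl_behind_branch": openssl_key(info["openssl"]) < openssl_key(LATEST_OPENSSL_102),
        "openssh": info["openssh"],
        "openssh_major_behind": openssh_key(info["openssh"])[0] < openssh_key(LATEST_OPENSSH)[0],
    }


if __name__ == "__main__":
    for label, banner in (("12.3X48-D80", BANNER_D80), ("18.4", BANNER_184)):
        print(label, report(banner))
```

On the banner from this thread the result is what the reply says in words: OpenSSL 1.0.2r is behind 1.0.2s on its own branch, and OpenSSH 6.9 is behind the 8.x line by more than a major version. The key function is the part to keep if you adapt this: version strings from `openssl version` and from package managers mix the lettered and numeric schemes freely.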


Re: SSL Libraries out of Date SRX240H2

‎06-17-2019 07:05 PM

Hello,

In the 12.3 release train the focus would be more on the bug fixes in Junos. With 18.4 and 19.1 I see we are on version 7 of OpenSSH.

% ssh -V
OpenSSH_7.3, SSH protocols 1.5/2.0, OpenSSL 1.0.2q 20 Nov 2018
SSH release 18.4R20190305_2020_builder built by builder on 2019-03-05 20:24:04 UTC

I hope this helps. Regards,

Vikas


Re: SSL Libraries out of Date SRX240H2

‎06-18-2019 08:14 AM

Does that mean because the 12.3 release train is older that there won't be any security updates to the core components like openSSH?


Re: SSL Libraries out of Date SRX240H2

‎06-18-2019 09:40 PM

Hi,

12.3 code has still not reached end of engineering support. Support for it will end next year.

https://support.juniper.net/support/eol/software/junos/

While the focus in the 12.3 code would be more on the bug fixes related to Junos, I doubt that the SSH version would change. But I cannot confirm that. If you have access to a Juniper Partner / Accounts team, they can get this information for you.

I hope this answers your question.

Regards,

Vikas


Re: SSL Libraries out of Date SRX240H2

‎06-19-2019 08:11 AM

Yeah, I don't have access. As stated above, I purchased my SRX240H2 brand new from a reseller on Amazon, but I don't have a support/maintenance agreement and tried contacting someone previously.

Seems odd that a security company would ignore security upgrades for core components.  I will definitely take that into consideration when purchasing a replacement once this machine is EOL.


Re: SSL Libraries out of Date SRX240H2

[ Edited ]
‎06-20-2019 08:40 PM