Saucepan

User Tools

Site Tools

Trace: dns_exfiltration powershell best_practice migration licencing forwarding firewall_rules dns_servers firewall_rules best_practice
infoblox_nios:certificates

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_nios:certificates [2023/06/07 08:49] – [Certificates] bstaffordinfoblox_nios:certificates [2025/05/19 09:56] (current) – [WARNING] bstafford
Line 6: Line 6:
 Infoblox has articles on hardening SSL/TLS and SSH ciphers [[https://community.infoblox.com/t5/Security/Configuring-TLS-1-2-and-ciphersuites-in-NIOS-8-0/m-p/8122#M1488|here]] and [[https://community.infoblox.com/t5/Security/Configuring-SSHD-cipher-suites-in-NIOS-8-x/td-p/10151|here]]. Infoblox has articles on hardening SSL/TLS and SSH ciphers [[https://community.infoblox.com/t5/Security/Configuring-TLS-1-2-and-ciphersuites-in-NIOS-8-0/m-p/8122#M1488|here]] and [[https://community.infoblox.com/t5/Security/Configuring-SSHD-cipher-suites-in-NIOS-8-x/td-p/10151|here]].
  
-The NIOS 8.admin guide page is [[https://docs.infoblox.com/display/nios85/SSL+and+TLS+Protocols|here]]. (it lists the correlation between TLS and SSH ciphers). +The NIOS 9.admin guide page is [[https://docs.infoblox.com/space/nios90/280266998/SSL+and+TLS+Protocols|here]]. 
- +The set command is [[https://docs.infoblox.com/space/nios90/414059185/set+ssl_tls_ciphers|here]].
-The NIOS 9.0 admin guide page is [[https://docs.infoblox.com/space/nios90/155222899/SSL+and+TLS+Protocols|here]].+
  
 For Reporting and Analytics to function properly, ensure that you DO NOT create a SHA-256 4096 SSL key for the HTTPS certificate in your Grid because Java does not support SHA-256 with a 4096 key size. For Reporting and Analytics to function properly, ensure that you DO NOT create a SHA-256 4096 SSL key for the HTTPS certificate in your Grid because Java does not support SHA-256 with a 4096 key size.
 +
 +  * Certificate error when connecting to NIOS GUI. [[https://support.infoblox.com/s/article/1835|KB Article]]
 +  * Creating Self-Signed SSL Certificates [[https://support.infoblox.com/s/article/3082|KB Article]]
 +  * Importing SSL Certificates into NIOS [[https://support.infoblox.com/s/article/3084|KB Article]]
 +
 +===== Terrapin Attack =====
 +[[https://support.infoblox.com/s/article/NIOS-8-6-2-is-vulnerable-to-CVE-2023-48795-Terrapin|KB Article on Terrapin Attack]] and hotfixes
  
 ===== Web UI Certificates ===== ===== Web UI Certificates =====
 You can upload HTTPS certificates in the GUI. Remember to create certificates for the GM and also create certificates for all GMC appliances. You can upload HTTPS certificates in the GUI. Remember to create certificates for the GM and also create certificates for all GMC appliances.
  
 +You can use the ''set apache_https_cert'' command to select one of the previously uploaded HTTPS certificates. [[https://docs.infoblox.com/space/nios90/280659117/set+apache_https_cert|Documentation]].
 +
 +This works at least on NIOS 8.6+.
 ===== List of Needed Ciphers ===== ===== List of Needed Ciphers =====
  
Line 21: Line 30:
   * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  
 +REMEMBER: If you have the reporting server, then as of NIOS 9.0.4 you will need to NOT disable TLS 1.2 because Splunk (which powers the reporting server) doesn't support TLS 1.3 yet.
  
 ===== WARNING ===== ===== WARNING =====
Line 27: Line 37:
   * TLS_RSA_WITH_AES_256_GCM_SHA384   * TLS_RSA_WITH_AES_256_GCM_SHA384
  
-However, I noticed a few days later that I could not access the Reporting tab and just go the following error message.+However, I noticed a few days later that I could not access the Reporting tab (Splunk) and just go the following error message.
 <code>The Reporting App is currently unavailable. <code>The Reporting App is currently unavailable.
 Refresh the status Refresh the status
Line 88: Line 98:
 Show ciphers Show ciphers
 <code>Infoblox > show ssl_tls_ciphers <code>Infoblox > show ssl_tls_ciphers
-  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled  +  1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   enabled 
-  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled  +  2. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   enabled 
-  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled  +  3. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      enabled 
-  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled  +  4. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      enabled 
-  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled  +  5. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   enabled 
-  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled  +  6. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     enabled 
-  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled  +  7. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     enabled 
-  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled  +  8. TLS_DHE_RSA_WITH_AES_128_CBC_SHA        enabled 
-  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled  +  9. TLS_DHE_RSA_WITH_AES_256_CBC_SHA        enabled 
- 10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled  + 10. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     enabled 
- 11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled  + 11. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     enabled 
- 12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled  + 12. TLS_RSA_WITH_AES_128_GCM_SHA256         enabled 
- 13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled  + 13. TLS_RSA_WITH_AES_128_CBC_SHA            enabled 
- 14. TLS_RSA_WITH_RC4_128_SHA            enabled + 14. TLS_RSA_WITH_AES_128_CBC_SHA256         enabled 
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled + 15. TLS_RSA_WITH_3DES_EDE_CBC_SHA           enabled 
-     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled + 16. TLS_RSA_WITH_AES_256_GCM_SHA384         enabled 
-     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled + 17. TLS_RSA_WITH_AES_256_CBC_SHA            enabled 
-     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled + 18. TLS_RSA_WITH_AES_256_CBC_SHA256         enabled 
-     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled + 19. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 enabled 
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled + 20. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enabled 
-     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled + 21. TLS_AES_256_GCM_SHA384                  enabled 
-     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled</code> + 22. TLS_CHACHA20_POLY1305_SHA256            enabled 
-Say you want to disable RC4. It is item #14 so you disable #14 + 23. TLS_AES_128_GCM_SHA256                  enabled 
-<code>set ssl_tls_ciphers disable 14</code>+ 24. TLS_AES_128_CCM_8_SHA256                enabled 
 + 25. TLS_AES_128_CCM_SHA256                  enabled 
 +     TLS_DHE_DSS_WITH_AES_256_CBC_SHA        disabled 
 +     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        disabled 
 +     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        disabled 
 +     TLS_DHE_DSS_WITH_AES_128_CBC_SHA        disabled 
 +     TLS_RSA_WITH_RC4_128_SHA                disabled 
 +     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     disabled 
 +     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256     disabled 
 +     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     disabled 
 +     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256     disabled</code> 
 +Say you want to disable RC4. It is item #25 so you disable #25 
 +<code>set ssl_tls_ciphers disable 25</code>
 <code>Infoblox > show ssl_tls_ciphers <code>Infoblox > show ssl_tls_ciphers
-  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled +  1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   enabled 
-  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled +  2. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   enabled 
-  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled +  3. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      enabled 
-  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled +  4. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      enabled 
-  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled +  5. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   enabled 
-  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled +  6. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     enabled 
-  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled +  7. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     enabled 
-  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled +  8. TLS_DHE_RSA_WITH_AES_128_CBC_SHA        enabled 
-  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled +  9. TLS_DHE_RSA_WITH_AES_256_CBC_SHA        enabled 
- 10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled + 10. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     enabled 
- 11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled + 11. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     enabled 
- 12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled + 12. TLS_RSA_WITH_AES_128_GCM_SHA256         enabled 
- 13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled + 13. TLS_RSA_WITH_AES_128_CBC_SHA            enabled 
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled + 14. TLS_RSA_WITH_AES_128_CBC_SHA256         enabled 
-     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled + 15. TLS_RSA_WITH_3DES_EDE_CBC_SHA           enabled 
-     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled + 16. TLS_RSA_WITH_AES_256_GCM_SHA384         enabled 
-     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled + 17. TLS_RSA_WITH_AES_256_CBC_SHA            enabled 
-     TLS_RSA_WITH_RC4_128_SHA            disabled + 18. TLS_RSA_WITH_AES_256_CBC_SHA256         enabled 
-     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled + 19. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 enabled 
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled + 20. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enabled 
-     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled + 21. TLS_AES_256_GCM_SHA384                  enabled 
-     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled</code>+ 22. TLS_CHACHA20_POLY1305_SHA256            enabled 
 + 23. TLS_AES_128_GCM_SHA256                  enabled 
 + 24. TLS_AES_128_CCM_8_SHA256                enabled 
 +     TLS_AES_128_CCM_SHA256                  enabled 
 +     TLS_DHE_DSS_WITH_AES_256_CBC_SHA        disabled 
 +     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        disabled 
 +     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        disabled 
 +     TLS_DHE_DSS_WITH_AES_128_CBC_SHA        disabled 
 +     TLS_RSA_WITH_RC4_128_SHA                disabled 
 +     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     disabled 
 +     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256     disabled 
 +     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     disabled 
 +     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256     disabled</code>
 Now suppose that for some reason you needed to re-enable the use of RC4. You could do this as follows: Now suppose that for some reason you needed to re-enable the use of RC4. You could do this as follows:
 <code>Infoblox > set ssl_tls_settings override <code>Infoblox > set ssl_tls_settings override
Line 141: Line 175:
 TLS_RSA_WITH_RC4_128_SHA was enabled TLS_RSA_WITH_RC4_128_SHA was enabled
 The following services need to be restarted manually: GUI</code> The following services need to be restarted manually: GUI</code>
 +
 +The following is from NIOS 9.0.4 which introduced five TLS 1.3 ciphers
 <code>Infoblox > show ssl_tls_ciphers <code>Infoblox > show ssl_tls_ciphers
-  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled  +  1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   enabled 
-  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled  +  2. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   enabled 
-  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled  +  3. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      enabled 
-  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled  +  4. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      enabled 
-  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled  +  5. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   enabled 
-  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled  +  6. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     enabled 
-  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled  +  7. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     enabled 
-  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled  +  8. TLS_DHE_RSA_WITH_AES_128_CBC_SHA        enabled 
-  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled  +  9. TLS_DHE_RSA_WITH_AES_256_CBC_SHA        enabled 
- 10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled  + 10. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     enabled 
- 11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled  + 11. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     enabled 
- 12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled  + 12. TLS_RSA_WITH_AES_128_GCM_SHA256         enabled 
- 13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled  + 13. TLS_RSA_WITH_AES_128_CBC_SHA            enabled 
- 14. TLS_RSA_WITH_RC4_128_SHA            enabled + 14. TLS_RSA_WITH_AES_128_CBC_SHA256         enabled 
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled + 15. TLS_RSA_WITH_3DES_EDE_CBC_SHA           enabled 
-     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled + 16. TLS_RSA_WITH_AES_256_GCM_SHA384         enabled 
-     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled + 17. TLS_RSA_WITH_AES_256_CBC_SHA            enabled 
-     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled + 18. TLS_RSA_WITH_AES_256_CBC_SHA256         enabled 
-     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled + 19. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 enabled 
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled + 20. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enabled 
-     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled + 21. TLS_AES_256_GCM_SHA384                  enabled 
-     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled</code>+ 22. TLS_CHACHA20_POLY1305_SHA256            enabled 
 + 23. TLS_AES_128_GCM_SHA256                  enabled 
 + 24. TLS_AES_128_CCM_8_SHA256                enabled 
 + 25. TLS_AES_128_CCM_SHA256                  enabled 
 +     TLS_DHE_DSS_WITH_AES_256_CBC_SHA        disabled 
 +     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        disabled 
 +     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        disabled 
 +     TLS_DHE_DSS_WITH_AES_128_CBC_SHA        disabled 
 +     TLS_RSA_WITH_RC4_128_SHA                disabled 
 +     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     disabled 
 +     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256     disabled 
 +     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     disabled 
 +     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256     disabled</code>
  
infoblox_nios/certificates.1686127782.txt.gz · Last modified: by bstafford