====== Certificates ======
Infoblox allows administrators to select which TLS and SSH ciphers are used by the Infoblox Grid.
SSH ciphers cannot be changed directly but will be linked to the TLS ciphers enabled.
Infoblox has articles on hardening SSL/TLS and SSH ciphers [[https://community.infoblox.com/t5/Security/Configuring-TLS-1-2-and-ciphersuites-in-NIOS-8-0/m-p/8122#M1488|here]] and [[https://community.infoblox.com/t5/Security/Configuring-SSHD-cipher-suites-in-NIOS-8-x/td-p/10151|here]].
The NIOS 9.0 admin guide page is [[https://docs.infoblox.com/space/nios90/280266998/SSL+and+TLS+Protocols|here]].
The set command is [[https://docs.infoblox.com/space/nios90/414059185/set+ssl_tls_ciphers|here]].
For Reporting and Analytics to function properly, ensure that you DO NOT create a SHA-256 4096 SSL key for the HTTPS certificate in your Grid because Java does not support SHA-256 with a 4096 key size.
* Certificate error when connecting to NIOS GUI. [[https://support.infoblox.com/s/article/1835|KB Article]]
* Creating Self-Signed SSL Certificates [[https://support.infoblox.com/s/article/3082|KB Article]]
* Importing SSL Certificates into NIOS [[https://support.infoblox.com/s/article/3084|KB Article]]
===== Terrapin Attack =====
[[https://support.infoblox.com/s/article/NIOS-8-6-2-is-vulnerable-to-CVE-2023-48795-Terrapin|KB Article on Terrapin Attack]] and hotfixes
===== Web UI Certificates =====
You can upload HTTPS certificates in the GUI. Remember to create certificates for the GM and also create certificates for all GMC appliances.
You can use the ''set apache_https_cert'' command to select one of the previously uploaded HTTPS certificates. [[https://docs.infoblox.com/space/nios90/280659117/set+apache_https_cert|Documentation]].
This works at least on NIOS 8.6+.
===== List of Needed Ciphers =====
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_RSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
REMEMBER: If you have the reporting server, then as of NIOS 9.0.4 you will need to NOT disable TLS 1.2 because Splunk (which powers the reporting server) doesn't support TLS 1.3 yet.
===== WARNING =====
I removed all ciphers on my Grid except for the following:
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_RSA_WITH_AES_256_GCM_SHA384
However, I noticed a few days later that I could not access the Reporting tab (Splunk) and just go the following error message.
The Reporting App is currently unavailable.
Refresh the status
Go to Reporting Service
To fix this, I had to enable ''TLS_DHE_RSA_WITH_AES_128_GCM_SHA256''. Once that was enabled, I could access the Reporting server again.
set ssl_tls_ciphers enable TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
===== Override Settings =====
Review whether you are using default config or override config with the command
show ssl_tls_settings
Set the Infoblox to use custom settings with
set ssl_tls_settings override
Set the Infoblox to use the default settings with
set ssl_tls_settings default
===== Protocol Settings =====
Show what versions of TLS are being used
show ssl_tls_protocols
Disabled TLSv1.0 (remember, you need to set the Infoblox to Override mode first as shown in the previous section).
set ssl_tls_protocols disable TLSv1.0
Disabled TLSv1.1 (remember, you need to set the Infoblox to Override mode first as shown in the previous section).
set ssl_tls_protocols disable TLSv1.1
===== Cipher Settings =====
Show what ciphers are being used
show ssl_tls_ciphers
Disable a specific cipher, note down its number from the ''show'' command and use it as follows
set ssl_tls_ciphers disable 10
Enable a specific cipher, you have to use its name
set ssl_tls_ciphers enable TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
===== Cipher Name Mappings =====
The ciphersuite names are those used in the RFC documents for TLS. A number of documents on the web instead reference the ciphersuite names used by OpenSSL. Here's a list of how the RFC names map to the OpenSSL names:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE-RSA-AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
TLS_RSA_WITH_RC4_128_SHA RC4-SHA
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS-AES256-GCM-SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS-AES128-SHA256
===== Example Cipher Setting =====
Show ciphers
Infoblox > show ssl_tls_ciphers
1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled
4. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled
5. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
7. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
8. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
10. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
11. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
12. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
13. TLS_RSA_WITH_AES_128_CBC_SHA enabled
14. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
15. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
16. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
17. TLS_RSA_WITH_AES_256_CBC_SHA enabled
18. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
19. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 enabled
20. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enabled
21. TLS_AES_256_GCM_SHA384 enabled
22. TLS_CHACHA20_POLY1305_SHA256 enabled
23. TLS_AES_128_GCM_SHA256 enabled
24. TLS_AES_128_CCM_8_SHA256 enabled
25. TLS_AES_128_CCM_SHA256 enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_RSA_WITH_RC4_128_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Say you want to disable RC4. It is item #25 so you disable #25
set ssl_tls_ciphers disable 25
Infoblox > show ssl_tls_ciphers
1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled
4. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled
5. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
7. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
8. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
10. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
11. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
12. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
13. TLS_RSA_WITH_AES_128_CBC_SHA enabled
14. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
15. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
16. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
17. TLS_RSA_WITH_AES_256_CBC_SHA enabled
18. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
19. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 enabled
20. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enabled
21. TLS_AES_256_GCM_SHA384 enabled
22. TLS_CHACHA20_POLY1305_SHA256 enabled
23. TLS_AES_128_GCM_SHA256 enabled
24. TLS_AES_128_CCM_8_SHA256 enabled
TLS_AES_128_CCM_SHA256 enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_RSA_WITH_RC4_128_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Now suppose that for some reason you needed to re-enable the use of RC4. You could do this as follows:
Infoblox > set ssl_tls_settings override
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_ciphers enable TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA was enabled
The following services need to be restarted manually: GUI
The following is from NIOS 9.0.4 which introduced five TLS 1.3 ciphers
Infoblox > show ssl_tls_ciphers
1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled
4. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled
5. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
7. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
8. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
10. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
11. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
12. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
13. TLS_RSA_WITH_AES_128_CBC_SHA enabled
14. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
15. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
16. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
17. TLS_RSA_WITH_AES_256_CBC_SHA enabled
18. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
19. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 enabled
20. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enabled
21. TLS_AES_256_GCM_SHA384 enabled
22. TLS_CHACHA20_POLY1305_SHA256 enabled
23. TLS_AES_128_GCM_SHA256 enabled
24. TLS_AES_128_CCM_8_SHA256 enabled
25. TLS_AES_128_CCM_SHA256 enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_RSA_WITH_RC4_128_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled