Certificates
Infoblox lets administrators choose which TLS ciphers the Infoblox Grid uses.
SSH ciphers cannot be changed directly; the SSH cipher set is derived from which TLS ciphers are enabled.
Infoblox has articles on hardening SSL/TLS and SSH ciphers here and here.
The NIOS 8.5 admin guide page is here (it lists the correlation between TLS and SSH ciphers).
The NIOS 9.0 admin guide page is here.
For Reporting and Analytics to function properly, do NOT create a 4096-bit SHA-256 SSL key for the HTTPS certificate in your Grid, because Java does not support SHA-256 with a 4096-bit key size.
Web UI Certificates
You can upload HTTPS certificates in the GUI. Create a certificate for the Grid Master (GM) and also create certificates for all Grid Master Candidate (GMC) appliances.
List of Needed Ciphers
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
WARNING
I removed all ciphers on my Grid except for the following:
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
However, I noticed a few days later that I could not access the Reporting tab and just got the following error message.
The Reporting App is currently unavailable. Refresh the status Go to Reporting Service
To fix this, I had to enable TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. Once that was enabled, I could access the Reporting server again.
set ssl_tls_ciphers enable TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Override Settings
Review whether you are using the default configuration or an override configuration with the command
show ssl_tls_settings
Set the Infoblox to use custom settings with
set ssl_tls_settings override
Set the Infoblox to use the default settings with
set ssl_tls_settings default
Protocol Settings
Show what versions of TLS are being used
show ssl_tls_protocols
Disable TLSv1.0 (remember, you need to set the Infoblox to Override mode first as shown in the previous section).
set ssl_tls_protocols disable TLSv1.0
Disable TLSv1.1 (remember, you need to set the Infoblox to Override mode first as shown in the previous section).
set ssl_tls_protocols disable TLSv1.1
Cipher Settings
Show what ciphers are being used
show ssl_tls_ciphers
Disable a specific cipher by its number: note the number from the show command and use it as follows. Only enabled ciphers carry a number, so re-run the show command before disabling the next one.
set ssl_tls_ciphers disable 10
Enable a specific cipher, you have to use its name
set ssl_tls_ciphers enable TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Cipher Name Mappings
The cipher suite names used by the Infoblox CLI are the ones from the TLS RFCs. Many documents on the web instead use the names OpenSSL uses. Here is how the RFC names map to the OpenSSL names:
RFC name                               OpenSSL name
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256    DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384    DHE-RSA-AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA       DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA       DHE-RSA-AES256-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256    DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256    DHE-RSA-AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256        AES128-GCM-SHA256
TLS_RSA_WITH_AES_128_CBC_SHA           AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256        AES128-SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA          DES-CBC3-SHA
TLS_RSA_WITH_AES_256_GCM_SHA384        AES256-GCM-SHA384
TLS_RSA_WITH_AES_256_CBC_SHA           AES256-SHA
TLS_RSA_WITH_AES_256_CBC_SHA256        AES256-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA       DHE-DSS-AES256-SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA       DH-RSA-DES-CBC3-SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA       DH-DSS-DES-CBC3-SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA       DHE-DSS-AES128-SHA
TLS_RSA_WITH_RC4_128_SHA               RC4-SHA
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384    DHE-DSS-AES256-GCM-SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256    DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256    DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256    DHE-DSS-AES128-SHA256
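The Cipher Settings section above disables by number but enables by name, and the mapping table is what you need to check the result from outside the Grid with OpenSSL. The following Python script is an added example written for this page; it is not Infoblox code. It parses a pasted `show ssl_tls_ciphers` listing (the sample below is copied from this page's example), works out the CLI commands needed to leave only an allow-list enabled, and prints `openssl s_client` probes to confirm what the Grid actually negotiates. It assumes the listing format shown on this page (only enabled suites are numbered, and the numbers are consecutive), and `gm.example.net` is a placeholder host.

```python
"""Reconcile an Infoblox `show ssl_tls_ciphers` listing with an allow-list.
Added example for this page, not Infoblox code. Assumes the listing format
shown on this page (only enabled suites are numbered) and emits the CLI
commands to type plus openssl probes to confirm the result from outside."""
import re
import sys

# Constructed sample input: the `show ssl_tls_ciphers` listing from this page.
SAMPLE_LISTING = """
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
14. TLS_RSA_WITH_RC4_128_SHA enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
"""

# The "List of Needed Ciphers" from this page; the AES-128 GCM suite is the
# one the Reporting tab needed in the WARNING above.
ALLOWED = {"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384",
           "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"}
REPORTING_SUITE = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

LINE_RE = re.compile(r"^\s*(?:(\d+)\.\s+)?(TLS_[A-Z0-9_]+)\s+(enabled|disabled)\s*$")

# Bulk cipher/MAC half of the RFC name -> OpenSSL spelling (from the table above).
BULK = {
    "AES_128_GCM_SHA256": "AES128-GCM-SHA256", "AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "AES_128_CBC_SHA": "AES128-SHA", "AES_256_CBC_SHA": "AES256-SHA",
    "AES_128_CBC_SHA256": "AES128-SHA256", "AES_256_CBC_SHA256": "AES256-SHA256",
    "3DES_EDE_CBC_SHA": "DES-CBC3-SHA", "RC4_128_SHA": "RC4-SHA",
}

def rfc_to_openssl(name):
    """TLS_<kx>_WITH_<bulk> -> OpenSSL name. Plain RSA key exchange is implicit
    in OpenSSL's spelling; DHE_RSA, DHE_DSS, DH_RSA and DH_DSS are written out."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not an RFC suite name: " + name)
    kx, bulk = name[4:].split("_WITH_", 1)
    body = BULK[bulk]  # KeyError for a bulk cipher the Grid does not list
    return body if kx == "RSA" else kx.replace("_", "-") + "-" + body

def parse_listing(text):
    """Return [(number or None, suite, enabled)] in listing order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        num, suite, state = m.groups()
        rows.append((int(num) if num else None, suite, state == "enabled"))
    return rows

def plan_commands(rows, allowed):
    """CLI commands that leave exactly `allowed` enabled. The CLI disables by
    number and enables by name; only enabled suites carry a number and the list
    is renumbered consecutively, so disabling from the highest number downwards
    keeps every remaining number valid without re-running `show` in between."""
    known = {suite for _, suite, _ in rows}
    if not allowed <= known:
        raise ValueError("not in listing: %s" % sorted(allowed - known))
    if REPORTING_SUITE not in allowed:
        print("warning: the Reporting tab needs " + REPORTING_SUITE, file=sys.stderr)
    cmds = ["set ssl_tls_settings override"]
    for num, suite, enabled in sorted(rows, key=lambda r: r[0] or 0, reverse=True):
        if enabled and suite not in allowed:
            cmds.append("set ssl_tls_ciphers disable %d" % num)
    for _, suite, enabled in rows:
        if not enabled and suite in allowed:
            cmds.append("set ssl_tls_ciphers enable " + suite)
    return cmds

def probe_commands(host, rows, allowed, port=443):
    """openssl s_client probes to run from a workstation once the GUI has been
    restarted: an allowed suite must handshake, every other suite must fail.
    -tls1_2 pins the version, because -cipher does not apply to TLS 1.3 suites."""
    return ["openssl s_client -connect %s:%d -tls1_2 -cipher %s </dev/null  # expect %s"
            % (host, port, rfc_to_openssl(suite), "OK" if suite in allowed else "handshake failure")
            for _, suite, _ in rows]

if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    print("\n".join(plan_commands(rows, ALLOWED)))
    print("\n".join(probe_commands("gm.example.net", rows, ALLOWED)))  # placeholder host
```

Paste the real `show ssl_tls_ciphers` output into SAMPLE_LISTING and adjust ALLOWED for your Grid. Run the printed `set` commands in order, restart the GUI service as the CLI asks, then run the probe lines: any "expect handshake failure" probe that succeeds means a suite is still enabled that the listing did not show, and an "expect OK" probe that fails means the client or the Grid rejected a suite you rely on (the Reporting tab problem described in the WARNING above is exactly that kind of failure).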
Example Cipher Setting
Show ciphers
Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
14. TLS_RSA_WITH_RC4_128_SHA enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Say you want to disable RC4 (a broken stream cipher; RFC 7465 prohibits RC4 cipher suites in TLS). It is item #14, so you disable #14:
set ssl_tls_ciphers disable 14
Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_RSA_WITH_RC4_128_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
Now suppose that for some reason you needed to re-enable RC4 (not recommended for the reason above; the steps only illustrate enabling by name). You could do this as follows:
Infoblox > set ssl_tls_settings override
The following services need to be restarted manually: GUI
Infoblox > set ssl_tls_ciphers enable TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA was enabled
The following services need to be restarted manually: GUI
Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
14. TLS_RSA_WITH_RC4_128_SHA enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
