Disable specific TLS cipher suites in Aerospike server configuration

We have an organizational security requirement to disable and stop using the DES, 3DES, IDEA and RC2 ciphers. How can we achieve this with Aerospike server-side configuration?

Do we have to enable cipher-suite in the network stanza? If we enable it, does it mean Aerospike allows or disallows those ciphers?

How can we list the ciphers currently allowed by Aerospike?

My understanding of the cipher-suite config param is that it allows for both specifying what ciphers to allow and disallow. I am not an expert but based on some basic reading I had done, it seemed to have a syntax which allowed for exclusion and inclusion. Here is a page I think I looked up: /docs/man1.0.2/man1/ciphers.html.

Thanks Meher for the info. I added the line below in the aerospike conf file to block the cipher suites DES* and IDEA* and it is working fine:

    network {
        # the tls sub-stanza is named; <tls-name> is a placeholder for the name used in the actual config
        tls <tls-name> {
            cipher-suite ALL:!DES-CBC3-SHA:!IDEA-CBC-SHA
        }
    }

But I have a doubt: would ALL cause any security issues? Is there a way to list the cipher suites Aerospike allows by default?

Wouldn’t it depend on what is available on the system itself? So one can also control it through the OS, I would think. Oh, you can also check the list at server startup. The Aerospike daemon, I am pretty sure, does list all available ciphers when it starts up.

The Aerospike daemon lists ciphers during startup only when tls-cipher is configured in the .conf file. It doesn’t display ciphers when tls-ciphers is not enabled. I wonder which ciphers Aerospike allows or looks for at startup with the default configuration, i.e. when tls-cipher is not set in the .conf file.

Are you sure it doesn’t list any ciphers at startup when leaving the default cipher-suite configuration? I have seen output like the one below, but I haven’t looked recently and maybe this would require enabling detailed logging for the tls context at startup? I would have to check… here is an example from a version from last year:

...
Feb 13 2019 05:02:06 GMT: INFO (config): (cfg.c:3968)     cipher-suite ALL:!COMPLEMENTOFDEFAULT:!eNULL
...
...
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 1: ECDHE-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 2: ECDHE-ECDSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 3: ECDHE-RSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 4: ECDHE-ECDSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 5: ECDHE-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 6: ECDHE-ECDSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 7: DH-DSS-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 8: DHE-DSS-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 9: DH-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 10: DHE-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 11: DHE-RSA-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 12: DHE-DSS-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 13: DH-RSA-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 14: DH-DSS-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 15: DHE-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 16: DHE-DSS-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 17: DH-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 18: DH-DSS-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 19: DHE-RSA-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 20: DHE-DSS-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 21: DH-RSA-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 22: DH-DSS-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 23: ECDH-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 24: ECDH-ECDSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 25: ECDH-RSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 26: ECDH-ECDSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 27: ECDH-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 28: ECDH-ECDSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 29: AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 30: AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 31: AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 32: CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 33: PSK-AES256-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 34: ECDHE-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 35: ECDHE-ECDSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 36: ECDHE-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 37: ECDHE-ECDSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 38: ECDHE-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 39: ECDHE-ECDSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 40: DH-DSS-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 41: DHE-DSS-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 42: DH-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 43: DHE-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 44: DHE-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 45: DHE-DSS-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 46: DH-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 47: DH-DSS-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 48: DHE-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 49: DHE-DSS-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 50: DH-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 51: DH-DSS-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 52: DHE-RSA-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 53: DHE-DSS-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 54: DH-RSA-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 55: DH-DSS-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 56: DHE-RSA-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 57: DHE-DSS-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 58: DH-RSA-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 59: DH-DSS-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 60: ECDH-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 61: ECDH-ECDSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 62: ECDH-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 63: ECDH-ECDSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 64: ECDH-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 65: ECDH-ECDSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 66: AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 67: AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 68: AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 69: SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 70: CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 71: PSK-AES128-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 72: ECDHE-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 73: ECDHE-ECDSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 74: EDH-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 75: EDH-DSS-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 76: DH-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 77: DH-DSS-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 78: ECDH-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 79: ECDH-ECDSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 80: DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 81: IDEA-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 82: PSK-3DES-EDE-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 83: KRB5-IDEA-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 84: KRB5-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 85: KRB5-IDEA-CBC-MD5
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 86: KRB5-DES-CBC3-MD5
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 87: ECDHE-RSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 88: ECDHE-ECDSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 89: ECDH-RSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 90: ECDH-ECDSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 91: RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 92: RC4-MD5
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 93: PSK-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 94: KRB5-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 95: KRB5-RC4-MD5
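As an added example (not code from this thread or from Aerospike), the script below checks a `cipher-suite` value the way a reviewer of the config line posted earlier would: on suite names copied from the startup log above it shows that `!DES-CBC3-SHA:!IDEA-CBC-SHA` drops only those two exact suites while the other 3DES and IDEA suites in the log survive, and then asks the local OpenSSL what a keyword-based string selects instead. `DES`, `3DES`, `IDEA`, `RC2`, `aNULL` and `eNULL` are standard OpenSSL cipher-string keywords; it is assumed that Aerospike passes the `cipher-suite` value to OpenSSL unchanged.

```python
"""Check an OpenSSL cipher string for DES/3DES/IDEA/RC2 suites."""
import re
import ssl

# Matches the algorithm token inside an OpenSSL suite name, e.g. the
# "DES" in "EDH-RSA-DES-CBC3-SHA" or the "3DES" in "PSK-3DES-EDE-CBC-SHA".
FORBIDDEN = re.compile(r"(?:^|-)(?:DES|3DES|IDEA|RC2)(?:-|$)")

# Constructed sample: a subset of the suites the quoted startup log lists
# under the default string ALL:!COMPLEMENTOFDEFAULT:!eNULL.
LOGGED_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA", "AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
    "IDEA-CBC-SHA", "PSK-3DES-EDE-CBC-SHA", "KRB5-IDEA-CBC-SHA",
]

def forbidden_suites(names):
    """Return the suites in *names* that still use a forbidden algorithm."""
    return [n for n in names if FORBIDDEN.search(n)]

def apply_exact_exclusions(names, excluded):
    """Model what '!<suite-name>' does: drop exactly the named suites, no more."""
    return [n for n in names if n not in excluded]

def resolve_cipher_string(cipher_string):
    """Ask the local OpenSSL which suites *cipher_string* selects, in order.

    Assumption: Aerospike hands cipher-suite to OpenSSL unchanged, so this is
    the list the server would negotiate from on a host with this OpenSSL.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

# The line from the thread removes only two exact suite names ...
EXACT = "ALL:!DES-CBC3-SHA:!IDEA-CBC-SHA"
# ... whereas algorithm keywords remove every suite built on the algorithm,
# and !aNULL keeps ALL from re-admitting the anonymous DH suites that
# COMPLEMENTOFDEFAULT excludes in the default string.
KEYWORDS = "ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!RC2"

if __name__ == "__main__":
    left = apply_exact_exclusions(LOGGED_SUITES, {"DES-CBC3-SHA", "IDEA-CBC-SHA"})
    print("forbidden suites still allowed by", EXACT, "->", forbidden_suites(left))
    print("forbidden suites left by", KEYWORDS, "->",
          forbidden_suites(resolve_cipher_string(KEYWORDS)))
```

The second list printed is the one to compare against the startup log on the actual server, since the suites available depend on the OpenSSL build Aerospike is linked against.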

Sorry for the late reply. Yes, I don’t see the cipher listing with the default cipher-suite configuration.

Not sure what would cause the Aerospike server to dump this list or not, but in any case, you should be able to get the default list from the OpenSSL library itself, which is what the Aerospike server would use:

https://www.openssl.org/docs/man1.1.0/man1/ciphers.html