Disable specific TLS cipher suites in Aerospike server configuration

We have an organization security requirement to disable and stop using DES, 3DES, IDEA or RC2 ciphers. How can we achieve this with Aerospike server-side configuration?

Do we have to enable cipher-suite in the network stanza? If we enable it, does it mean Aerospike allows or disallows those ciphers?

How do we list the ciphers currently allowed by Aerospike?

My understanding of the cipher-suite config param is that it allows for specifying both which ciphers to allow and which to disallow. I am not an expert, but based on some basic reading I had done, it seemed to have a syntax which allowed for exclusion and inclusion. Here is a page I think I looked up: https://www.openssl.org/docs/man1.0.2/man1/ciphers.html.

Thanks Meher for the info. Added the below line in the Aerospike conf file to block cipher suites DES* and IDEA*, and it is working fine:

network {
    tls {
        cipher-suite ALL:!DES-CBC3-SHA:!IDEA-CBC-SHA
    }
}

But I doubt ALL would cause any security issues? Is there a way to list the default cipher suites allowed by Aerospike?

Wouldn’t it depend on what is available on the system itself? So one can also control it through the OS, I would think. Oh, you can also check the list at server startup. The Aerospike daemon, I am pretty sure, does list all available ciphers when it starts up.

The Aerospike daemon lists ciphers during startup only when tls-cipher is configured in the .conf file. It doesn’t display ciphers when tls-ciphers is not enabled. I wonder which ciphers Aerospike allows or looks for when starting up with the default configuration, i.e. tls-cipher is not set in the .conf file.

Are you sure it doesn’t list any ciphers at startup when leaving the default cipher-suite configuration? I have seen output like this one (see below), but I haven’t looked recently, and maybe this would require enabling detail logging for the tls context at startup? I would have to check… here is an example from a version from last year:

...
Feb 13 2019 05:02:06 GMT: INFO (config): (cfg.c:3968)     cipher-suite ALL:!COMPLEMENTOFDEFAULT:!eNULL
...
...
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 1: ECDHE-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 2: ECDHE-ECDSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 3: ECDHE-RSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 4: ECDHE-ECDSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 5: ECDHE-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 6: ECDHE-ECDSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 7: DH-DSS-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 8: DHE-DSS-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 9: DH-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 10: DHE-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 11: DHE-RSA-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 12: DHE-DSS-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 13: DH-RSA-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 14: DH-DSS-AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 15: DHE-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 16: DHE-DSS-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 17: DH-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 18: DH-DSS-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 19: DHE-RSA-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 20: DHE-DSS-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 21: DH-RSA-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 22: DH-DSS-CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 23: ECDH-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 24: ECDH-ECDSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 25: ECDH-RSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 26: ECDH-ECDSA-AES256-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 27: ECDH-RSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 28: ECDH-ECDSA-AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 29: AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 30: AES256-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 31: AES256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 32: CAMELLIA256-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 33: PSK-AES256-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 34: ECDHE-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 35: ECDHE-ECDSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 36: ECDHE-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 37: ECDHE-ECDSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 38: ECDHE-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 39: ECDHE-ECDSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 40: DH-DSS-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 41: DHE-DSS-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 42: DH-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 43: DHE-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 44: DHE-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 45: DHE-DSS-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 46: DH-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 47: DH-DSS-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 48: DHE-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 49: DHE-DSS-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 50: DH-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 51: DH-DSS-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 52: DHE-RSA-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 53: DHE-DSS-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 54: DH-RSA-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 55: DH-DSS-SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 56: DHE-RSA-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 57: DHE-DSS-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 58: DH-RSA-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 59: DH-DSS-CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 60: ECDH-RSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 61: ECDH-ECDSA-AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 62: ECDH-RSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 63: ECDH-ECDSA-AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 64: ECDH-RSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 65: ECDH-ECDSA-AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 66: AES128-GCM-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 67: AES128-SHA256
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 68: AES128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 69: SEED-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 70: CAMELLIA128-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 71: PSK-AES128-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 72: ECDHE-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 73: ECDHE-ECDSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 74: EDH-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 75: EDH-DSS-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 76: DH-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 77: DH-DSS-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 78: ECDH-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 79: ECDH-ECDSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 80: DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 81: IDEA-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 82: PSK-3DES-EDE-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 83: KRB5-IDEA-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 84: KRB5-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 85: KRB5-IDEA-CBC-MD5
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 86: KRB5-DES-CBC3-MD5
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 87: ECDHE-RSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 88: ECDHE-ECDSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 89: ECDH-RSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 90: ECDH-ECDSA-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 91: RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 92: RC4-MD5
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 93: PSK-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 94: KRB5-RC4-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 95: KRB5-RC4-MD5
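As an added example (not code from the thread or from Aerospike), the following Python audit parses "cipher N: NAME" lines in the format of the startup listing above and shows why excluding two exact suite names, as in `ALL:!DES-CBC3-SHA:!IDEA-CBC-SHA`, is not enough for the stated policy: the listing still contains other 3DES and IDEA suites. It goes slightly beyond the question by also flagging RC4, which the listing shows as well; the sample log lines are a constructed subset of the listing, and the exclusion logic only handles exact `!NAME` terms (keyword terms such as `!3DES` are left to `openssl ciphers -v`).

```python
import re

# Constructed sample: a subset of the "cipher N: NAME" lines printed by the
# Aerospike daemon for the tls context at startup (format copied from the thread).
SAMPLE_LOG = """\
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 1: ECDHE-RSA-AES256-GCM-SHA384
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 72: ECDHE-RSA-DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 80: DES-CBC3-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 81: IDEA-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 82: PSK-3DES-EDE-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 83: KRB5-IDEA-CBC-SHA
Feb 13 2019 05:02:06 GMT: INFO (tls): (tls_ee.c:1075) cipher 91: RC4-SHA
"""

CIPHER_LINE = re.compile(r"\(tls\): .* cipher \d+: (\S+)")

# Name fragments identifying the forbidden algorithms in OpenSSL suite names.
# "DES-CBC3" and "3DES" denote triple DES; "DES-CBC-" denotes single DES.
WEAK_FRAGMENTS = {
    "3DES": ("DES-CBC3", "3DES"),
    "DES": ("DES-CBC-",),
    "IDEA": ("IDEA",),
    "RC2": ("RC2",),
    "RC4": ("RC4",),
}

def parse_startup_ciphers(log_text):
    """Return the suite names in the order the daemon listed them."""
    return [m.group(1) for m in map(CIPHER_LINE.search, log_text.splitlines()) if m]

def apply_exact_exclusions(suites, cipher_string):
    """Drop only suites named verbatim by a !NAME term. This is all that
    ALL:!DES-CBC3-SHA:!IDEA-CBC-SHA does; keyword terms are not expanded here."""
    excluded = {t[1:] for t in cipher_string.split(":") if t.startswith("!")}
    return [s for s in suites if s not in excluded]

def weak_suites(suites):
    """Map each suite that still uses a forbidden algorithm to that algorithm."""
    found = {}
    for s in suites:
        for algo, frags in WEAK_FRAGMENTS.items():
            if any(f in s for f in frags):
                found[s] = algo
                break
    return found

if __name__ == "__main__":
    listed = parse_startup_ciphers(SAMPLE_LOG)
    remaining = apply_exact_exclusions(listed, "ALL:!DES-CBC3-SHA:!IDEA-CBC-SHA")
    for suite, algo in weak_suites(remaining).items():
        print(f"still enabled: {suite} ({algo})")
```

Run it against the full startup log of a node to confirm the final cipher-suite string leaves no flagged suite; the real expansion of a cipher string is what `openssl ciphers -v '<string>'` prints on the same host.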