To keep data transmission secure, these two security aspects need to be addressed on the Storage Platform:
1. Vulnerable Storage Platform connections
- AccountServers and StorageServers do not accept SSL connections, only TLS.
- The insecure RC4 cipher should be blocked for connections to the Storage Platform. To disable all weak ciphers, including RC4, follow the steps as explained for SChannel vulnerabilities in FAQ article 556.
2. Vulnerable operating system configurations
The Storage Platform identifies vulnerable cipher suites allowed by the operating system and logs warnings on a daily basis in the Management Console's AccountServer log.
Note: The insecure ciphers typically shown in the logs are DHE-related, TripleDES, RC4, and MD5 ciphers. Here's an example:
12:45:59 Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59 Warn: TLS_RSA_WITH_RC4_128_SHA
12:45:59 Warn: TLS_RSA_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: TLS_RSA_WITH_RC4_128_MD5
12:45:59 Warn: SSL_CK_RC4_128_WITH_MD5
12:45:59 Warn: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA256
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA
Tip: Use the LogAnalyzer to view these entries in the log.
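The following Python example is added here and is not part of the Storage Platform or its LogAnalyzer: it groups the suites from these warnings by the reason they are weak, so each group can be checked off once it has been disabled. It assumes the AccountServer log is available as plain text in the line format shown above; the function names and the NULL-encryption and SSL 2.0 categories are this example's own.

```python
import re
from collections import defaultdict

# Line shape taken from the log excerpt above: "HH:MM:SS Warn: <text>".
LINE = re.compile(r"^\d{2}:\d{2}:\d{2} Warn: (.+?)\s*$")
HEADER = "known weak cipher suites"
SUITE = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")

# Name fragment -> reason. RC4, TripleDES, DHE and MD5 are the categories the
# note names; NULL encryption and SSL 2.0 (SSL_CK_) are added by this example.
REASONS = [("_RC4_", "RC4"), ("_3DES_", "TripleDES"), ("_DES_192_EDE3_", "TripleDES"),
           ("_DHE_", "DHE"), ("MD5", "MD5"), ("_NULL_", "NULL encryption"),
           ("SSL_CK_", "SSL 2.0")]

def classify(suite):
    """Return every reason the suite name matches, in REASONS order."""
    found = []
    for fragment, reason in REASONS:
        if fragment in suite and reason not in found:
            found.append(reason)
    return found or ["unclassified"]

def weak_suites(lines):
    """Group suites listed under the weak-cipher header by reason."""
    by_reason, in_block = defaultdict(list), False
    for raw in lines:
        m = LINE.match(raw.strip())
        text = m.group(1) if m else ""
        if HEADER in text:
            in_block = True            # suites follow on the next Warn lines
        elif in_block and SUITE.match(text):
            for reason in classify(text):
                if text not in by_reason[reason]:
                    by_reason[reason].append(text)   # de-duplicate daily repeats
        else:
            in_block = False           # any other line ends the list
    return dict(by_reason)

# Constructed sample in the format shown above (not a real log).
SAMPLE = """\
12:45:59 Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59 Warn: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: SSL_CK_RC4_128_WITH_MD5
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA
12:46:02 Warn: Constructed unrelated warning
12:46:03 Warn: TLS_RSA_WITH_RC4_128_SHA
""".splitlines()

if __name__ == "__main__":
    for reason, suites in sorted(weak_suites(SAMPLE).items()):
        print(f"{reason}: {', '.join(suites)}")
```

A suite can fall into more than one group, and a suite-like line that does not directly follow the weak-cipher header is ignored.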
To test for connection vulnerabilities:
- Go to: https://www.ssllabs.com/ssltest/
- Enter your Storage Platform's address in the Domain name box and click Submit.
The site will report any weaknesses.
Some vulnerabilities can be addressed by following the relevant steps below: