Atozed Forums
Ciphers - Printable Version



RE: Ciphers - Alexandre Machado - 05-25-2020

(05-21-2020, 12:38 AM)zsleo Wrote: One of my web apps is being PCI certified.

1. How do I restrict ciphers from being used?

For example, I want to disallow ciphers
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
.. and others

2. I have an auditor querying if we can prevent ECDH public server param reuse

Is this possible, and if so, how?


TIA


Regarding the ciphers in Http.sys, I recommend that you use a tool like the one mentioned by JSP, above. The GUI version is really simple and easy to use.
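
A scripted alternative to the GUI tool for the two suites named in the question, as an added example that is not part of the original thread. Http.sys takes its TLS settings from Schannel, so the change is system-wide; the sketch assumes Windows Server 2016 or later (where the TLS module's Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets exist) and an elevated session, and the function name and its -Apply switch are hypothetical.

```powershell
# Added example: audit, and optionally disable, Schannel cipher suites on a deny list.
# Assumes Windows Server 2016+ and an elevated PowerShell session.
function Disable-DeniedCipherSuite {
    param(
        # Suites to reject; defaults to the two named in the question above.
        [string[]]$DenyList = @(
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
        ),
        # Without -Apply the function only reports (safe on a production box).
        [switch]$Apply
    )

    # Names of all suites currently enabled, in priority order.
    $enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    $hits    = @($enabled | Where-Object { $DenyList -contains $_ })

    if ($hits.Count -eq 0) {
        Write-Host 'No denied cipher suites are enabled.'
        return
    }

    foreach ($name in $hits) {
        if ($Apply) {
            Write-Host "Disabling $name"
            Disable-TlsCipherSuite -Name $name
        } else {
            Write-Host "Would disable $name (re-run with -Apply)"
        }
    }

    if ($Apply) {
        # Re-read the list so the audit record shows the resulting state.
        $after = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
        $left  = @($after | Where-Object { $DenyList -contains $_ })
        if ($left.Count -gt 0) {
            Write-Warning "Still enabled: $($left -join ', ')"
        }
        Write-Host 'Enabled suites after change:'
        $after | ForEach-Object { Write-Host "  $_" }
    }
}

# Report only; add -Apply during the approved change window.
Disable-DeniedCipherSuite
```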


RE: Ciphers - Alexandre Machado - 05-26-2020

Do you know the virtualization software that is being used?

Our SSE 4.2 detection code is correct. Very likely your VM software is returning wrong results due to a cpuid instruction call....

Can you run this on it and see what you get? https://docs.microsoft.com/en-us/sysinternals/downloads/coreinfo


RE: Ciphers - zsleo - 05-26-2020

I will use that tool but it is a production server so we can only reboot it after 2 AM tomorrow.

I will report back.

I have a test server that is a Xeon 5160. Does Xeon 5160 support the algorithm?


RE: Ciphers - Alexandre Machado - 05-26-2020

The CoreInfo tool doesn't need a reboot. It is just something which retrieves the CPU information as reported by the VM. I just want you to execute it once, and grab that information so we can analyze it.


RE: Ciphers - zsleo - 05-26-2020

Just ran the app up on a Windows Server 2019 in Azure and it works very nicely.


RE: Ciphers - Alexandre Machado - 05-26-2020

Nice! I'm still interested to know the reason for that SSE 4.2 detection failure. As I mentioned, the detection code is in accordance with Intel recommendations, so I suspect that it was caused by the virtualization software.


RE: Ciphers - Alexandre Machado - 05-27-2020

In IW 15.2.0 released today, there is a new variable which allows you to bypass the SSE 4.2 compatibility check.

In your DPR File, before running your application just set

Example:


Code:
begin
  IWZLibExAPI.IgnoreSSE42Check := True;
  TIWStart.Execute(True);
end.



This will allow SSE 4.2 compression to be used regardless of the status obtained via cpuid instruction. You can use it when you are certain that SSE 4.2 is supported.


RE: Ciphers - zsleo - 05-27-2020

Thanks, Alexandre.

I am still waiting, because it is a PCI controlled environment, for approval to install and run the CoreInfo on the box.