Allied Telesis AlliedWare gui http server accepted cipher suites

Zulakis asked:

When configuring an AT-9924T switch running AlliedWare 2.9.2 to serve SSL encryption on the HTTP server as described in the manual like this:

    create enco key=0 type=rsa length=2048
    set system distinguishedname="cn=switch1,o=my_company,c=us"
    create pki certificate=cer_name keypair=0 serialnumber=12345 subject="cn=,o=my_company, c=us"
    add pki certificate=cer_name location=cer_name.cer trust=yes
    set http server security=on sslkey=0 port=443

It only allows two low-security ciphers which are not supported by any modern browsers (Firefox, Chrome, IE) anymore. The only browser I found which still does support them is IE6, which is not really an option.

  Supported Server Cipher(s):
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA

How can I configure the http server so it allows better ciphers which are supported by modern browsers?

My answer:

The manual you linked to says, in part:

A 3DES feature licence is required to use 3DES encryption.

So you can pay for this and get 168-bit 3DES. That’s probably about all you can do, but it really only would buy you a little time.

With a switch of this age, there probably isn’t much else you can do. Keep in mind, also, that there have been many attacks on SSL/TLS in the past few years, and this switch apparently can’t be brought up to date for any of them.

If it were me, I’d leave the web interface turned off, and put the switch on my list of things to be replaced.
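The following is an added example, not part of the original question or answer: a Python check that parses scan output in the format quoted in the question and lists why each accepted suite would fail a modern TLS policy. It goes beyond the two lines on the page by also handling `Preferred` lines and TLS protocol versions; the 128-bit floor, the weak-primitive list and the second sample are assumptions of the example.

```python
import re

# sslscan-style result line, e.g. "Accepted  SSLv3  56 bits   DES-CBC-SHA"
LINE_RE = re.compile(r"\s*(?:Accepted|Preferred)\s+(SSLv[23]|TLSv1(?:\.[0-3])?)\s+(\d+)\s+bits\s+(\S+)")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Components of OpenSSL cipher names that mark broken or deprecated primitives.
WEAK_PARTS = {"EXP", "NULL", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH"}
MIN_BITS = 128  # assumption: policy floor, not a value from the page

# The scan output quoted in the question.
PAGE_SCAN = """\
  Supported Server Cipher(s):
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
"""
# Constructed sample for contrast (not from the page).
CONSTRUCTED_SCAN = """\
    Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
    Rejected  SSLv3    128 bits  RC4-SHA
"""

def parse_accepted(scan_text):
    """Return (protocol, bits, cipher) for each suite the server accepted."""
    matches = (LINE_RE.match(line) for line in scan_text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in matches if m]

def findings(protocol, bits, cipher):
    """List the reasons one accepted suite fails the policy (empty = acceptable)."""
    reasons = []
    if protocol in WEAK_PROTOCOLS:
        reasons.append(f"deprecated protocol {protocol}")
    if bits < MIN_BITS:
        reasons.append(f"{bits}-bit key below {MIN_BITS}")
    reasons += [f"weak primitive {p}" for p in cipher.upper().split("-") if p in WEAK_PARTS]
    return reasons

def audit(scan_text):
    """Split accepted suites into acceptable ones and weak ones with reasons."""
    report = {"ok": [], "weak": {}}
    for proto, bits, cipher in parse_accepted(scan_text):
        why = findings(proto, bits, cipher)
        if why:
            report["weak"][f"{proto} {cipher}"] = why
        else:
            report["ok"].append(f"{proto} {cipher}")
    return report

if __name__ == "__main__":
    print(audit(PAGE_SCAN), audit(CONSTRUCTED_SCAN), sep="\n")
```

An empty `ok` list, as for the switch's output, means no accepted suite meets the policy, so no configuration of the listed suites can satisfy a current browser.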

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.