Enabling RC4 in cipher suites for Aspera server product is NOT recommended

Flash (Alert)

 

Abstract

The Bar Mitzvah Attack exploits a previously known vulnerability in the RC4 component of the SSL/TLS communication protocols. The exploit allows an attacker to partially decrypt information sent between two computer systems across a network. This can be a serious security issue because RC4 reportedly protects as much as 30 percent of Internet SSL traffic, and the decrypted material may include passwords, credit card numbers, browser cookies, etc.

For all of the Aspera client and mobile applications, the RC4 cipher is disabled by default, and this can't be changed. However, in some of our other applications, RC4 is disabled by default but can be enabled. This is a reminder NOT to enable RC4 cipher suites for the products listed below:

 

IBM Aspera Console Application

IBM Aspera Faspex Application

IBM Aspera Shares Application

IBM Aspera Orchestrator Application

 

Content

Aspera products by default disable RC4 cipher suites. If you have installed any of the following applications, you should verify that you have not enabled the RC4 cipher suites:

 

IBM Aspera Console Application

IBM Aspera Faspex Application

IBM Aspera Shares Application

IBM Orchestrator Application

 

Console, Faspex, Orchestrator

For Linux:  Open /opt/aspera/common/apache/conf/extra/httpd-ssl.conf

For Windows:  Open C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\extra\httpd-ssl.conf

Check that no RC4 ciphers appear on the SSLCipherSuite line.

To make sure your application does not accept RC4 cipher suites:

Add :!RC4 to the end of the SSLCipherSuite line, then restart Apache with:  asctl apache:restart

 

Shares

For Linux:  Open /opt/aspera/shares/etc/nginx/nginx.conf

For Windows:  Open C:\Shares\nginx\conf\nginx.conf

Check that no RC4 ciphers appear on the ssl_ciphers line.

To make sure your application does not accept RC4 cipher suites:

Add :!RC4 to the end of the ssl_ciphers line, then restart Nginx with:

/opt/aspera/shares/sbin/sv stop nginx

/opt/aspera/shares/sbin/sv start nginx
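
A static check of both configuration files for the state described above, as an added example that is not part of the original IBM document: it reads the SSLCipherSuite and ssl_ciphers lines and reports whether RC4 is explicitly enabled, permanently excluded with !RC4, or left unpinned. The function names, the three status labels and the sample configuration text are assumptions constructed for illustration.

```python
import re

# Directive names are the ones the page names: SSLCipherSuite (Apache), ssl_ciphers (nginx).
DIRECTIVE = re.compile(r"^\s*(SSLCipherSuite|ssl_ciphers)\s+(.+?)\s*;?\s*$", re.IGNORECASE)

def classify(cipher_string):
    """Return 'excluded', 'enabled' or 'unpinned' for one OpenSSL cipher string."""
    # OpenSSL accepts ':', ',' or whitespace between cipher-list tokens.
    tokens = [t for t in re.split(r"[:,\s]+", cipher_string.strip("\"'")) if t]
    # '!RC4' deletes every RC4 suite permanently, wherever it sits in the string.
    if "!RC4" in tokens:
        return "excluded"
    # A token with no '!', '-' or '+' prefix adds suites to the list. Conservative:
    # a later '-RC4' is not trusted, because a following token can re-add RC4.
    if any("RC4" in t for t in tokens if t[0] not in "!-+"):
        return "enabled"
    # No explicit RC4, but aliases such as ALL or MEDIUM can still include it
    # on older OpenSSL builds, so the page's ':!RC4' suffix is still missing.
    return "unpinned"

def scan(config_text):
    """Return (line_number, directive, status) for every active cipher directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line.split("#", 1)[0])  # drop comments
        if match:
            findings.append((number, match.group(1), classify(match.group(2))))
    return findings

# Constructed sample files, not copied from any Aspera installation.
SAMPLE_APACHE = """\
SSLEngine on
#SSLCipherSuite RC4-SHA:HIGH
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL
"""
SAMPLE_NGINX = """\
server {
    ssl_ciphers HIGH:MEDIUM:!aNULL:!MD5;
    ssl_ciphers "HIGH:!aNULL:!RC4";
}
"""

if __name__ == "__main__":
    for name, text in (("httpd-ssl.conf", SAMPLE_APACHE), ("nginx.conf", SAMPLE_NGINX)):
        for number, directive, status in scan(text):
            print(f"{name}:{number}: {directive} -> {status}")
```

A result of "enabled" or "unpinned" is the case where the fix on this page applies: append :!RC4 to that line and restart the web server.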
