TECADV004 - RC4 Deprecation Resulting in Browser Connection Error

Published: 04/20/2016
Summary
Starting with the 2016 releases of Chrome and Firefox, customers may receive a browser-generated error indicating that the connection to PingFederate was closed, refused, or reset.

Technical Details
Firefox and Chrome releases from early 2016 onward have the RC4 cipher disabled. Some PingFederate deployments have only RC4-based cipher suites enabled, typically because the other suites were disabled to mitigate earlier SSL/TLS vulnerabilities (see Interactions below). When one of these browsers connects to such a PingFederate instance, the two sides share no acceptable cipher suite, the handshake fails, and the browser presents a connection error instead of a page.
It is also possible that other suites are enabled but are likewise considered insecure by the browser, for example if PingFederate was never reconfigured to address the POODLE or Logjam vulnerabilities.

Affected Ping Identity Solutions
All PingFederate customers on versions prior to 7.3 are affected, most of all those on 6.8 and earlier because of the older cipher suites those versions ship with. Customers on PingFederate (PF) 6.9 through 7.2 are affected to a lesser extent, since those releases support newer ciphers. Customers on PF 7.3 and above with the default cipher configuration should not be affected, because the RC4 suites are disabled by default there; a 7.3 or later deployment whose cipher list was customized should still be checked.

Recommended Actions
The fix is to enable cipher suites that the browser still accepts, so that PingFederate and the browser share at least one acceptable suite.

CAUTION: the set of cipher suites that are enabled should be reviewed by a security expert to ensure that vulnerabilities are not introduced through this process. You may review the SunJCEManager.xml file (see below) in the latest PF release - PF 8.0 at the time of this announcement - to identify the set of suites that contain known vulnerabilities, and which are therefore commented out.
Depending upon the version of PingFederate and the JDK you are running, cipher suites that are enabled in the latest version of PingFederate may not be available for use in your deployment, as more suites have been made available in later JDK versions.

In addition, later versions of PingFederate enable certain cipher suites (for example the AES CBC suites) that are safe to use under TLS 1.0 or later but are exposed to POODLE when negotiated under SSLv3. They should not be enabled while SSLv3 is still allowed. See the POODLE Mitigation section below for more information.

To enable other ciphers, edit the file pingfederate/server/default/data/config-store/com.pingidentity.crypto.SunJCEManager.xml and uncomment lines that contain ciphers that do not expose you to other vulnerabilities.

For example, in a corrected file the RC4 suites stay commented out while the AES CBC suites are active:

        <!-- <con:item name="TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"/> RC4 insecure -->
        <!-- <con:item name="TLS_ECDHE_RSA_WITH_RC4_128_SHA"/> RC4 insecure -->
        <!-- <con:item name="SSL_RSA_WITH_RC4_128_SHA"/>  RC4 insecure -->
        <!-- <con:item name="TLS_ECDH_ECDSA_WITH_RC4_128_SHA"/> RC4 insecure -->
        <!-- <con:item name="TLS_ECDH_RSA_WITH_RC4_128_SHA"/> RC4 insecure -->
        <!-- <con:item name="SSL_RSA_WITH_RC4_128_MD5"/> RC4 insecure -->
        <con:item name="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
        <con:item name="TLS_RSA_WITH_AES_128_CBC_SHA"/>
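The edit above is done by hand, and the advisory's own advice is to have the resulting list reviewed. The script below is an added example, not Ping Identity code, that performs that review mechanically: it reads the `<con:item name="..."/>` entries in the style shown above, separates the active ones from those wrapped in `<!-- -->` comments, and flags active suites that this advisory says to avoid (RC4, MD5 MACs, NULL/anonymous/export suites, DHE suites on Java older than 8 because of Logjam, and CBC suites while SSLv3 is still enabled because of POODLE). The two XML fragments are constructed for the example and mimic the advisory's line style; they are not the real SunJCEManager.xml, and the root element and namespace URI are placeholders.

```python
"""Audit the cipher suites enabled in a PingFederate SunJCEManager.xml.

Added example, not Ping Identity code. It treats <con:item name="..."/>
entries outside XML comments as enabled and entries inside <!-- --> as
disabled, and flags enabled suites the advisory says to keep off.
"""
import re

# Constructed fragment of the "broken" kind the advisory describes: only
# RC4 suites and an AES-CBC-SHA256 suite are active; the AES-CBC-SHA suite
# browsers actually offer is commented out. Root element is a placeholder.
BROKEN_XML = """
<con:config xmlns:con="urn:constructed-example">
  <con:item name="SSL_RSA_WITH_RC4_128_SHA"/>
  <con:item name="SSL_RSA_WITH_RC4_128_MD5"/>
  <!-- <con:item name="TLS_RSA_WITH_AES_128_CBC_SHA"/> -->
  <con:item name="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
</con:config>
"""

# The same fragment after the fix: RC4 commented out, AES-CBC suites active.
FIXED_XML = """
<con:config xmlns:con="urn:constructed-example">
  <!-- <con:item name="SSL_RSA_WITH_RC4_128_SHA"/>  RC4 insecure -->
  <!-- <con:item name="SSL_RSA_WITH_RC4_128_MD5"/> RC4 insecure -->
  <con:item name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"/>
  <con:item name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
  <con:item name="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
  <con:item name="TLS_RSA_WITH_AES_128_CBC_SHA"/>
</con:config>
"""

_ITEM = re.compile(r'<con:item\s+name="([^"]+)"\s*/>')
_COMMENT = re.compile(r"<!--.*?-->", re.S)


def enabled_suites(xml_text):
    """Suites that are active: <con:item> elements outside any XML comment."""
    return _ITEM.findall(_COMMENT.sub("", xml_text))


def disabled_suites(xml_text):
    """Suites present in the file but commented out."""
    found = []
    for comment in _COMMENT.findall(xml_text):
        found.extend(_ITEM.findall(comment))
    return found


def weak_reasons(suite, java_major=8, sslv3_enabled=False):
    """Reasons, per the advisory, why this suite should stay disabled.

    java_major and sslv3_enabled describe the deployment: DHE suites are
    only acceptable once Java 8's jdk.tls.ephemeralDHKeySize can raise the
    DH size (Logjam), and CBC suites only once SSLv3 is off (POODLE).
    """
    reasons = []
    if "RC4" in suite:
        reasons.append("RC4: disabled in 2016 Chrome/Firefox")
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    if "_NULL_" in suite or "_anon_" in suite or "EXPORT" in suite:
        reasons.append("NULL, anonymous or export-grade suite")
    if "_DHE_" in suite and java_major < 8:
        reasons.append("DHE on Java < 8: DH key size cannot be raised (Logjam)")
    if "_CBC_" in suite and sslv3_enabled:
        reasons.append("CBC while SSLv3 is enabled: POODLE")
    return reasons


def audit(xml_text, java_major=8, sslv3_enabled=False):
    """Return {'enabled': [...], 'disabled': [...], 'weak': {suite: reasons}}."""
    enabled = enabled_suites(xml_text)
    weak = {}
    for suite in enabled:
        reasons = weak_reasons(suite, java_major, sslv3_enabled)
        if reasons:
            weak[suite] = reasons
    return {"enabled": enabled, "disabled": disabled_suites(xml_text), "weak": weak}


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        report = audit(text, java_major=7)
        print(label, "enabled:", report["enabled"])
        for suite, reasons in report["weak"].items():
            print("  WEAK", suite, "->", "; ".join(reasons))
```

Run it against a copy of the real file by reading the file into `audit()`; pass `java_major=7` or `sslv3_enabled=True` to match the deployment, and anything reported under `weak` is a suite to comment back out before restarting.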
Interactions
There are numerous known vulnerabilities that affect which cipher suites you can enable safely. Two notable recent ones, the POODLE and Logjam attacks, are described briefly below. Consult your own internal security team to choose the cipher suites to enable; this advisory cannot exhaustively list all potential vulnerabilities, and consultation with a security expert is advised.

POODLE Mitigation
To avoid the POODLE vulnerability, do not enable any CBC cipher suites unless SSLv3 is disabled.

For PingFederate 7.3 and later, SSLv3 has been disabled by default.

For PingFederate 6.9 through 7.2R2, SSLv3 can be disabled by adding a parameter to the SslContextFactory elements in etc/jetty-runtime.xml and etc/jetty-admin.xml for all nodes. In jetty-runtime.xml, replace the following (should appear twice, once for default port 9031 and once for default port 8443, the secondary listener):

<Arg>
  <New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory"></New>
</Arg>

with:

<Arg>
  <New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory">
    <!-- Excluded to mitigate POODLE attack -->
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>
</Arg>

and in jetty-admin.xml, replace:
 
<Arg>
  <New class="com.pingidentity.appserver.jetty.server.connector.ssl.AdminSslContextFactory"></New>
</Arg>

with:

<Arg>
  <New class="com.pingidentity.appserver.jetty.server.connector.ssl.AdminSslContextFactory">
    <!-- Excluded to mitigate POODLE attack -->
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>
</Arg>
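The edit above has to be repeated for every SslContextFactory in both files on every node, and a listener that is missed stays SSLv3-capable. The script below is an added example, not Ping Identity code: it applies the same change with xml.etree to every `<New class="...SslContextFactory">` element (whichever subclass), appends SSLv3 to an existing ExcludeProtocols array rather than adding a second one, and reports whether every factory is covered, so it can be re-run safely as a check. The XML fragment is a constructed, minimal stand-in with two listeners; the real jetty-runtime.xml and jetty-admin.xml carry more elements and a DOCTYPE header that ElementTree's tostring() does not reproduce, so review the output before writing it back over the original.

```python
"""Exclude SSLv3 from every SslContextFactory in a Jetty configuration file.

Added example, not Ping Identity code. It performs the edit the advisory
describes for etc/jetty-runtime.xml and etc/jetty-admin.xml on every
matching element and is idempotent.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for jetty-runtime.xml before the fix: two
# RuntimeSslContextFactory instances (one per listener), no exclusions.
SAMPLE_JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Arg>
    <New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory"></New>
  </Arg>
  <Arg>
    <New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory"></New>
  </Arg>
</Configure>
"""


def _ssl_factories(root):
    """Every <New class="...SslContextFactory"> element, whichever subclass."""
    return [el for el in root.iter("New")
            if el.get("class", "").endswith("SslContextFactory")]


def _exclude_setter(factory):
    """The <Set name="ExcludeProtocols"> child of a factory, or None."""
    for setter in factory.findall("Set"):
        if setter.get("name") == "ExcludeProtocols":
            return setter
    return None


def excluded_protocols(factory):
    """Protocol names already excluded on one factory."""
    setter = _exclude_setter(factory)
    if setter is None:
        return []
    return [item.text.strip() for item in setter.iter("Item") if item.text]


def sslv3_excluded_everywhere(xml_text):
    """True only if the file has SSL factories and each one excludes SSLv3."""
    factories = _ssl_factories(ET.fromstring(xml_text))
    return bool(factories) and all("SSLv3" in excluded_protocols(f) for f in factories)


def exclude_sslv3(xml_text):
    """Return (patched_xml, number_of_factories_changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for factory in _ssl_factories(root):
        if "SSLv3" in excluded_protocols(factory):
            continue  # already excluded: re-running changes nothing
        setter = _exclude_setter(factory)
        if setter is None:
            factory.append(ET.Comment(" Excluded to mitigate POODLE attack "))
            setter = ET.SubElement(factory, "Set", name="ExcludeProtocols")
        array = setter.find("Array")
        if array is None:
            array = ET.SubElement(setter, "Array", type="java.lang.String")
        ET.SubElement(array, "Item").text = "SSLv3"
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    patched, n = exclude_sslv3(SAMPLE_JETTY_XML)
    print("factories patched:", n)
    print("SSLv3 excluded everywhere:", sslv3_excluded_everywhere(patched))
    print(patched)
```

`sslv3_excluded_everywhere()` on its own is the useful post-change check across a cluster: read each node's jetty-runtime.xml and jetty-admin.xml and confirm it returns True for all of them before trusting that SSLv3 is off.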


For PingFederate 6.8 or prior, there is no configuration option to disable SSLv3. To disable SSLv3, and so safely enable the additional CBC ciphers, you must upgrade PingFederate to a more recent version. The only workaround short of upgrading is to terminate TLS on a load balancer or reverse proxy in front of PingFederate that presents a browser-supported set of protocols and ciphers.

Logjam Mitigation
To avoid the Logjam vulnerability (and browsers refusing connections that use a weak Diffie-Hellman group), either run on Java SE 8 (JDK 1.8.0) or do not enable any DHE cipher suites in pingfederate/server/default/data/config-store/com.pingidentity.crypto.SunJCEManager.xml (ECDHE suites are fine; see Note 1 at the bottom). On Java 8 you should also set the jdk.tls.ephemeralDHKeySize system property above its default of 1024 bits, for example -Djdk.tls.ephemeralDHKeySize=2048 in the JAVA_OPTS variable of run.sh on Linux, or in a wrapper.java.additional property of PingFederateService.conf for the Windows service.

Mitigation for Other Attacks
Please consult with your own internal security team to choose the appropriate cipher suites to enable; this technical advisory cannot exhaustively list all potential vulnerabilities. Consultation with a security expert is advised. 

Additional Alternatives
You can also increase the number of available ciphers by installing the JCE Unlimited Strength Jurisdiction Policy files. Per Oracle's guidance, the JCE policy files specify cryptographic restrictions appropriate for countries whose governments mandate them; users in those countries download the appropriate bundle and the JCE framework enforces the specified restrictions. Consult your export/import control counsel to determine the exact requirements that apply to you.
Ciphers at the top of com.pingidentity.crypto.SunJCEManager.xml (such as those using AES_256) may be enabled once the unlimited policy files are installed. A quick way to confirm which policy the PingFederate JVM is running under is javax.crypto.Cipher.getMaxAllowedKeyLength("AES"): it returns 128 under the default restricted policy and Integer.MAX_VALUE once the unlimited files are in place.

Changes to the com.pingidentity.crypto.SunJCEManager.xml file require a restart. In a cluster, this change should be made on the admin console, followed by a restart of the admin console, followed by a cluster management replication, followed by a restart of the runtime nodes.

Troubleshooting
Some versions of PingFederate shipped with certain *_CBC_SHA cipher suites disabled because of vulnerabilities that have since been corrected in the clients. Because Chrome offers the *_CBC_SHA suites but not the *_CBC_SHA256 variants (see the list below), you may have to enable them. For example, PingFederate 7.2.1 by default had TLS_RSA_WITH_AES_128_CBC_SHA256 enabled but TLS_RSA_WITH_AES_128_CBC_SHA disabled. With modern browsers it is likely safe to enable TLS_RSA_WITH_AES_128_CBC_SHA, but this may depend on your corporate infrastructure and standards; consult your security team if unsure.
At the time of writing, Chrome 48 on Windows 7 offers the following cipher suites in its ClientHello:
 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_FALLBACK_SCSV

Firefox 44 offers:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA

At least one of these suites must be enabled in com.pingidentity.crypto.SunJCEManager.xml for the browser to connect. Two caveats when reading the lists: TLS_FALLBACK_SCSV is a signalling value rather than a usable suite, and the *_ECDSA_* suites can only be selected if the PingFederate server certificate has an ECDSA key, so with the usual RSA certificate only the RSA, ECDHE_RSA and DHE_RSA suites are real candidates.

To see the list of suites a client offers, start the PingFederate JVM with the Java system property -Djavax.net.debug=ssl (or the narrower -Djavax.net.debug=ssl:handshake) in the JAVA_OPTS variable of run.sh on Linux, or in a wrapper.java.additional property of PingFederateService.conf for the Windows service. Some versions of PingFederate do not write this output to server.log, so you may have to run PingFederate interactively to see it. Do this only in a non-production environment, since the debug output significantly degrades performance and records handshake details in full.
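Once you have the server's enabled list and a browser's offered list, the question in the Troubleshooting section is simply whether they overlap, in the client's preference order and subject to the certificate-type caveat. The script below is an added example, not Ping Identity or browser code. The two browser lists are the Chrome 48 and Firefox 44 lists quoted above. The log excerpt is a constructed sample in the style of the ClientHello block that -Djavax.net.debug=ssl prints on Java 7/8, not output captured from a real PingFederate server; only its "Cipher Suites: [...]" line is parsed, so the other lines are illustrative. The function and constant names are the example's own.

```python
"""Which cipher suites can a browser and PingFederate agree on?

Added example, not Ping Identity or browser code. Browser lists are the
ones quoted in this advisory; the debug-log sample is constructed.
"""
import re

CHROME_48 = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_FALLBACK_SCSV",
]
FIREFOX_44 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed sample of a JSSE debug ClientHello block (Java 7/8 style).
SAMPLE_DEBUG_LOG = """\
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455000000 bytes = { 12, 34, 56 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
***
"""

_CLIENT_HELLO = re.compile(r"\*\*\* ClientHello.*?Cipher Suites:\s*\[([^\]]*)\]", re.S)


def offered_suites(debug_log):
    """One list of suites per ClientHello found in a javax.net.debug dump."""
    return [[s.strip() for s in body.split(",") if s.strip()]
            for body in _CLIENT_HELLO.findall(debug_log)]


def required_cert_type(suite):
    """Key type the server certificate needs for this suite to be selectable.

    Simplification: *_ECDSA_* suites need an ECDSA certificate, anything
    with _RSA_ needs an RSA one; static ECDH, DSS and anonymous suites are
    not special-cased and return None (treated as selectable).
    """
    if "_ECDSA_" in suite:
        return "ECDSA"
    if "_RSA_" in suite:
        return "RSA"
    return None


def negotiable(server_enabled, client_offered, cert_key_type="RSA"):
    """Suites both sides support and the server could actually select,
    in the client's preference order. TLS_FALLBACK_SCSV is a signalling
    value, not a suite, and is skipped."""
    enabled = set(server_enabled)
    return [s for s in client_offered
            if s != "TLS_FALLBACK_SCSV" and s in enabled
            and required_cert_type(s) in (None, cert_key_type)]


def browser_report(server_enabled, cert_key_type="RSA"):
    """Per browser, the suites it could negotiate. An empty list is the
    'connection closed / reset' failure this advisory is about."""
    return {
        "Chrome 48": negotiable(server_enabled, CHROME_48, cert_key_type),
        "Firefox 44": negotiable(server_enabled, FIREFOX_44, cert_key_type),
    }


if __name__ == "__main__":
    # Constructed server lists shaped like the 7.2.1 case in Troubleshooting:
    # the SHA256 CBC suite on and the plain SHA one off, then the fix applied.
    before = ["TLS_RSA_WITH_AES_128_CBC_SHA256", "SSL_RSA_WITH_RC4_128_SHA"]
    after = before + ["TLS_RSA_WITH_AES_128_CBC_SHA",
                      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
    for label, enabled in (("before", before), ("after", after)):
        print(label, browser_report(enabled))
    print("from debug log:", negotiable(after, offered_suites(SAMPLE_DEBUG_LOG)[0]))
```

Feed `offered_suites()` the real debug output and `negotiable()` the real enabled list from SunJCEManager.xml; an empty result for a browser reproduces the advisory's failure before anyone has to click through a connection error in that browser.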

Note 1: Previous versions of this KB article reflected the availability of Java 7u85. This was the last "public" release available at the time of this article's original publication. It was pulled from Oracle's "public" downloads due to CVE-2015-4871. As the CVE was published after Oracle's end of public updates for Java 7, we cannot recommend a version of Java 7 for use that has the ability to set the jdk.tls.ephemeralDHKeySize parameter. As such, the "Logjam Mitigation" section was updated to reflect that with versions less than 8, the only option is to disable the DHE ciphers.
Category: PingFederate