Nav

Agent Security: Disabled Weak Ciphers

Agents receive connection requests from the Mule Management Console, the graphical tool that you can use to monitor and control Mule servers and applications. For security reasons, starting from 3.3.1, the Mule agent rejects connections that use weak ciphers. Even if an agent will only accept connections from an authorized Management Console, disabled weak ciphers are a useful feature if the environment is subjected to security audits, such as automated audits for PCI compliance.

This document refers to the Agent that communicates Mule Runtimes to the Mule Management Console, not to the one that communicates Mule Runtimes to the Runtime Manager

Disabled Ciphers

The following ciphers are disabled by default:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

Adding or Removing Disabled Ciphers

Disabled ciphers are configured in the file mmc-support-app/WEB-INF/web.xml. This file is located inside the jar file $MULE_HOME/lib/mule/mmc-agent-impl-3.4.jar.

To add or remove ciphers, unpack mmc-agent-impl-3.4.jar into a folder structure and edit web.xml.

Configuration is controlled by the excludedCipherSuites parameter:


         
      
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<context-param>
        <param-name>excludedCipherSuites</param-name>
        <param-value>
            SSL_RSA_WITH_RC4_128_MD5,
            SSL_RSA_WITH_RC4_128_SHA,
            SSL_RSA_WITH_3DES_EDE_CBC_SHA,
            SSL_DHE_RSA_WITH_DES_CBC_SHA,
            SSL_DHE_DSS_WITH_DES_CBC_SHA,
            SSL_RSA_WITH_DES_CBC_SHA,
            SSL_DHE_RSA_WITH_DES_CBC_SHA,
            SSL_DHE_DSS_WITH_DES_CBC_SHA,
            SSL_RSA_EXPORT_WITH_RC4_40_MD5,
            SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
            SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
            SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        </param-value>
    </context-param>

After modifying web.xml, repack the folders and files into mmc-agent-mule3-impl-3.3.x.jar, overwriting the original .jar file. Then, restart Mule for the changes to take effect.

Testing Ciphers

To test whether the agent accepts weak ciphers, you can use openssl, the open source toolkit for SSL and TLS.

From a terminal, run the following command:

openssl s_client -connect <host>:<port> -cipher LOW

If the agent does not accept weak ciphers, the command should return an error similar to the following:


         
      
1
2
CONNECTED(00000003)
1679:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_clnt.c:607: