Agents receive connection requests from the Mule Management Console, the graphical tool that you can use to monitor and control Mule servers and applications. For security reasons, starting from 3.3.1, the Mule agent rejects connections that use weak ciphers. Even though an agent only accepts connections from an authorized Management Console, disabling weak ciphers is useful when the environment is subject to security audits, such as automated audits for PCI compliance.
Note: This document refers to the agent that connects Mule runtimes to the Mule Management Console, not to the agent that connects Mule runtimes to Runtime Manager.
The following ciphers are disabled by default:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Disabled ciphers are configured in the file mmc-support-app/WEB-INF/web.xml. This file is located inside the jar file $MULE_HOME/lib/mule/mmc-agent-impl-3.4.jar.
To add or remove ciphers, unpack mmc-agent-impl-3.4.jar into a folder structure and edit web.xml.
Configuration is controlled by the excludedCipherSuites parameter, a comma-separated list of cipher suite names:
<context-param>
    <param-name>excludedCipherSuites</param-name>
    <param-value>
        SSL_RSA_WITH_RC4_128_MD5,
        SSL_RSA_WITH_RC4_128_SHA,
        SSL_RSA_WITH_3DES_EDE_CBC_SHA,
        SSL_DHE_RSA_WITH_DES_CBC_SHA,
        SSL_DHE_DSS_WITH_DES_CBC_SHA,
        SSL_RSA_WITH_DES_CBC_SHA,
        SSL_DHE_RSA_WITH_DES_CBC_SHA,
        SSL_DHE_DSS_WITH_DES_CBC_SHA,
        SSL_RSA_EXPORT_WITH_RC4_40_MD5,
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    </param-value>
</context-param>
After modifying web.xml, repack the folders and files into mmc-agent-mule3-impl-3.3.x.jar, overwriting the original .jar file. Then, restart Mule for the changes to take effect.
To test whether the agent accepts weak ciphers, you can use openssl, the open source toolkit for SSL and TLS. The -cipher LOW option restricts the client to low-strength suites, so a handshake that fails shows the agent is not offering them.
From a terminal, run the following command:
openssl s_client -connect <host>:<port> -cipher LOW
If the agent does not accept weak ciphers, the command should return an error similar to the following:
CONNECTED(00000003)
1679:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_clnt.c:607: