
Tuesday, August 13, 2019

Enable CBC Ciphers in B2Bi v5.2.6.4, B2Bi v6.0, SFG v2.2.6.4 and SFG v6.0

Some IBM Sterling B2B Integrator (SI) customers want to avoid SSH handshakes that use a CBC cipher, because CBC mode in SSH is vulnerable. The advisory at http://www.kb.cert.org/vuls/id/958563 explains the CBC cipher weakness and recommends a CTR cipher in place of a CBC cipher. However, in SI versions 5020602 and 5020603 the maverick library (the third-party API used for SSH/SFTP) is version 1.4.60, which requires that a CBC cipher be present on the client side. Disabling CBC support with the security property supportCBCCiphers=false therefore causes SFTP communication with key-based authentication to fail.

To enforce the use of a CTR cipher in SI, we have introduced two new properties: SSHServerCipherList and SSHClientCipherList.
a) security.SSHServerCipherList restricts the list of server-side ciphers. In the SFTP Server adapter, the "Preferred Cipher" drop-down will offer the values specified in this property.
b) security.SSHClientCipherList restricts the list of client-side ciphers. In the SSH Remote Profile configuration, the "Preferred Cipher" drop-down will offer the values specified in this property.
The fix also requires the property security.supportCBCCiphers to be set to true in customer_overrides.properties.
This is how it works:
1. On the server side, the SFTP Server Adapter can be restricted to "ctr" ciphers by setting the property value to
   security.SSHServerCipherList=aes128-ctr,aes192-ctr,aes256-ctr
   This restricts clients to communicating only with "ctr" ciphers.
2. On the client side, the Business Process should allow both "cbc" and "ctr" ciphers by setting the property value to
   security.SSHClientCipherList=aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
   The PreferredCipher in the BP should also be set to a "ctr" value. This ensures that the communication takes place with a "ctr" cipher.

3. The external client should ensure that it communicates with the server adapter using a "ctr" cipher.

If there is a mismatch between the client-side and server-side ciphers, the SFTP Client Begin Session Service should display an error message such as: Failed to negotiate a transport component [aes128-cbc,aes192-cbc,aes256-cbc] [aes256-ctr,aes128-ctr,aes192-ctr] [Unknown cause]:SSH_DISCONNECT_BY_APPLICATION:SFTP session channel closed by server.

NOTE: This fix is available only as a custom iFix for SI versions 5020602 and 5020603. The changes are NOT available in the product.
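As an added example (not from the IBM post or the product), the following Python script reads the two cipher-list properties as they would appear in customer_overrides.properties and applies the SSH algorithm negotiation rule from RFC 4253 section 7.1, so the mismatch behind the error above can be reproduced on paper before a live adapter is changed. The property names are the ones described above; the properties fragment, the parser and the check function are assumptions of this example.

```python
from typing import Dict, List, Optional

# Constructed customer_overrides.properties fragment: the property names are the
# ones the post describes, the values are the sample lists it gives.
SAMPLE_PROPERTIES = """\
security.supportCBCCiphers=true
security.SSHServerCipherList=aes128-ctr,aes192-ctr,aes256-ctr
security.SSHClientCipherList=aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def cipher_list(props: Dict[str, str], key: str) -> List[str]:
    """Split a comma-separated cipher property into an ordered name-list."""
    return [c.strip() for c in props.get(key, "").split(",") if c.strip()]

def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen cipher is the first entry of the client's
    list that the server also offers; None means the negotiation fails."""
    return next((c for c in client if c in server), None)

def cbc_ciphers(ciphers: List[str]) -> List[str]:
    """Names ending in '-cbc' are the CBC-mode ciphers the post wants avoided."""
    return [c for c in ciphers if c.endswith("-cbc")]

def check(props: Dict[str, str]) -> Dict[str, object]:
    """Report what the configured lists would negotiate and where CBC is still offered."""
    server = cipher_list(props, "security.SSHServerCipherList")
    client = cipher_list(props, "security.SSHClientCipherList")
    return {
        "negotiated": negotiate(client, server),
        "server_offers_cbc": cbc_ciphers(server),
        "client_offers_cbc": cbc_ciphers(client),
    }
```

With the sample lists the client keeps its CBC entries (as maverick 1.4.60 requires) but "aes128-ctr" is negotiated because it comes first in the client list; a client list made only of CBC names against the CTR-only server list yields no common cipher, which is the failure the error message reports.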

https://www.ibm.com/developerworks/community/blogs/2f9ef931-1ac3-4d9b-a8ca-6e3f01b13889/entry/IBM_Sterling_B2B_Integrator_Enforce_CTR_Cipher_in_SFTP_Communication?lang=en


Thursday, March 21, 2019

Generate a Self-Signed Certificate with SHA512

# Generate a 2048-bit RSA key (unencrypted, -nodes) and a self-signed certificate signed with SHA-512, valid 365 days
openssl req -newkey rsa:2048 -sha512 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# Print the certificate in text form to verify the signature algorithm and validity
openssl x509 -text -noout -in certificate.pem
# Bundle the key and certificate into a PKCS#12 file (prompts for an export password)
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
# Show the PKCS#12 contents and encryption details (prompts for the import password)
openssl pkcs12 -in certificate.p12 -noout -info
# Extract only the certificate (no private key) from the PKCS#12 file, written as PEM despite the .cer extension
openssl pkcs12 -in /tmp/certificate.p12 -nokeys -out sirish_test.cer

Friday, November 2, 2018

Sterling Integrator User, Workflow Queries

Active Workflows in Sterling Integrator

-- Oracle syntax: sysdate - START_T gives the elapsed time in days (fractional)
select DISTINCT NAME , WC2.WORKFLOW_ID, sysdate - START_T AS TIMEDIFF
From WORKFLOW_CONTEXT WC,
(
-- latest step and earliest start time per workflow instance
SELECT MAX(STEP_ID) STEP_ID , MIN(START_TIME) START_T, WORKFLOW_ID
FROM WORKFLOW_CONTEXT
GROUP BY WORKFLOW_ID
) WC2,
WFD
WHERE WC.WORKFLOW_ID = WC2.WORKFLOW_ID
AND WC.STEP_ID = WC2.STEP_ID
-- NEXT_AI_ID = -1 marks a finished workflow, so exclude those
AND WC.NEXT_AI_ID != -1
AND WC.WFD_ID = WFD.WFD_ID
AND WC.WFD_VERSION = WFD.WFD_VERSION
AND BASIC_STATUS = 0

Sterling Integrator User & User Associated Groups List

-- one row per user/group membership, via the YFS_USER_GROUP_LIST link table
select YFS_USER.LOGINID, YFS_USER_GROUP.USERGROUP_NAME from YFS_USER, YFS_USER_GROUP, YFS_USER_GROUP_LIST
where YFS_USER.USER_KEY=YFS_USER_GROUP_LIST.USER_KEY
and YFS_USER_GROUP.USERGROUP_KEY=YFS_USER_GROUP_LIST.USERGROUP_KEY