KB Article #178095

API Gateway and SWEET32 (CVE-2016-2183)

Problem

* A 'birthday attack' against 64-bit block ciphers called SWEET32 (CVE-2016-2183) has been identified that can work in conjunction with known plaintext to compromise things like HTTP session cookies.

Resolution

-- As explained on the OpenSSL site, this is a problem with 64-bit block ciphers in general and DES and 3DES in particular, rather than any particular implementation thereof, and the ciphers themselves are no longer secure and must not be used. So the only way to secure an SSL port is to remove the DES and 3DES ciphers. Modern versions of the gateway already exclude these by default, but older versions and SSL ports where the ciphers have been manually configured may not.


In general, adding :!DES:!3DES to the end of any OpenSSL cipher string will remove both classes of cipher. You can check the ciphers enabled by a cipher string by running openssl ciphers -V "YOUR_CIPHER_STRING" on your gateway's version of OpenSSL, which is OpenSSL 1.0.1 for 7.2.4-7.4.2. Refer to the OpenSSL ciphers documentation for more information on crafting OpenSSL cipher strings.