Over the past few years, browsers such as Chrome or Firefox have started dropping support for parts of SSL/TLS that have known vulnerabilities – vulnerabilities that can break the encryption. The issue this post deals with is that the IETF has prohibited the use of RC4.
Now, what happens if you need to access something via HTTPS, say an AudioCodes device that uses the RC4 cipher? You will probably be presented with an error such as this one in Chrome: “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”. This is effectively saying that the browser does not support any of the ciphers offered by the HTTPS server.
At this point we have two options:
- Install an older browser that supports RC4 (please don’t do this, it’s disabled for a reason).
- Change the cipher suite on the AudioCodes to support a cipher other than RC4.
Enabling Another Cipher
Let’s go with option 2, shall we?
- As we cannot browse to the device, we will need to SSH (or Telnet if SSH is disabled) to the Mediant instead. You should be able to log in using the same credentials you use via the webpage.
- From the prompt, enter enable mode and enter the enable password (by default this is “Admin”).
- If you are in enable mode you will now have a “#” at the end of the prompt.
Mediant VE SBC> en
Password:
Mediant VE SBC#
- We now enter the system configuration.
Mediant VE SBC# conf system
- Then go into the web server configuration.
Mediant VE SBC(config-system)# web
- Change the HTTPS cipher string to “RC4:AES128” – this is the default string on newer builds of AudioCodes software. It is in OpenSSL format and adds AES128 in addition to RC4.
Mediant VE SBC(web)# https-cipher-string RC4:AES128
Note: Changes will take effect after reset.
- Exit the web configuration and exit system configuration.
Mediant VE SBC(web)# exit
Mediant VE SBC(config-system)# exit
- Now go into the voip configuration.
Mediant VE SBC# configure voip
- Then enter tls configuration (if this is not found you might be on an older build and will need to find this under system configuration).
Mediant VE SBC(config-voip)# tls
- Change the server ciphers to match the HTTPS ciphers.
Mediant VE SBC(tls-0)# ciphers-server RC4:AES128
- Exit the tls and voip configuration.
Mediant VE SBC(tls-0)# exit
Mediant VE SBC(config-voip)# exit
- Reload (reboot) the system for changes to take effect.
Mediant VE SBC# reload now
After the reboot you should now be able to log in via HTTPS.
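To see why the browser refused an RC4-only string and accepts “RC4:AES128”, the following added example (not part of the original post or AudioCodes tooling) expands an OpenSSL-format cipher string with the local OpenSSL and can probe the device after the reload. The function names and the 192.0.2.10 address are placeholders chosen for illustration.

```python
import socket
import ssl


def expand(cipher_string):
    """Suites (TLS 1.2 and earlier) the local OpenSSL selects for an
    OpenSSL-format cipher string; [] if the string selects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # e.g. "RC4" on an OpenSSL build compiled without RC4
    # TLS 1.3 suites are configured separately from the cipher string,
    # so they are left out of the comparison.
    return [c["name"] for c in ctx.get_ciphers()
            if c.get("protocol") != "TLSv1.3"
            and not c["name"].startswith("TLS_")]


def non_rc4(cipher_string):
    """Suites from the string that a client with RC4 removed can still use."""
    return [name for name in expand(cipher_string) if "RC4" not in name]


def probe(host, cipher_string="AES128", port=443, timeout=5.0):
    """Handshake with host offering only cipher_string; return the negotiated
    suite name, or None if the handshake fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # cipher check only, no data is exchanged
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # let the string decide
    ctx.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


if __name__ == "__main__":
    for s in ("RC4", "RC4:AES128"):
        print(f"{s!r}: {len(non_rc4(s))} suite(s) left for a client without RC4")
    # Placeholder address; replace with the device's management IP.
    print("negotiated:", probe("192.0.2.10"))
```

An RC4-only string leaves nothing in common with a client that has removed RC4, which is what the Chrome error reports; after the change, probe() should return an AES128 suite name.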