Contact Us 1-800-596-4880
  1. Homepage
  2. Mule Runtime (3.6)
  3. Shared Resources
  4. Mule Agents

  5. Agent Security: Disabled Weak Ciphers

Agent Security: Disabled Weak Ciphers

Mule Runtime Engine versions 3.5, 3.6, and 3.7 reached End of Life on or before January 25, 2020. For more information, contact your Customer Success Manager to determine how you can migrate to the latest Mule version.

Agents receive connection requests from the Mule Management Console, the graphical tool that you can use to monitor and control Mule ESB servers and applications. For security reasons, starting from 3.3.1, the Mule agent rejects connections that use weak ciphers. Even if an agent will only accept connections from an authorized Management Console, disabled weak ciphers are a useful feature if the environment is subjected to security audits, such as automated audits for PCI compliance.

Disabled Ciphers

The following ciphers are disabled by default:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

Adding or Removing Disabled Ciphers

Disabled ciphers are configured in the file mmc-support-app/WEB-INF/web.xml. This file is located inside the jar file $MULE_HOME/lib/mule/mmc-agent-impl-3.4.jar.

To add or remove ciphers, unpack mmc-agent-impl-3.4.jar into a folder structure and edit web.xml.

Configuration is controlled by the excludedCipherSuites parameter:

<context-param>
        <param-name>excludedCipherSuites</param-name>
        <param-value>
            SSL_RSA_WITH_RC4_128_MD5,
            SSL_RSA_WITH_RC4_128_SHA,
            SSL_RSA_WITH_3DES_EDE_CBC_SHA,
            SSL_DHE_RSA_WITH_DES_CBC_SHA,
            SSL_DHE_DSS_WITH_DES_CBC_SHA,
            SSL_RSA_WITH_DES_CBC_SHA,
            SSL_DHE_RSA_WITH_DES_CBC_SHA,
            SSL_DHE_DSS_WITH_DES_CBC_SHA,
            SSL_RSA_EXPORT_WITH_RC4_40_MD5,
            SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
            SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
            SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        </param-value>
    </context-param>

After modifying web.xml, repack the folders and files into mmc-agent-mule3-impl-3.3.x.jar, overwriting the original .jar file. Then, restart Mule for the changes to take effect.

Testing Ciphers

To test whether the agent accepts weak ciphers, you can use openssl, the open source toolkit for SSL and TLS.

From a terminal, run the following command:

openssl s_client -connect <host>:<port> -cipher LOW

If the agent does not accept weak ciphers, the command should return an error similar to the following:

CONNECTED(00000003)
1679:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_clnt.c:607: