
The death of RC4 – here comes armageddon…

The newest Java can cause some problems with your tools now that SSL is a thing of the past. Earlier this week some of the browser developers officially retired SSLv3 in favour of TLS, and it has already started to cause issues. I upgraded to the newest Java this week only to find that my Cisco ASA interface no longer works. With Java 7 I had already added the website to the exception list in the Security tab, so my upgrade should have been relatively flawless, as it has been throughout the 8 series of the JRE. Unfortunately this was not the case…

I suspected that the self-signed certificate I created to manage the router through the Adaptive Security Device Manager (ASDM) might be incompatible, and on reviewing it I saw that it used SHA1 as the signature algorithm. That should only have caused issues if I was strictly using the browser to log in, but since I was using the ASDM this was not the case… hmmm.

The problem was simpler than that: RC4-SHA1 was the only active algorithm enabled under Configuration > Device Management > Advanced > SSL Settings on my router. Since the new Java update 1.8.51 no longer supports RC4 (Oracle and the rest of the community consider it weak and compromised, since it can be brute forced now), you get an error when trying to connect to the ASDM if you are only using RC4. If I could add AES128-SHA1 to the list of algorithms in use I would expect it to work, but I cannot add it using the ASDM (I got an error, which is probably why I did not add it previously).

Adding the new algorithms must be done from the command line. Once I added a new cipher I was able to log in again on my Windows 8 machine after upgrading Java. I hope this can help you resolve any issues you might have on other devices after upgrading your Java runtime environment. I would encourage you to take this time to verify all of your existing web-based HTTPS management portals. I suspect that we will all have a great deal of problems connecting to older systems. It's a good time to check whether the vendor has newer firmware that will support the changes (if the devices are still supported), and if not, it might be time to replace those old printers, telco gateways, etc. Using an older device that only supports RC4 might represent a risk to your organization if you have any shared usernames/passwords on those devices and they are breached.
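The failure described above is an empty intersection between what the ASA offers and what the Java client will still accept. The following is an added example (not code from the post or from Cisco or Oracle) that makes that check explicit: it parses the `jdk.tls.disabledAlgorithms` property from a constructed `java.security` fragment, parses the `ssl encryption` line from a constructed ASA running-config, reports which suites can still be negotiated, and builds a corrected `ssl encryption` line that puts non-RC4 ciphers ahead of the existing one. The assumption that Java 8u51 lists `RC4` in that property by default, the ASA keyword-to-suite mapping, and the sample inputs are all assumptions of this example, not facts taken from the page.

```python
import re
from typing import Dict, List, Set, Tuple

# --- Constructed sample inputs (not taken from any real device or JRE) ---

# Fragment of a JRE's lib/security/java.security. The RC4 entry is what this
# example assumes Java 8u51 added by default; the other entries are illustrative.
JAVA_SECURITY_SAMPLE = """\
# constructed java.security fragment
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""

# The ASA "ssl encryption" line as the post describes it (RC4 only), and a
# corrected line that adds AES suites in front of it.
ASA_CONFIG_BROKEN = "ssl encryption rc4-sha1\n"
ASA_CONFIG_FIXED = "ssl encryption aes128-sha1 aes256-sha1 rc4-sha1\n"

# ASA cipher keyword -> (TLS suite name, algorithm tokens Java checks against).
# Keywords follow the ASA "ssl encryption" syntax; token spellings follow the
# java.security convention. This mapping is an assumption of the example.
ASA_CIPHER_INFO: Dict[str, Tuple[str, Set[str]]] = {
    "rc4-md5":     ("TLS_RSA_WITH_RC4_128_MD5",      {"RSA", "RC4", "MD5"}),
    "rc4-sha1":    ("TLS_RSA_WITH_RC4_128_SHA",      {"RSA", "RC4", "SHA1"}),
    "3des-sha1":   ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", {"RSA", "3DES_EDE_CBC", "SHA1"}),
    "aes128-sha1": ("TLS_RSA_WITH_AES_128_CBC_SHA",  {"RSA", "AES_128_CBC", "SHA1"}),
    "aes256-sha1": ("TLS_RSA_WITH_AES_256_CBC_SHA",  {"RSA", "AES_256_CBC", "SHA1"}),
}


def parse_disabled_algorithms(java_security_text: str) -> Set[str]:
    """Return the algorithm names listed in jdk.tls.disabledAlgorithms.

    Backslash line continuations are joined first. An entry may carry a
    constraint ("DH keySize < 768"); only the leading algorithm name is kept,
    which is enough to decide whether a whole suite is blocked outright.
    """
    joined = re.sub(r"\\\n\s*", "", java_security_text)
    m = re.search(r"^\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$", joined, re.M)
    if not m:
        return set()
    return {entry.strip().split()[0] for entry in m.group(1).split(",") if entry.strip()}


def parse_asa_ssl_encryption(running_config: str) -> List[str]:
    """Return the cipher keywords from the ASA 'ssl encryption' line, in order."""
    m = re.search(r"^ssl encryption\s+(.+?)\s*$", running_config, re.M)
    return m.group(1).split() if m else []


def negotiable_suites(asa_keywords: List[str], disabled: Set[str]) -> List[str]:
    """Suites the ASA offers that a Java client with 'disabled' can still use.

    Unknown keywords are treated conservatively as unusable.
    """
    usable = []
    for kw in asa_keywords:
        info = ASA_CIPHER_INFO.get(kw)
        if info is not None and info[1].isdisjoint(disabled):
            usable.append(info[0])
    return usable


def suggested_ssl_encryption(asa_keywords: List[str], disabled: Set[str]) -> str:
    """Build an 'ssl encryption' line that adds every known cipher the client
    still accepts ahead of what is already configured, so a match exists."""
    additions = [kw for kw, (_, tokens) in ASA_CIPHER_INFO.items()
                 if tokens.isdisjoint(disabled) and kw not in asa_keywords]
    return "ssl encryption " + " ".join(additions + asa_keywords)


if __name__ == "__main__":
    disabled = parse_disabled_algorithms(JAVA_SECURITY_SAMPLE)
    for label, cfg in (("broken", ASA_CONFIG_BROKEN), ("fixed", ASA_CONFIG_FIXED)):
        offered = parse_asa_ssl_encryption(cfg)
        print(label, "offers", offered, "-> negotiable:", negotiable_suites(offered, disabled))
    print("suggested:", suggested_ssl_encryption(parse_asa_ssl_encryption(ASA_CONFIG_BROKEN), disabled))
```

Run against a real `java.security` and `show running-config ssl` output, the same two parsers give a quick inventory answer for each management portal: if `negotiable_suites` returns an empty list, the post-upgrade client will fail before any certificate check happens, which is why the SHA1 certificate was a red herring here.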
