Topic
2 replies Latest Post - ‏2012-08-27T21:01:20Z by SystemAdmin
KirkBeaty
KirkBeaty
4 Posts
ACCEPTED ANSWER

Pinned topic Vulnerability Scan Exceptions with https config -- Weak Cipher session Keys

‏2012-08-08T15:42:37Z |
Have this in zero.config:

/config/https/port = 81
/config/https/sslconfig = {
"keyStore" : "config/keystore",
"keyStorePassword" : "<xor>PD4ybG1uPjsyNjE=",
"keyStoreType" : "JKS"
}

Corporate vulnerability scans report the vulnerability shown below.

They of course show ways to deal with other types of Web servers, but nothing for sMash. And unclear to me what I can do with my sMash server setup to avoid this problem.

Any input is appreciated!
Kirk
The host supports weak cipher session keys when negotiating communications using the SSL protocol.

INFO:

Netscape's Secure Sockets Layer (SSL) protocol provides privacy between two applications (a client and a server) that communicate over an untrusted network.

An SSL session is encrypted using ciphers. SSL protocol supports several cipher suites, each providing a different level of security. SSL protocol permits the server to support some/all of these cipher suites and during the initial SSL session setup stage, it allows the client to pick the cipher suite to be used for that session. The hosts use certificates and public and private session keys in order to securely negotiate the cipher suite to be used.

This check does not evaluate the strength of Public or Private Key Certificates but only the strength of the ciphers supported by the server to establish sessions over which the data is exchanged between server and client.

A vulnerable host will support the use of a cipher with a key strength below 128 bits. This does not necessarily mean that the host is configured to actively use the weak cipher.
General Fix:
Enforce the use of 128-bit SSL keys. This refers to SECRET KEY CIPHERS and not public key algorithms which are typically 1024 bits and higher. This may not be possible in all situations because keys distributed by some vendors use 40 bits. This includes certificates from organizations such as Verisign. When configuring communications using SSL, use the highest key strength possible.

Disable ciphers which support cleartext communication.
Updated on 2012-08-27T21:01:20Z at 2012-08-27T21:01:20Z by SystemAdmin
  • KirkBeaty
    KirkBeaty
    4 Posts
    ACCEPTED ANSWER

    Re: Vulnerability Scan Exceptions with https config -- Weak Cipher session Keys

    ‏2012-08-20T14:51:42Z  in response to KirkBeaty
    Anyone with help on this one ?
    • SystemAdmin
      SystemAdmin
      9224 Posts
      ACCEPTED ANSWER

      Re: Vulnerability Scan Exceptions with https config -- Weak Cipher session Keys

      ‏2012-08-27T21:01:20Z  in response to KirkBeaty
      My sMASH SSL used the following setup:

      My zero.config
      1. HTTP certificate (self-contained) and SSL setup,
      /config/https/port = 443
      /config/https/sslconfig = {
      "keyStore": "./config/key.jks",
      "keyStorePassword": "<xor>xyzxyzxyz==",
      "keyStoreType": "JKS"
      }

      The Firefox shows SSL connectints with:
      Connection Encrypted: High-grade Encryption (RC-4,128 bits key)

      Im using Offical certicates from the GEOTrust CA company wich now runs with 2048 key length manually imported into the keystore by use of a Java console command, below an example:

      Request:
      java com.ibm.gsk.ikeyman.ikeycmd -certreq -create -label cobd2011 -dn "CN=cobd.pok.ibm.com,O=IBM,OU=IBM COBmail Server,L=POK,ST=NY,C=US" -size 2048 -file certreq2011long.arm -db key.jks -pw ...... -type jks

      Receive:
      java com.ibm.gsk.ikeyman.ikeycmd -cert -receive -file cobd_cert2011.crt -db key.jks -pw ..... -type jks

      Add CA:
      java com.ibm.gsk.ikeyman.ikeycmd -cert -add -file cobd_cert2011_ca.crt -db key.jks -pw ..... -type jks jks

      Hope this is somehow useful.

      Regards, Claude