ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Security Scan Discovered Three Vulnerabilities on Port 2010 - DevTest 10.3
Article ID: 103615
Updated On:
Products
CA Application Test
CA Continuous Application Insight (PathFinder)
Issue/Introduction
The included security report found the following vulnerabilities on Port 2010:
SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
SSL Medium Strength Cipher Suites Supported
SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
SSL Medium Strength Cipher Suites Supported
Cause
Cipher Suites
Environment
Release:
Component: ITKOTF
Component: ITKOTF
Resolution
Set the below value in the local.properties file of where the Registry is running.
The general idea is to start with cipher suites designed for RSA and ECDSA keys.
lisa.server.https.cipher.suites=\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
For more, see https://www.feistyduck.com/library/openssl-cookbook/online/apA-ssl-tls-deployment-best-practices.html
You will need restart the Registry.
Re-did scan and this resolved the issue.
The general idea is to start with cipher suites designed for RSA and ECDSA keys.
lisa.server.https.cipher.suites=\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
For more, see https://www.feistyduck.com/library/openssl-cookbook/online/apA-ssl-tls-deployment-best-practices.html
You will need restart the Registry.
Re-did scan and this resolved the issue.
Feedback
Yes
No
Powered by
