
List of vulnerabilities for DevTest services


Article ID: 111791




CA Application Test Service Virtualization


As part of security verification, DevTest instances were scanned for OS vulnerabilities, and the scan raised the following issues related to DevTest services.

#1. Java Deserialization Vulnerability Detected (tcp over ssl)
#2. Java SSL KeyStore Password Disclosure Vulnerability
#3. Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) (tcp over ssl) CVE-2016-2183
#4. SSL/TLS Server supports TLSv1.0 (tcp over ssl)




All supported DevTest environments


The settings below should resolve the four concerns listed above.

1) In all of the VMOptions files (e.g., Registry.vmoptions, Simulator.vmoptions, etc.), add one of the following lines:
-Dhttps.protocols=TLSv1.2
or
-Dhttps.protocols=TLSv1.2,TLSv1.1

This will "disable" TLSv1, SSLv3 and, optionally, TLSv1.1, which have known vulnerabilities. TLSv1.2 is the strongest TLS protocol currently supported (TLSv1.3 was only just released by the Internet Engineering Task Force (IETF); I don't know of any implementations that are available yet, and it's not something we provide).

2) In their or, add this:


1. The "RSA+EXPORT" ciphers are supported;
2. The size of the RSA public key in the certificate is not stronger than 1024;
3. The temporary RSA key size is less than 1024;
4. The temporary RSA key is stable (used multiple times);

Besides adding a list of accepted cipher suites to, the file can be updated, too. There may be two files to touch: one in DevTestHome\jre\lib\security\ and one in JAVA_HOME/jre/lib/security. Once both files are found, apply these changes:

If you want to set which TLS version will be used, you can do it in the same file via the property jdk.tls.client.protocols.

Let's say we want to use only TLSv1.2 and only A (strong) grade cipher suites.

* jdk.tls.client.protocols=TLSv1.2 
* jdk.tls.disabledAlgorithms=TLSv1, MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048 

Note on the disabled algorithms: DESede and DES are listed in order to disable 3DES. RSA keySize < 2048 disables all RSA keys shorter than 2048 bits.
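To confirm that the JVM actually honours the java.security changes above, the following check can be compiled and run with the same java binary DevTest uses. It is an added example, not part of the original article or of the DevTest product: it lists the protocols and cipher suites a default SSLContext would enable and flags those the hardening is meant to remove. The lists of "weak" protocols and suite name markers are assumptions derived from the findings above; note that https.protocols only governs HttpsURLConnection, so the protocol list printed here reflects jdk.tls.client.protocols and jdk.tls.disabledAlgorithms, not the -Dhttps.protocols setting.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

/**
 * Prints the protocols and cipher suites a default SSLContext would enable
 * and flags those that the hardening above is meant to remove.
 * Example run (with the DevTest JRE): java TlsHardeningCheck
 */
public class TlsHardeningCheck {

    // Protocols that findings #3 (Sweet32) and #4 (TLSv1.0) want removed. Assumed list.
    private static final List<String> WEAK_PROTOCOLS = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");

    // Name fragments of suites the jdk.tls.disabledAlgorithms line above should exclude. Assumed list.
    private static final List<String> WEAK_SUITE_MARKERS =
            Arrays.asList("3DES", "DES_", "RC4", "NULL", "EXPORT", "MD5", "anon", "DSS");

    public static void main(String[] args) throws Exception {
        // Echo the settings the article asks for, so the output documents the configuration under test
        System.out.println("https.protocols            = " + System.getProperty("https.protocols"));
        System.out.println("jdk.tls.client.protocols   = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        int problems = 0;

        System.out.println("\nEnabled protocols:");
        for (String proto : params.getProtocols()) {
            boolean weak = WEAK_PROTOCOLS.contains(proto);
            if (weak) problems++;
            System.out.println((weak ? "  [WEAK] " : "  [ok]   ") + proto);
        }

        System.out.println("\nEnabled cipher suites:");
        for (String suite : params.getCipherSuites()) {
            boolean weak = false;
            for (String marker : WEAK_SUITE_MARKERS) {
                if (suite.contains(marker)) { weak = true; break; }
            }
            if (weak) problems++;
            System.out.println((weak ? "  [WEAK] " : "  [ok]   ") + suite);
        }

        // Non-zero exit lets the check be wired into a deployment script
        System.out.println("\n" + problems + " weak protocol(s)/suite(s) still enabled");
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

Run it once per JRE whose java.security you edited (the DevTest one and the JAVA_HOME one), since each JVM reads only its own copy of that file.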


Additional Information

We are limited to the ciphers the JVM supports. For more information on how to configure the security of the Oracle JDK and JRE, see

The following knowledge base article discusses the 'lisa.server.https.cipher.suites' property:

DevTest Documentation can be found at: