As part of security verification, devtest instances were scanned for any OS vulnerabilities and raised the following issues related to DevTest services.

#1. Java Deserialization Vulnerability Detected tcp over ssl 
#2. Java SSL KeyStore Password Disclosure Vulnerability
#3. Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) tcp over ssl CVE-2016-2183 
#4. SSL/TLS Server supports TLSv1.0 tcp over ssl 

All supported DevTest environments

Vulnerability

The below settings should resolve these 4 concerns that are listed above.  

1) In all of the  VMOptions files (e.g., Registry.vmoptions, Simulator.vmoptions, etc.) add:
-Dhttps.protocols=TLSv1.2  or -Dhttps.protocols=TLSv1.2,TLSv1.1

This will "disable" TLSv1, SSLv3 and, optionally, TLSv1.1, which have known vulnerabilities.  TLSv1.2 is the strongest SSL protocol currently supported (TLSv1.3 was only just released by IETF and we do not provide this yet).  

2) In site.properties or local.properties, add:

lisa.server.https.cipher.suites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_RSA_WITH_AES_128_CBC_SHA,\
TLS_RSA_WITH_AES_128_CBC_SHA256,\
TLS_RSA_WITH_AES_128_GCM_SHA256,\


1.The "RSA+EXPORT" ciphers are supported;
2.The size of the RSA public key in certificate is not stronger than 1024;
3.The temporary RSA key size is less than 1024;
4.The temporary RSA key is stable(used multiple times);

Besides adding a list of accepted cipher suites to local.properties, the java.security file can be updated, too. There may be two java.security files they need to touch: one's in DevTestHome\jre\lib\security\ and one's in JAVA_HOME/jre/lib/security. Once both those files are found, apply these changes: 


If you want to set which TLS will be used, you can do it in the same file via property jdk.tls.client.protocols. 

Let’s say, we want to use only TLSv1.2 and only A (strong) grade cipher suites. 

* jdk.tls.client.protocols=TLSv1.2 
* jdk.tls.disabledAlgorithms=TLSv1, MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048 


Note to disabled algorithms: DESede and DES are disabled to disable 3DES. RSA keySize <2048, this will disable all RSA with 2048 and less bits. 

 

We are limited to what ciphers the JVM supports, For more information on how to configure the security of the Oracle JDK and JRE see https://www.java.com/en/configure_crypto.html.

The following knowledge base article discusses the 'lisa.server.https.cipher.suites' property: https://knowledge.broadcom.com/external/article?articleId=144183

DevTest Documentation can be found at: https://techdocs.broadcom.com/us/en/ca-enterprise-software/devops/devtest-solutions/10-5/reference/property-descriptions/custom-property-files/local-properties-file.html#concept.dita_3f01127616df0b8bb3296906a21a3df06a484f00_SSLProperties