ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Penetration test complains about weak cipher

book

Article ID: 130428

calendar_today

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

Our security team ran a penetration test against our Wily install and the result says that Wily supports SSL Medium Strength Cipher Suites.

Description The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network. Solution Reconfigure the affected application if possible to avoid use of medium strength ciphers.

The finding applies to the following two processes - which are the Enterprise Manager and the WebView processes:

./jre/bin/java -Xms4096m -Xmx8192m -Djava.awt.headless=true -Dmail.mime.charset=UTF-8 -Dorg.owasp.esapi.resources=./config/esapi -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -Xss512k com.zerog.lax.LAX /export/appl/wilyca/Introscope10.3.0.19/5000/Introscope_Enterprise_Manager.lax /tmp/env.properties.17739 wily 17776

./jre/bin/java -Xms256m -Xmx1024m -Djava.awt.headless=true -Dorg.owasp.esapi.resources=./config/esapi -Dsun.java2d.noddraw=true -Dorg.osgi.framework.bootdelegation=org.apache.xpath com.zerog.lax.LAX /export/appl/wilyca/Introscope10.3.0.19/5000/Introscope_WebView.lax /tmp/env.properties.17776 

The following ciphersuites shows up in security report.
DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA

How to disable above ciphersuites within Enterprise Manager and WebView?

Environment

Release:
Component: APMISP

Resolution

We have tried following setting jdk.tls.disabledAlgorithms in file <EM-WV-Home>/jre/lib/security/java.security on 10.3.0.19:
dk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
and it did not work.
We tried following setting:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede
Compared to original values in file: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
We only added: DES, DESede
And it helped to remove all ciphers with 3DES (also named DES-EDE or DES-CBC3 in various contexts).
We tested that this setting is correctly applied with cipherscan that reports all ciphers suites that are available for connecting:
https://github.com/mozilla/cipherscan
We suggest to test with following.
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede