CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER
Issue/Introduction
We're running a CA Access Gateway (SPS) and we've found a vulnerability in authentication when reaching the https://fedserver.mydomain.com site.
Our vulnerability scanner reports the following vulnerability:
The Diffie-Hellman parameter's size is only 1024 bits. A longer one must be generated to prevent Logjam vulnerability.
How can we fix that?
Environment
CA Access Gateway (SPS) 12.52SP1
Resolution
On CA Access Gateway (SPS), remove from the configuration the DHE ciphers that the scanner considers non-compliant:
If you can't modify this configuration, upgrade CA Access Gateway (SPS) to 12.8SP3, which out of the box doesn't present those ciphers for SSL access.
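To confirm the result after removing the DHE ciphers or upgrading, the key exchange the gateway negotiates can be read from an `openssl s_client` transcript. The script below is an added example, not part of the original article or any vendor tooling; the function name, return codes and the 2048-bit threshold are assumptions, and the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example (not vendor tooling): classify the key exchange shown in an
# `openssl s_client` transcript. Capture one against the gateway with:
#   openssl s_client -connect fedserver.mydomain.com:443 -tls1_2 -cipher 'DHE' </dev/null 2>&1
# Offering only DHE suites shows whether the server still accepts them.

MIN_DH_BITS=2048  # assumption: the article only says 1024 bits is too small

# Reads a transcript on stdin and prints a verdict. Return codes:
#   0 = no finite-field DHE negotiated (suites removed, or ECDHE/RSA in use)
#   1 = DHE negotiated with a group smaller than MIN_DH_BITS
#   2 = DHE negotiated with a group of at least MIN_DH_BITS
#   3 = a DH line was found but its size could not be parsed
check_dh_transcript() {
    dh_bits=""
    while IFS= read -r dh_line; do
        case "$dh_line" in
            "Server Temp Key: DH, "*)   # does not match "ECDH" or "X25519"
                dh_bits=${dh_line#"Server Temp Key: DH, "}
                dh_bits=${dh_bits%% *}
                ;;
        esac
    done
    case "$dh_bits" in
        "") echo "OK: no DHE key exchange negotiated"; return 0 ;;
        *[!0-9]*) echo "UNKNOWN: cannot parse DH size '$dh_bits'"; return 3 ;;
    esac
    if [ "$dh_bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK: server used ${dh_bits}-bit DH parameters"; return 1
    fi
    echo "NOTE: DHE still enabled with ${dh_bits}-bit parameters"; return 2
}

# Constructed sample transcripts, trimmed to the relevant lines.
SAMPLE_WEAK='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server Temp Key: DH, 1024 bits'
SAMPLE_ECDHE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH, P-256, 256 bits'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)'

# Demo on the constructed weak sample; prints the WEAK verdict.
printf '%s\n' "$SAMPLE_WEAK" | check_dh_transcript || true
```

A verdict of `OK` on a DHE-only offer means the gateway refused every DHE suite, which is the state the resolution above aims for.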