weak DH vulnerability on site minder URL

book

Article ID: 185746

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


We're running a CA Access Gateway (SPS) and we've found a

vulnerability in authentication when reaching

  https://fedserver.mydomain.com 

site.

Our vulnerability scanner reports the following vulnerability :

  The Diffie-Hellman parameter's size is only 1024 bits. A longer one
  must be generated to prevent Logjam vulnerability.

How can we fix that ?

Environment


CA Access Gateway (SPS) 12.52SP1;

Resolution


On CA Access Gateway (SPS), remove from the configuration the DHE

ciphers that the scanner consider non-compliant :

  Default path :
  
  /opt/CA/secure-proxy/httpd/conf/extra/httpd-ssl.conf

  the ciphers are at the line :

  SSLCipherSuite [...]

If you can't modify this configuration, upgrade the CA Access
Gateway (SPS) to 12.8SP3 which out of the box doesn't present those
Ciphers for SSL access :

  SSLCipherSuite  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES