weak DH vulnerability on site minder URL
Article ID: 185746
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
We're running a CA Access Gateway (SPS) and we've found a
vulnerability in authentication when reaching
https://fedserver.mydomain.com
site.
Our vulnerability scanner reports the following vulnerability :
The Diffie-Hellman parameter's size is only 1024 bits. A longer one
must be generated to prevent Logjam vulnerability.
How can we fix that ?
Environment
CA Access Gateway (SPS) 12.52SP1;
Resolution
On CA Access Gateway (SPS), remove from the configuration the DHE
ciphers that the scanner consider non-compliant :
Default path :
/opt/CA/secure-proxy/httpd/conf/extra/httpd-ssl.conf
the ciphers are at the line :
SSLCipherSuite [...]
If you can't modify this configuration, upgrade the CA Access
Gateway (SPS) to 12.8SP3 which out of the box doesn't present those
Ciphers for SSL access :
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES
Feedback
Yes
No
Powered by
