search cancel

How to block weak protocols and ciphers in NFA?

book

Article ID: 228221

calendar_today

Updated On:

Products

CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

If you wish to completely block SSLv2, SSLv3, TLS1.0, TLS 1.1 and / or any weak ciphers, please see the below.

Cause

Vulnerability scanner may flag weak protocols or ciphers allowed which could be a security issue.

Resolution

For Java processes to block weak protocols or ciphers search for: jdk.tls.disabledAlgorithms in the x:\CA\NFA\jre\lib\security\java.security file.

Add this line if it is not there already:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

 

For Windows processes:

Security Settings for Protection Against BEAST and Weak Diffie-Hellman Moduli