Service Virtualization: Weak key size for TLSv1.2

Article ID: 251607

Updated On: 03-12-2025

Products

Service Virtualization

Issue/Introduction

After disabling the lower-level SSL and TLS protocols and using only TLSv1.2 for DevTest components, the system still fails the internal security scan. The Security team is now flagging the system with the following statement:

The increase in vulnerability is due to the weak key size for TLS1.2, and the minimum size needs to be 112 keys.

Environment

All supported DevTest releases.

Cause

The cipher keys are determined by the Java Runtime Environment (JRE).

Resolution

For 10.7.2, with or without HotFixes and Service Packs, the easiest way to solve this issue is to modify the DEVTEST_HOME\jre\lib\security\java.security file and change the DH keySize in jdk.tls.disabledAlgorithms as shown below to force all ciphers to use 2048-bit keys. By default, the DH keySize is < 1024.

jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

To:

jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DHE

Make the above change on all DevTest servers and restart the DevTest services; the change does not take effect until the services are restarted.

For 10.8 and up, modify the DEVTEST_HOME\jre\conf\security\java.security file and make the same changes.

Additional Information

In high-performance environments, the TLS_DHE ciphers tend to run slower. To avoid this, disable them manually by adding them explicitly to jdk.tls.disabledAlgorithms. Run the attached 'Supported_Java_Ciphers_v2.mar' (a DevTest test) to see which ciphers the JVM supports, and then modify the java.security file so that the TLS_DHE_... ciphers are not used. Note: This test uses the JRE of the DevTest Workstation machine where the test is executed.

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

For more information on configuring jdk.tls.disabledAlgorithms, see the additional information on Oracle's JDK and JRE Cryptographic Algorithms page.
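
A way to check the edited file on each server, as an added example that is not part of the original article or of DevTest: it parses java.security-style text (including backslash continuations), reads jdk.tls.disabledAlgorithms, and reports the DH keySize floor and any DHE entries. The function names and the `min_dh_bits` parameter are assumptions of this example; the sample inputs are the before and after values from the Resolution section.

```python
import re

def read_property(text, key):
    """Return the value of `key` from java.security-style text, joining
    backslash-continued lines; the last definition wins."""
    value, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue                      # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1]              # continuation: keep accumulating
            continue
        name, sep, val = (buf + line).partition("=")
        buf = ""
        if sep and name.strip() == key:
            value = val.strip()
    return value

def audit(text, min_dh_bits=2048):
    """Summarise the DH-related entries of jdk.tls.disabledAlgorithms."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    dh_bits = None
    for e in entries:
        m = re.fullmatch(r"DH\s+keySize\s*<\s*(\d+)", e)
        if m:
            dh_bits = int(m.group(1))
    return {
        "dh_min_bits": dh_bits,           # None means no DH constraint found
        "dh_ok": dh_bits is not None and dh_bits >= min_dh_bits,
        "dhe_disabled": "DHE" in entries,
        "dhe_suites_disabled": [e for e in entries if e.startswith("TLS_DHE_")],
    }

# Constructed inputs: the two property values shown in the article.
BEFORE = """jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
AFTER = """# hardened value
jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DHE
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```

To audit a real server, pass the contents of its java.security file to `audit()`; a result with `dh_ok` false or `dh_min_bits` of None means the edit is missing or was overridden by a later definition in the file.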

Attachments

1665093383866__Supported_Java_Ciphers_v2.mar