affwebserv.log reporting Invalid SSL cipher TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384 configured in SSLCipherConfig.properties.

Article ID: 252640

Products

SITEMINDER VIP Authentication Hub CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

affwebserv.log has the following two WARNING messages repeating, one for each cipher in SSLCiphers:

[1234/5678][Fri Oct 21 2022 12:34:56.001][SSLConfigurationHelper][WARNING][sm-Srca-00028] Invalid SSL cipher TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384 configured in SSLCipherConfig.properties.
[1234/5678][Fri Oct 21 2022 12:34:56.001][SSLConfigurationHelper][WARNING][sm-Srca-00024] Configured cipher TLS_RSA_With_AES_256_CBC_SHA256 is unsafe and vulnerable to attack.  Consider removing the cipher from SSLCipherConfig.properties and use only GCM mode ciphers.


Environment

Release : 12.8.06 Build 2824

Cause

The cipher names in the SSLCiphers string are case sensitive. Standard TLS cipher suite names are entirely upper case (for example TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); the configured names spell the token as "With", so the SSLConfigurationHelper does not recognize them.

Resolution

Following is the SSLCipher in the "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties"

SSLCiphers=TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384:TLS_ECDHE_RSA_With_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_With_AES_128_GCM_SHA256:TLS_ECDHE_RSA_With_AES_128_GCM_SHA256:TLS_DHE_RSA_With_AES_256_GCM_SHA384:TLS_DHE_DSS_With_AES_256_GCM_SHA384:TLS_RSA_With_AES_256_GCM_SHA384:TLS_DHE_RSA_With_AES_128_GCM_SHA256:TLS_DHE_DSS_With_AES_128_GCM_SHA256:TLS_RSA_With_AES_128_GCM_SHA256:TLS_RSA_With_AES_256_CBC_SHA256:TLS_RSA_With_AES_128_CBC_SHA256:TLS_RSA_With_AES_256_CBC_SHA:TLS_RSA_With_AES_128_CBC_SHA

Every name in the cipher string contains "With" in mixed case, which is not a valid cipher suite name; the standard names use "WITH" in upper case. The 10 GCM-mode ciphers are therefore reported as invalid (sm-Srca-00028), and the 4 CBC-mode TLS_RSA ciphers are additionally reported as unsafe (sm-Srca-00024).

Please perform the following.

0. Backup "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties"
1. Stop both "CA Access Gateway Engine" and "CA Access Gateway Proxy" services.
2. Update "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties" so that every cipher name in SSLCiphers uses "WITH" in upper case.
3. Start both "CA Access Gateway Engine" and "CA Access Gateway Proxy" services.
4. Check affwebserv.log to confirm that the sm-Srca-00028 warnings no longer appear.

Following is a sample cipher that needs to be updated. Apply the same change to all 10 ciphers that were reported as invalid (every entry in SSLCiphers contains "With").

SSLCiphers from
"TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384"
to
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384".


The 4 CBC-mode ciphers reported as unsafe by sm-Srca-00024 can now be removed from SSLCiphers entirely, leaving only GCM-mode ciphers as the warning recommends. Simply correcting their case would make them valid but would not remove the sm-Srca-00024 warning.

TLS_RSA_With_AES_256_CBC_SHA256:TLS_RSA_With_AES_128_CBC_SHA256:TLS_RSA_With_AES_256_CBC_SHA:TLS_RSA_With_AES_128_CBC_SHA
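The following script is an added example, not part of this article or of the Access Gateway product. It parses the two warning formats from affwebserv.log (a constructed sample copied from the messages above), then rewrites the SSLCiphers line the way the resolution describes: it upper-cases every name so "With" becomes "WITH", checks each result against the shape of a standard TLS 1.2 cipher suite name (a regular expression assumed here, not something the product exposes), and drops every non-GCM suite, which for this string is exactly the 4 CBC ciphers. The "GCM only" rule is taken from the wording of the sm-Srca-00024 warning.

```python
import re

# Constructed sample of the two repeating affwebserv.log lines, in the article's format.
SAMPLE_LOG = """\
[1234/5678][Fri Oct 21 2022 12:34:56.001][SSLConfigurationHelper][WARNING][sm-Srca-00028] Invalid SSL cipher TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384 configured in SSLCipherConfig.properties.
[1234/5678][Fri Oct 21 2022 12:34:56.001][SSLConfigurationHelper][WARNING][sm-Srca-00024] Configured cipher TLS_RSA_With_AES_256_CBC_SHA256 is unsafe and vulnerable to attack.  Consider removing the cipher from SSLCipherConfig.properties and use only GCM mode ciphers.
"""

# The SSLCiphers line as it appears in the misconfigured SSLCipherConfig.properties.
ORIGINAL_PROPERTIES = (
    "SSLCiphers=TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384:TLS_ECDHE_RSA_With_AES_256_GCM_SHA384:"
    "TLS_ECDHE_ECDSA_With_AES_128_GCM_SHA256:TLS_ECDHE_RSA_With_AES_128_GCM_SHA256:"
    "TLS_DHE_RSA_With_AES_256_GCM_SHA384:TLS_DHE_DSS_With_AES_256_GCM_SHA384:"
    "TLS_RSA_With_AES_256_GCM_SHA384:TLS_DHE_RSA_With_AES_128_GCM_SHA256:"
    "TLS_DHE_DSS_With_AES_128_GCM_SHA256:TLS_RSA_With_AES_128_GCM_SHA256:"
    "TLS_RSA_With_AES_256_CBC_SHA256:TLS_RSA_With_AES_128_CBC_SHA256:"
    "TLS_RSA_With_AES_256_CBC_SHA:TLS_RSA_With_AES_128_CBC_SHA\n"
)

# Pulls the message code and the offending cipher name out of either warning.
WARNING_RE = re.compile(r"\[(sm-Srca-\d+)\] (?:Invalid SSL cipher|Configured cipher) (\S+)")

# Assumed shape of a standard (IANA / JSSE) TLS 1.2 suite name: upper-case tokens, literal WITH.
STD_NAME_RE = re.compile(r"^TLS_[A-Z0-9]+(?:_[A-Z0-9]+)*_WITH_[A-Z0-9]+(?:_[A-Z0-9]+)*$")


def parse_warnings(log_text):
    """Group the cipher names from sm-Srca-00028 / sm-Srca-00024 warnings by message code."""
    found = {}
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def is_standard_name(name):
    """Case-sensitive check: 'TLS_..._With_...' fails, 'TLS_..._WITH_...' passes."""
    return STD_NAME_RE.match(name) is not None


def canonical_name(name):
    """Standard suite names are entirely upper case, so upper-casing repairs the 'With' token."""
    return name.upper()


def is_gcm(name):
    """sm-Srca-00024 recommends GCM-mode ciphers only; everything else is treated as weak."""
    return "_GCM_" in name


def fix_ssl_ciphers(properties_text):
    """Rewrite the SSLCiphers line: fix case, drop non-GCM suites, and report what changed."""
    report = {"fixed_case": [], "removed_weak": [], "kept": []}
    out_lines = []
    for line in properties_text.splitlines():
        if not line.startswith("SSLCiphers="):
            out_lines.append(line)  # other properties pass through untouched
            continue
        kept = []
        for cipher in line[len("SSLCiphers="):].split(":"):
            fixed = canonical_name(cipher)
            if fixed != cipher:
                report["fixed_case"].append(cipher)
            if not is_standard_name(fixed):
                raise ValueError("not a standard cipher suite name: %s" % cipher)
            if not is_gcm(fixed):
                report["removed_weak"].append(fixed)
                continue
            kept.append(fixed)
        report["kept"] = kept
        out_lines.append("SSLCiphers=" + ":".join(kept))
    return "\n".join(out_lines) + "\n", report


if __name__ == "__main__":
    for code, names in parse_warnings(SAMPLE_LOG).items():
        print(code, names)
    fixed_text, report = fix_ssl_ciphers(ORIGINAL_PROPERTIES)
    print("case fixed: %d, removed: %d, kept: %d" % (
        len(report["fixed_case"]), len(report["removed_weak"]), len(report["kept"])))
    print(fixed_text)
```

Run against the string from this article, all 14 names need their case fixed, the 4 CBC suites are removed, and the 10 GCM suites remain. Because the check is case sensitive, the script refuses to emit any name that would still trigger sm-Srca-00028 after the rewrite.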

Additional Information

The "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties" file is used when the Access Gateway acts as a TLS client to a back-end service, not for the connections it terminates from browsers.

For example, when SPS contacts VIP AuthHub, an SSL handshake needs to be performed using the ciphers from this file, and that is where this WARNING gets logged. If every configured name is invalid, the cipher list offered in that handshake will not be the one you intended, so the warnings should not be ignored.