We have received a report of a vulnerability on the VNA server:
Change the SSL/TLS server configuration to only allow strong key exchanges.
Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges.
Release: 22.2.5 and older
Follow the instructions below to execute the command with root privilege.
[[email protected] ~]# whoami
root
[[email protected] ~]# cd /opt/CA/VNA/wildfly/bin/
[[email protected] bin]# ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
Unable to connect due to unrecognised server certificate
Subject - CN=trond-team-vna,OU=Broadcom,O=Support,L=Portsmouth,ST=NH,C=US
Issuer - CN=DX NetOps Edu Intermediate
Valid From - Thu Dec 15 19:07:20 UTC 2022
Valid To - Fri Dec 15 19:07:19 UTC 2023
MD5 : be:b5:13:71:25:bd:fe:11:22:74:56:53:86:04:07:7f
SHA1 : f4:a1:79:64:0c:5f:78:64:84:5f:59:dd:ee:79:1b:a8:d1:d5:a3:c9
Subject - CN=DX NetOps Edu Intermediate
Issuer - CN=DX NetOps Edu Cert Authority
Valid From - Wed Dec 07 16:31:30 UTC 2022
Valid To - Tue Dec 02 16:31:02 UTC 2042
MD5 : d0:9b:89:03:36:8b:10:ec:f7:f0:0b:6d:b9:25:8f:65
SHA1 : 6d:6d:c1:f9:f8:e4:a5:98:a9:bb:0d:ae:44:6f:cd:88:97:6d:88:67
Subject - CN=DX NetOps Edu Cert Authority
Issuer - CN=DX NetOps Edu Cert Authority
Valid From - Wed Dec 07 16:31:03 UTC 2022
Valid To - Tue Dec 02 16:31:02 UTC 2042
MD5 : 20:58:fe:09:68:be:03:d5:3a:aa:f2:b6:9c:72:48:20
SHA1 : 65:03:c1:be:d0:d4:e6:e4:7c:97:89:ca:06:ec:c2:18:be:40:2e:9a
Accept certificate? [N]o, [T]emporarily, [P]ermanently : P
[[email protected]:9993 /] /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=cipher-suite-filter,value="ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[[email protected]:9993 /] exit
[[email protected] bin]# systemctl restart wildfly
You only have to accept the JBoss certificates the first time the console is used, so you may not see that prompt.
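After the restart, a defender will want to confirm that the server really negotiates a key exchange of at least 112 bits. The following added example (not Broadcom or VNA code) parses the text that `openssl s_client -connect <host>:<port>` prints and rates the negotiated key exchange; the modulus-to-strength mapping is the usual NIST SP 800-57 one (an assumption), and the sample outputs are constructed, not captured from a real host.

```python
import re

# Modulus size -> security strength in bits, for finite-field DH and RSA
# (assumption: the customary NIST SP 800-57 Part 1 mapping).
def ffdh_rsa_strength(bits: int) -> int:
    for modulus, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if bits >= modulus:
            return strength
    return 0

def ecdh_strength(bits: int) -> int:
    # Elliptic-curve key exchange: strength is about half the field size.
    return bits // 2

def key_exchange_strength(s_client_output: str) -> tuple:
    """Return (kind, strength_bits) for the key exchange seen in openssl
    s_client output; kind is 'ECDHE', 'DHE', 'RSA' or None if not found."""
    tmp = re.search(r"Server Temp Key: ([^,\n]+), (?:[^,\n]+, )?(\d+) bits", s_client_output)
    if tmp:
        kind, bits = tmp.group(1).strip(), int(tmp.group(2))
        if kind == "DH":
            return "DHE", ffdh_rsa_strength(bits)
        return "ECDHE", ecdh_strength(bits)   # ECDH, X25519, X448
    # No ephemeral key line means static RSA key exchange: its strength is
    # bounded by the certificate's RSA modulus and it has no forward secrecy.
    pub = re.search(r"Server public key is (\d+) bit", s_client_output)
    if pub:
        return "RSA", ffdh_rsa_strength(int(pub.group(1)))
    return None, 0

def meets_minimum(s_client_output: str, minimum: int = 112) -> bool:
    """True if the negotiated key exchange provides at least `minimum` bits."""
    kind, strength = key_exchange_strength(s_client_output)
    return kind is not None and strength >= minimum

# Constructed samples of s_client output (not real captures).
SAMPLE_AFTER = """CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: X25519, 253 bits
"""
SAMPLE_WEAK = """CONNECTED(00000003)
New, TLSv1.2, Cipher is AES128-SHA
Server public key is 1024 bit
"""

if __name__ == "__main__":
    for name, out in (("after change", SAMPLE_AFTER), ("weak", SAMPLE_WEAK)):
        print(name, key_exchange_strength(out), meets_minimum(out))
```

Pipe a real `openssl s_client -connect host:9993 </dev/null` capture into `meets_minimum` to check the management port after applying the cipher-suite-filter.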