Weak Cipher Suite Warning

Article ID: 259314


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

I am getting the following WARN in WebView Console logs:

[WARN] [org.eclipse.jetty.util.ssl.SslContextFactory.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Server@388ffbc2[provider=null,keyStore=file:///apps/Broadcom/Introscope10.8.0/config/internal/server/keystore,trustStore=file:///apps/Broadcom/Introscope10.8.0/config/internal/server/keystore]

 

Environment

Release : 10.8

Resolution

Did you make the needed change in Webview.jetty.config?

<Set name="excludeCipherSuites">

It would be something like 

 setExcludeCipherSuites("^TLS_RSA_.*$"); This is not recommended since it is too broad.

OR 

 setExcludeCipherSuites("^TLS_RSA_WITH_AES_128_CBC_SHA.*$");

It depends on how specific or broad you want to be. Placing case in verify since a solution was given.

Await your update

 

______________

I’ve added the following weak ciphers to be excluded…

 

    <!-- Exclude weak and obsolete cipher suites. -->
    <Set name="excludeCipherSuites">
      <Array type="java.lang.String">
        <Item>^.*_MD\d$</Item>
        <Item>^.*_NULL.*$</Item>
        <Item>^.*_anon.*$</Item>
        <Item>^.*_RC\d.*$</Item>
        <Item>^.*_3?DES.*$</Item>
        <Item>^.*_DHE.*$</Item>
        <Item>^.*TLS_RSA_WITH_AES_128_CBC_SHA.*$</Item>
        <Item>^.*TLS_RSA_WITH_AES_256_CBC_SHA.*$</Item>
        <Item>^.*TLS_RSA_WITH_AES_128_GCM_SHA256.*$</Item>
        <Item>^.*TLS_RSA_WITH_AES_256_GCM_SHA384.*$</Item>
        <Item>^.*TLS_RSA_WITH_AES_256_CBC_SHA256.*$</Item>
        <Item>^.*TLS_ECDH_RSA_WITH_AES_128_CBC_SHA.*$</Item>
        <Item>^.*TLS_ECDH_RSA_WITH_AES_256_CBC_SHA.*$</Item>
        <Item>^.*TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.*$</Item>
        <Item>^.*TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.*$</Item>
        <Item>^.*TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA.*$</Item>
        <Item>^.*TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA.*$</Item>
        <Item>^.*TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA.*$</Item>
        <Item>^.*TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA.*$</Item>
        <!-- SHA1 is necessary to support TLS 1.1 ciphers.
             If TLS 1.1 does not need to be supported,
             SHA1 can be disabled as well. -->
        <!-- Item>^.*_SHA1?$</Item -->
      </Array>
    </Set>

And then I restarted WebView. Now the logs no longer show the WARN messages mentioned in my previous email.
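
To see what each exclude choice discussed above actually removes, the following added example (not part of the original article, and not Broadcom or Jetty code) applies the page's patterns to a constructed list of standard JSSE suite names. It assumes each pattern is matched against the whole suite name as a regular expression; the sample list is an assumption and is not output from the WebView JVM.

```python
import re

# Exclude patterns from the excludeCipherSuites array posted on this page.
PAGE_EXCLUDES = [
    r"^.*_MD\d$", r"^.*_NULL.*$", r"^.*_anon.*$",
    r"^.*_RC\d.*$", r"^.*_3?DES.*$", r"^.*_DHE.*$",
] + ["^.*" + name + ".*$" for name in (
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
)]
# The two single-pattern alternatives from the support reply.
BROAD = [r"^TLS_RSA_.*$"]
NARROW = [r"^TLS_RSA_WITH_AES_128_CBC_SHA.*$"]

# Constructed sample of standard JSSE suite names (not read from a real server).
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
]

def split_suites(suites, patterns):
    """Return (kept, removed); removed maps each suite to the first pattern that hit."""
    compiled = [re.compile(p) for p in patterns]
    kept, removed = [], {}
    for name in suites:
        hit = next((c.pattern for c in compiled if c.fullmatch(name)), None)
        if hit is None:
            kept.append(name)
        else:
            removed[name] = hit
    return kept, removed

if __name__ == "__main__":
    for label, pats in (("broad", BROAD), ("narrow", NARROW), ("page list", PAGE_EXCLUDES)):
        kept, removed = split_suites(SAMPLE_SUITES, pats)
        print(f"{label}: {len(removed)} removed, {len(kept)} kept: {kept}")
```

On this sample the narrow pattern also removes TLS_RSA_WITH_AES_128_CBC_SHA256 because of its trailing `.*`, and the full list from the page leaves only the TLS 1.3 suite and the ECDHE GCM suites enabled.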