vApp is installed with the following insecure ciphers:
20390 | Diffie-Hellman group smaller than 2048 bits |
The following SSL/TLS cipher suites use Diffie-Hellman a prime modulus smaller than 2048 bits:
TLS 1.2 ciphers:
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 with a Diffie-Hellman prime modulus of 1024 bits
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
The insecure ciphers are shown in the output of the following command:
nmap -sV -p 20390 --script ssl-enum-ciphers <IP address>
The documents below are applicable:
Still, they do not completely clarify how to disable the above ciphers.
Release : 14.4
1. The following format should work for IMPS listening on port 20390:
Append the following string to the value of "TLSCipherSuite" in im_ps.conf:
":-DHE-RSA-AES128-SHA:-DHE-RSA-AES128-SHA256:-DHE-RSA-AES128-GCM-SHA256:-DHE-RSA-AES256-GCM-SHA384:-DHE-RSA-AES256-SHA:-DHE-RSA-AES256-SHA256:-DHE-RSA-CAMELLIA128-SHA:-DHE-RSA-CAMELLIA256-SHA"
Alternatively, append ":!DHE" to disable all DHE algorithms.
Restart the service for the changes to take effect.
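The scan finding uses IANA suite names while TLSCipherSuite takes OpenSSL names, so a suite is easy to miss when building the exclusion string. The following Python check is an added example, not part of the original article or the product: it translates the suites from the finding above and confirms that the string from step 1 removes each one. The function names are hypothetical, and the base value "HIGH" is a constructed placeholder for the existing TLSCipherSuite value.

```python
import re

# Suite lines from the scan finding quoted on this page (IANA names).
FINDING = """
TLS_DHE_RSA_WITH_AES_128_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 with a Diffie-Hellman prime modulus of 1024 bits
TLS_DHE_RSA_WITH_AES_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
"""
# Exclusion string from step 1 of this page (OpenSSL names).
EXCLUSIONS = (":-DHE-RSA-AES128-SHA:-DHE-RSA-AES128-SHA256:-DHE-RSA-AES128-GCM-SHA256"
              ":-DHE-RSA-AES256-GCM-SHA384:-DHE-RSA-AES256-SHA:-DHE-RSA-AES256-SHA256"
              ":-DHE-RSA-CAMELLIA128-SHA:-DHE-RSA-CAMELLIA256-SHA")

def iana_to_openssl(name):
    """Translate an IANA DHE_RSA suite name to its OpenSSL name.
    Covers only the AES/CAMELLIA CBC and GCM families named in the finding."""
    m = re.fullmatch(r"TLS_DHE_RSA_WITH_(AES|CAMELLIA)_(128|256)_(CBC|GCM)_(SHA\d*)", name)
    if not m:
        raise ValueError(f"unsupported suite name: {name}")
    alg, bits, mode, mac = m.groups()
    # OpenSSL names join algorithm and key size, keep GCM, and drop CBC.
    parts = ["DHE-RSA", alg + bits] + (["GCM"] if mode == "GCM" else []) + [mac]
    return "-".join(parts)

def flagged_suites(finding, min_bits=2048):
    """OpenSSL names of suites reported with a DH modulus below min_bits."""
    pat = re.compile(r"(TLS_\w+) with a Diffie-Hellman prime modulus of (\d+) bits")
    return [iana_to_openssl(s) for s, b in pat.findall(finding) if int(b) < min_bits]

def uncovered(finding, cipher_string):
    """Flagged suites that cipher_string does not remove.
    Assumes the exclusions come last, so nothing re-adds a suite afterwards."""
    tokens = [t for t in cipher_string.split(":") if t]
    removed = {t[1:] for t in tokens if t[0] in "-!"}
    if "DHE" in removed:  # ":!DHE" removes every DHE suite; ECDHE is a different keyword
        return []
    return [s for s in flagged_suites(finding) if s not in removed]

if __name__ == "__main__":
    base = "HIGH"  # constructed placeholder for the existing TLSCipherSuite value
    print("missed by step 1 string:", uncovered(FINDING, base + EXCLUSIONS))
    print("missed by :!DHE:", uncovered(FINDING, base + ":!DHE"))
```

After the restart, rerunning the nmap ssl-enum-ciphers command shown earlier confirms the result on the live port.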
2. A separate option is available if you want JCS to be changed:
Open the java.security or java.conf file and add the following line to it:
- For Standalone Server: open ConnectorServer/jvm/lib/security/java.security
- For vApp: open /opt/CA/VirtualAppliance/custom/java.conf
jdk.tls.disabledAlgorithms= TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Add the following line to the /opt/CA/IdentityManager/ConnectorServer/data/jvm_options.conf:
-Djava.security.properties=<path to the java.conf or java.security>
For example: -server -Xms128M -Xmx1024M -Djava.awt.headless=true -Dcom.sun.management.jmxremote -Djavax.net.debug=all -Djava.security.properties=/opt/CA/VirtualAppliance/custom/java.conf
Restart the JCS service.
3. Always keep the latest cumulative patch installed.