Vulnerability due to weak HMAC algorithms within the CloudProxy TLS Config

Article ID: 274495

Updated On:

Products

DX SaaS

Issue/Introduction

Our vulnerability management system raised a vulnerability in the CloudProxy servers with the following recommended solution:

Disable any weak HMAC algorithms within the TLS configuration

The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 17 and Safari 9. SSLv2, SSLv3, TLSv1 and TLSv1.1 protocols are not recommended in this configuration. Instead use TLSv1.2 protocol.

Refer to your server vendor documentation to apply the recommended cipher configuration:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SHA1:!DSS

FYI, on verifying the cloudproxy config the parameter is set as:

apm.server.secureprotocols: TLSv1.2

Please advise.

 

Environment

Release :

Resolution

There are two ways to resolve this:

1) Java allows cipher suites to be removed or excluded from use through the security policy file java.security, located in your JRE under $PATH/[JRE]/lib/security. The jdk.tls.disabledAlgorithms property in that file controls TLS cipher selection.

Weak cipher suites can be disabled at the JDK level with the following properties:

  1. jdk.tls.client.protocols=TLSv1.2
  2. jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048

 

2) To enforce TLS 1.3 communication between Cloud Proxy and DX APM SaaS, configure the value of the apm.server.secureClientProtocol parameter to TLSv1.2 or TLSv1.3.

Cloud Proxy doesn't have any external configuration to enable/disable the cipher suites.

The following settings resulted in a successful rescan. After the rescan, the weak cipher vulnerabilities are gone.

# Protocols enabled for encrypted incoming connections (agent side)
apm.server.secureProtocols: TLSv1.2
# Protocols enabled for encrypted outgoing connections (SaaS side)
apm.server.secureClientProtocols: TLSv1.2
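
To triage a "weak HMAC" finding before and after such a change, the suite names in the scan report can be grouped by the MAC that protects TLS records. The script below is an added example, not part of the original article or of Cloud Proxy; it goes slightly beyond the article by accepting both the OpenSSL-style names used in the scanner's recommendation and the IANA/JSSE names a JVM reports, and the SCANNED list is a constructed sample.

```python
import re

# Cipher string recommended by the scanner, copied from the article above.
RECOMMENDED = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SHA1:!DSS"
)
# Constructed sample of suite names a scanner might list for a JVM endpoint.
SCANNED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
AEAD = re.compile(r"GCM|CCM|CHACHA20")
MACS = {"SHA": "HMAC-SHA1", "SHA1": "HMAC-SHA1", "MD5": "HMAC-MD5",
        "SHA256": "HMAC-SHA256", "SHA384": "HMAC-SHA384"}
WEAK = {"HMAC-SHA1", "HMAC-MD5"}


def record_mac(suite):
    """Classify one OpenSSL or IANA/JSSE suite name by its record MAC."""
    name = suite.strip().upper()
    if AEAD.search(name):
        # AEAD suites carry no HMAC; the trailing hash is only the PRF.
        return "AEAD"
    return MACS.get(re.split(r"[-_]", name)[-1], "unknown")


def audit(suites):
    """Group suite names by MAC; '!' entries are OpenSSL exclusions."""
    report = {k: [] for k in ("weak", "hmac", "aead", "unknown", "excluded")}
    for item in filter(None, (s.strip() for s in suites)):
        mac = "excluded" if item.startswith("!") else record_mac(item)
        key = ("weak" if mac in WEAK else "hmac" if mac.startswith("HMAC")
               else mac.lower())
        report[key].append(item)
    return report


if __name__ == "__main__":
    print(audit(RECOMMENDED.split(":")))
    print(audit(SCANNED)["weak"])
```

Anything that lands in the "weak" group is what the scanner's finding refers to; the "hmac" group holds CBC suites with HMAC-SHA256 or HMAC-SHA384, which the recommended string still permits.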