Vulnerability due to weak HMAC algorithms within the CloudProxy TLS Config
search cancel

Vulnerability due to weak HMAC algorithms within the CloudProxy TLS Config


Article ID: 274495


Updated On:




Our vulnerability management system raised a vulnerability in the CloudProxy servers with the following recommended solution:

Disable any weak HMAC algorithms within the TLS configuration

The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 17 and Safari 9. SSLv2, SSLv3, TLSv1 and TLSv1.1 protocols are not recommended in this configuration. Instead use TLSv1.2 protocol.

Refer to your server vendor documentation to apply the recommended cipher configuration:


FYI, on verifying the cloudproxy config the parameter is set as:

apm.server.secureprotocols:  TSLv1.2

Please advise.



Release :


There are two ways to resolve this>

1) Java allows cipher suites to be removed/excluded from use in the security policy file called that’s located in your JRE: $PATH/[JRE]/lib/security The jdk.tls.disabledAlgorithms property in the policy file controls TLS cipher selection.


Weak cipher suites can be disabled at JDK level with following properties,

  1. jdk.tls.client.protocols=TLSv1.2
  2. jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048


2)  To enforce the TLS 1.3 communication between Cloud Proxy and DX APM SaaS, configure the value of 


  parameter to  TLSv1.2 or TLS v1.3

 Cloud proxy doesn't have any external configuration to enable/disable the cipher suites. 

The following settings resulted in a successful rescan. After rescan, the weak cypher vulnerabilities are gone.

 Protocols enabled for encrypted incoming connections (agent side)
apm.server.secureProtocols: TSLv1.2
# Protocols enabled for encrypted outgoing connections (SaaS side)
apm.server.secureClientProtocols: TSLv1.2