How to Avoid using Medium Strength SSL Cipher Suites in EEM, as these may be considered a Vulnerability


Article ID: 36522


Products

EMBEDDED ENTITLEMENTS MGR

Issue/Introduction

ISSUE:

The customer runs a security check on the environment and the check reports the following vulnerability.
 
Cause

Vulnerability: SSL Medium Strength Cipher Suites Supported

Environment:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.

  • Tool reference: Nessus output
  • Port: 509/tcp
 
Here is the list of medium strength SSL ciphers supported by the remote server:

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

TLSv1
EDH-RSA-DES-CBC-SHA          Kx=DH          Au=RSA      Enc=DES-CBC(56)    Mac=SHA1
DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-CBC(56)    Mac=SHA1
 
  • The fields above are:
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
 
 
The change described in the Resolution below makes sure that the DES ciphers are no longer offered when communicating with CA Directory, which is the backing store EEM talks to on this port.
 
Resolution:
To resolve this issue, please do the following:
  1. Open the file itechpoz.dxc under $DXHOME/config/ssld/itechpoz.dxc.
  2. Add: cipher = "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT40:+SSLv2:@STRENGTH"
  3. For reference, default.dxc in the same folder contains a cipher field that is commented out by default.
  4. Stop the dxserver before making the above change, and start it again after the change has been made.
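As an added example (not part of the original article or of CA Directory itself), the POSIX shell script below flags medium-strength suites in a scanner-style cipher listing like the one above and, when openssl is on PATH, expands the cipher string from step 2 to confirm that no DES suite survives. The sample listing and the 56/112-bit thresholds follow the article; the function names and the extra non-DES sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the CA/Broadcom article. Checks (a) scanner-style cipher
# listings and (b) the itechpoz.dxc cipher string for medium-strength suites.

# The cipher string the article says to add to $DXHOME/config/ssld/itechpoz.dxc.
DXC_CIPHER='kEDH:ALL:!ADH:!DES:!LOW:!EXPORT40:+SSLv2:@STRENGTH'

# Constructed sample in the wrapped Nessus layout quoted in the article: the two
# DES suites from the finding plus two suites that must not be flagged.
SAMPLE_SCAN='EDH-RSA-DES-CBC-SHA          Kx=DH          Au=RSA      Enc=DES-CBC(56)
Mac=SHA1
DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-CBC(56)
Mac=SHA1
DES-CBC3-SHA                 Kx=RSA         Au=RSA      Enc=3DES(168)
Mac=SHA1
AES128-SHA                   Kx=RSA         Au=RSA      Enc=AES(128)
Mac=SHA1'

# Read `openssl ciphers -v`-style lines on stdin and print the name of every suite
# whose symmetric key (the number in parentheses after Enc=) is >= 56 and < 112 bits,
# the article's definition of "medium strength". Continuation lines such as a lone
# "Mac=SHA1" carry no Enc= field and are skipped.
medium_strength_ciphers() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/)) {
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
                if (bits >= 56 && bits < 112) print $1
            }
    }'
}

# Number of medium-strength suites in a listing passed as a string; 0 clears the finding.
count_medium() {
    printf '%s\n' "$1" | medium_strength_ciphers | wc -l | tr -d ' '
}

# Expand a cipher string with the local OpenSSL and succeed only if nothing
# medium-strength remains. Returns 2 when openssl is not installed. The result
# reflects the local OpenSSL build's suite set, not the dxserver's own library.
cipher_string_is_clean() {
    command -v openssl >/dev/null 2>&1 || return 2
    n=$(openssl ciphers -v "$1" 2>/dev/null | medium_strength_ciphers | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

count_medium "$SAMPLE_SCAN"   # prints 2
if cipher_string_is_clean "$DXC_CIPHER"; then echo "no medium-strength suites in dxc cipher string"; fi
```

After restarting dxserver, the same listing check can be fed the output of a fresh scan of port 509 to confirm the finding is gone.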

Environment

Component: ETEIAM