A Veracode scan of Spectrum reports the following finding:
CWE-296: Improper Following of a Certificate's Chain of Trust
How can this be mitigated?
DX NetOps Spectrum 23.3.x
Modify $SPECROOT/tomcat/conf/server.xml on the Spectrum OneClick server and add the following attribute to the https <Connector> element (the one with SSLEnabled="true"):
certificateVerification="required"
With this set, Tomcat demands a client certificate on every TLS connection to that port and validates its full chain against the truststore Tomcat is configured with; a client that presents no certificate, or one that does not chain to a trusted CA, fails the TLS handshake. Every browser, REST client and integration that connects to OneClick over this port therefore needs a certificate issued by a CA in that truststore before the change is rolled out.
For example:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
port="8443"
URIEncoding="UTF-8" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
acceptCount="100" connectionTimeout="20000"
scheme="https" secure="true" SSLEnabled="true"
clientAuth="true" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.3"
ciphers="TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
keystoreFile="custom/keystore/cacerts"
keystorePass="changeit"
certificateVerification="required"/>
Afterwards, restart the Spectrum Tomcat service for the change to take effect.
Note: on Tomcat 8.5 and later the legacy clientAuth Connector attribute is an alias for certificateVerification (true = required, want = optional, false = none). If the connector still carries clientAuth="false", remove it or change it to "true"; leaving it next to certificateVerification="required" gives two contradictory values for the same setting, and which one wins depends on attribute order.
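The script below is an added example for this article, not a Spectrum or Broadcom tool. It parses a server.xml, reports every SSLEnabled connector that does not enforce certificateVerification="required" or that carries a contradictory clientAuth value, and writes out a hardened copy. The embedded SAMPLE_SERVER_XML is a constructed fragment modelled on the OneClick connector shown above; all function names are the example's own.

```python
"""Audit and harden the HTTPS <Connector> entries in a Tomcat server.xml so
that client certificate chains are verified (certificateVerification="required").

Added example for this article; not Spectrum's own tooling. Python 3.8+.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Spectrum OneClick fragment in this article
# (trimmed to the attributes that matter here).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.3"
               keystoreFile="custom/keystore/cacerts" keystorePass="changeit"/>
  </Service>
</Server>
"""

# Tomcat 8.5/9 treat the legacy Connector attribute clientAuth as an alias of
# SSLHostConfig certificateVerification with exactly this value mapping.
CLIENT_AUTH_MAP = {"true": "required", "want": "optional", "false": "none"}

NOT_REQUIRED = "NOT_REQUIRED"                  # client cert chain verification not enforced
CLIENT_AUTH_CONFLICT = "CLIENT_AUTH_CONFLICT"  # clientAuth and certificateVerification disagree


def parse_server_xml(text):
    """Parse server.xml keeping XML comments, so a rewrite does not silently
    drop the annotations admins rely on (insert_comments needs Python 3.8+)."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(text, parser=parser)


def https_connectors(root):
    """Only TLS-terminating connectors carry the setting we care about."""
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def audit(connector):
    """Return finding codes for one HTTPS connector (empty list == compliant)."""
    findings = []
    verification = connector.get("certificateVerification")
    legacy = connector.get("clientAuth")
    if verification != "required":
        findings.append(NOT_REQUIRED)
    if verification is not None and legacy is not None:
        # Both attributes set the same SSLHostConfig field; if they disagree,
        # which one wins depends on attribute order, so flag it rather than guess.
        if CLIENT_AUTH_MAP.get(legacy.lower()) != verification:
            findings.append(CLIENT_AUTH_CONFLICT)
    return findings


def harden(root):
    """Set certificateVerification="required" on every HTTPS connector and drop
    the legacy clientAuth alias so the two cannot disagree. Returns the number
    of connectors changed."""
    changed = 0
    for c in https_connectors(root):
        before = (c.get("certificateVerification"), c.get("clientAuth"))
        c.set("certificateVerification", "required")
        if "clientAuth" in c.attrib:
            del c.attrib["clientAuth"]
        if before != ("required", None):
            changed += 1
    return changed


def serialize(root):
    """Serialize back to text (ElementTree drops the declaration, so re-add it)."""
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def main(argv):
    # With a path argument, audit that file and print a hardened copy to stdout;
    # without one, run against the constructed sample above.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SERVER_XML
    root = parse_server_xml(text)
    for c in https_connectors(root):
        print(f'Connector port={c.get("port")}: {audit(c) or ["OK"]}')
    print(f"hardened {harden(root)} connector(s)")
    print(serialize(root))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 audit_connector.py $SPECROOT/tomcat/conf/server.xml > server.xml.new`, diff the result against the original before replacing it, and restart Tomcat. To confirm the setting is live, connect with `openssl s_client -connect <oneclick-host>:8443` without a client certificate: the handshake output now lists "Acceptable client certificate CA names" (the server sent a CertificateRequest) and the connection is rejected, whereas before the change it completes.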