The Agent's listener accepts insecure ciphers
search cancel

The Agent's listener accepts insecure ciphers

book

Article ID: 412307

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

Pen tests revealed several issues concerning the ciphers the Agent accepts:

  • RSA-based key exchange which is widely considered as insecure and should not be used anymore.
  • SHA hashing (in contrast to SHA256/SHA384) can be used which is considered not secure; it is generally strongly recommended to use SHA256 or even SHA384.
  • According to the openssl documentation the server, not the client, should decide the cipher, however it is possible to force the cipher on the client side.

 

The above can be tested with:

openssl s_client -connect <agent_server>:2300 -cipher "ALL"

This will return a cipher. When excluding that cipher with the minus option, a different cipher is proposed, e.g.:

openssl s_client -connect <agent_server>:2300 -cipher "ALL:-ECDHE-RSA-AES256-GCM-SHA384"

When excluding several secure ciphers, an insecure one is accepted, e.g.:

The below command returns the unsecure cipher: ECDHE-RSA-AES128-SHA:

openssl s_client -connect <agent_server>:2300 -cipher "ALL:-ECDHE-RSA-AES256-GCM-SHA384:-ECDHE-RSA-CHACHA20-POLY1305:-ECDHE-RSA-AES128-GCM-SHA256:-ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-AES256-SHA"

In addition, the following (forcing) works as well: 

openssl s_client -connect <agent_server>:2300 -cipher "ECDHE-RSA-AES128-SHA"

With respect to the last point, when proposing 2 ciphers, the listener simply accepts the first instead of choosing the more secure one. So there is no order implemented:

openssl s_client -cipher AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 -connect <agent_server>:2300

Cause

DE128358

Resolution

This issue has been resolved in the c-based Agents by adding the parameter 'cipher' to the Agent's ini-file to choose the cipher to be used.

Solution:

Update to a fix version listed below or a newer version if available.


Fix version:

Component(s): Unix Agent (solely C-based)

Automation.Engine 21.0.14 HF1
Automation.Engine 21.0.15
Automation.Engine 24.4.2

Note that for the Java-based Agents, this will be implemented at a later stage. Within the used Java installation, it is possible to limit the ciphers in <JDK>/lib/security/java.security

Powered by Wolken Software