Weak Cipher suite Vulnerability message in EM Log


Article ID: 430701


Products

CA Application Performance Management (APM / Wily / Introscope), DX APM SaaS, DX Application Performance Management, DX OI SaaS, DX Operational Intelligence, DX Operational Observability, DX SaaS

Issue/Introduction

The EM log shows the following vulnerability-related warnings, one per TLS_RSA_ cipher suite that is still enabled:

WARN 8636 --- [WrapperSimpleAppMain] o.e.jetty.util.ssl.SslContextFactory.config : Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for <server name>[provider=null,keyStore=<keystore filepath>]
WARN 8636 --- [WrapperSimpleAppMain] o.e.jetty.util.ssl.SslContextFactory.config : Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for <server name>[provider=null,keyStore=<keystore filepath>]
WARN 8636 --- [WrapperSimpleAppMain] o.e.jetty.util.ssl.SslContextFactory.config : Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for <server name>[provider=null,keyStore=<keystore filepath>]
WARN 8636 --- [WrapperSimpleAppMain] o.e.jetty.util.ssl.SslContextFactory.config : Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for <server name>[provider=null,keyStore=<keystore filepath>]

Environment

EM version : 10.8.1.6

Resolution

The warnings are emitted by Jetty's SslContextFactory and concern a different weakness from the ones the shipped exclusion list already covers: the TLS_RSA_* suites use static RSA key exchange, so they provide no forward secrecy. The fix is to exclude them in em-jetty-config.xml by adding <Item>^TLS_RSA_.*$</Item> to the <Set name="excludeCipherSuites"> section. The full section then reads:

    <!-- Exclude weak and obsolete cipher suites. -->
    <Set name="excludeCipherSuites">
      <Array type="java.lang.String">
        <Item>^.*_MD\d$</Item>
        <Item>^.*_NULL.*$</Item>
        <Item>^.*_anon.*$</Item>
        <Item>^.*_RC\d.*$</Item>
        <Item>^.*_3?DES.*$</Item>
        <Item>^.*_DHE.*$</Item>
        <!-- SHA1 is necessary to support TLS 1.1 ciphers.
             If TLS 1.1 does not need to be supported,
             SHA1 can be disabled as well. -->
        <Item>^.*_SHA1?$</Item>
        <Item>^TLS_RSA_.*$</Item>
      </Array>
    </Set>
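As an added check (example code written for this article, not part of the product or of Jetty), the script below reads the excludeCipherSuites patterns from the section above, applies them the way Jetty does (a full-string regex match), and confirms that the suites named in the EM warnings are now excluded while ECDHE and TLS 1.3 suites remain available. The log excerpt, host name and keystore path are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed: the article's excludeCipherSuites section plus the TLS_RSA_ item,
# wrapped in a minimal root element so it parses stand-alone.
JETTY_CONFIG = r"""<Configure>
  <Set name="excludeCipherSuites">
    <Array type="java.lang.String">
      <Item>^.*_MD\d$</Item>
      <Item>^.*_NULL.*$</Item>
      <Item>^.*_anon.*$</Item>
      <Item>^.*_RC\d.*$</Item>
      <Item>^.*_3?DES.*$</Item>
      <Item>^.*_DHE.*$</Item>
      <Item>^.*_SHA1?$</Item>
      <Item>^TLS_RSA_.*$</Item>
    </Array>
  </Set>
</Configure>"""

# Constructed EM log excerpt; host name and keystore path are placeholders.
EM_LOG = """\
WARN 8636 --- [WrapperSimpleAppMain] o.e.jetty.util.ssl.SslContextFactory.config : Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for em-host[provider=null,keyStore=/opt/em/config/keystore]
WARN 8636 --- [WrapperSimpleAppMain] o.e.jetty.util.ssl.SslContextFactory.config : Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for em-host[provider=null,keyStore=/opt/em/config/keystore]
"""

WEAK_RE = re.compile(r"Weak cipher suite (\S+) enabled for")

def weak_suites_from_log(log_text):
    """Cipher suites Jetty's SslContextFactory flagged as weak, in log order."""
    matches = (WEAK_RE.search(line) for line in log_text.splitlines())
    return [m.group(1) for m in matches if m]

def exclude_patterns(config_xml):
    """Compile the excludeCipherSuites regexes; Jetty applies them with
    Matcher.matches(), i.e. a full-string match."""
    root = ET.fromstring(config_xml)
    items = root.findall("./Set[@name='excludeCipherSuites']/Array/Item")
    return [re.compile(item.text.strip()) for item in items]

def still_enabled(suites, patterns):
    """Suites that no exclusion pattern fully matches."""
    return [s for s in suites if not any(p.fullmatch(s) for p in patterns)]

if __name__ == "__main__":
    patterns = exclude_patterns(JETTY_CONFIG)
    logged = weak_suites_from_log(EM_LOG)
    print("still enabled without TLS_RSA_ item:", still_enabled(logged, patterns[:-1]))
    print("still enabled with TLS_RSA_ item   :", still_enabled(logged, patterns))
    print("forward-secret suites kept:", still_enabled(["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"], patterns))
```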

The same exclusion in em-jetty-config.xml and webview-jetty-config.xml will be included in the SAP release build 990823 (10.8.0.229). Until then, apply the steps above manually.