Remediating the "Birthday Attacks Against TLS Ciphers With 64bit Block Size" Vulnerability

Article ID: 8985

Products

CA API Gateway

Issue/Introduction

"Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)" in our XML gateway servers. 
CVE-2016-2183 

Even after applying the latest monthly platform patch, our security scans indicate we are susceptible to this vulnerability.

Environment

API Gateway 9.2 / API Gateway 8.4

Cause

The finding is caused by DES ciphers being enabled on the gateway listen ports.

Resolution

For port 8443, or any other listen port that the customer has configured, you can edit the cipher list.

From Policy Manager's Task menu -> Transports -> Manage Listen Ports -> select port 8443 or any other HTTPS protocol port that the customer would like to configure -> click Properties -> SSL/TLS Settings tab -> unselect the last six or so ciphers that have "DES" in their names.

The DES option was left in for customers who want to maintain legacy client support. Turning off the DES ciphers should make the scan result much cleaner for the customer.
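
To confirm the change took effect, a rescan of the listen port should show no cipher suite with "DES" in its name. The following is an added example, not part of the original article or the product: it assumes the rescan is done with nmap's `ssl-enum-ciphers` script (the article does not name a scanner) and parses a constructed sample of that output, listing every DES suite still offered per port and protocol version.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 8443 <gateway>` output
# (illustrative only, not captured from a real gateway).
SAMPLE_SCAN = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - F
|     cipher preference: server
|_  least strength: F
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):")
SUITE_RE = re.compile(r"^\|\s+((?:TLS|SSL)_\w+)")
# "DES" as a whole token of the suite name: DES, 3DES or DES40 (never matches AES).
DES_TOKEN_RE = re.compile(r"_(?:3DES|DES40|DES)_")

def des_suites(scan_text):
    """Return {(port, protocol): [suite, ...]} for every DES suite still offered."""
    findings = {}
    port = proto = None
    for line in scan_text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
        elif (m := SUITE_RE.match(line)) and DES_TOKEN_RE.search(m.group(1)):
            findings.setdefault((port, proto), []).append(m.group(1))
    return findings

if __name__ == "__main__":
    for (port, proto), suites in des_suites(SAMPLE_SCAN).items():
        print(f"port {port} {proto}: still offers {', '.join(suites)}")
```

An empty result for every HTTPS listen port means the DES ciphers were unselected on all of them; any remaining entry names the port and suite that still need to be unchecked in the SSL/TLS Settings tab.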