Service Virtualization: Weak key size for TLSv1.2

Article ID: 251607

Products

Service Virtualization

Issue/Introduction

After disabling the lower-level SSL and TLS protocols, and only using TLSv1.2 for our DevTest components, we are still failing our internal security scan. The Security team is now flagging the system with the following statement:

The increase in vulnerability is due to the weak key size for TLS1.2, and the minimum size needs to be 112 keys.

Environment

All supported DevTest releases and platforms.

Cause

The Cipher keys are determined by the Java Runtime environment.

Resolution

The easiest way to solve this issue is to modify the DEVTEST_HOME\jre\lib\security\java.security file and change the DH keySize constraint in jdk.tls.disabledAlgorithms so that DH key exchange must use keys of at least 2048 bits. By default, the constraint is DH keySize < 1024.

Change:

jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

To:

jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DHE

You will need to make this change on all DevTest servers. You will need to bounce the DevTest services before the change takes effect.

Additional Information

If you are working in a high-performance environment, the TLS_DHE ciphers tend to run slower. Therefore, you may want to disable them manually by listing them explicitly in jdk.tls.disabledAlgorithms. You can run the attached 'Supported_Java_Ciphers_v2.mar' (DevTest Test) to see which ciphers the JVM supports, and then modify the java.security file so that the TLS_DHE_... ciphers are not used. Note: This test uses the JRE from the DevTest Workstation machine where the test was executed.

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
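
Because the change has to be made on every DevTest server, a small check of each java.security file helps confirm that none was missed. The following is an added example, not part of the original article or of DevTest: it parses jdk.tls.disabledAlgorithms (including backslash line continuations) and reports the DH key-size floor and any disabled TLS_DHE_ suites. The function names and the embedded sample text are assumptions made for illustration.

```python
import re

# Constructed sample input: the "Change" and "To" values shown in this article.
BEFORE = r"""# default entry
jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
AFTER = r"""jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DHE
"""

def disabled_algorithms(text, key="jdk.tls.disabledAlgorithms"):
    """Return the comma-separated entries of `key`, joining continued lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            buf += line[:-1]  # value continues on the next physical line
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)  # file ended in the middle of a continuation
    entries = []
    for line in logical:
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            # A later definition of the same key replaces an earlier one.
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def audit(text, min_dh_bits=2048):
    """Check the DH floor and list how DHE is restricted in a java.security text."""
    entries = disabled_algorithms(text)
    dh_floor = 0  # 0 means no "DH keySize < N" entry was found
    for e in entries:
        m = re.fullmatch(r"DH\s+keySize\s*<\s*(\d+)", e)  # only the "<" form used here
        if m:
            dh_floor = max(dh_floor, int(m.group(1)))
    return {"dh_floor": dh_floor, "dh_ok": dh_floor >= min_dh_bits,
            "dhe_entry": "DHE" in entries,
            "dhe_suites": sorted(e for e in entries if e.startswith("TLS_DHE_"))}

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```

To check a real installation, pass the contents of DEVTEST_HOME\jre\lib\security\java.security to audit() on each server.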

 

For more information on configuring jdk.tls.disabledAlgorithms, see Oracle's JDK and JRE Cryptographic Algorithms page.

Attachments

1665093383866__Supported_Java_Ciphers_v2.mar