Naima Djouhri created ATLAS-349:
-----------------------------------

             Summary: SSL - Atlas SSL connection has weak/unsafe Ciphers suites
                 Key: ATLAS-349
                 URL: https://issues.apache.org/jira/browse/ATLAS-349
             Project: Atlas
          Issue Type: Bug
    Affects Versions: 0.6-incubating
            Reporter: Naima Djouhri


After establishing an Atlas SSL connection, I wanted to see the cipher suites of the 
Atlas server.
Ran the following (note: plain ASCII hyphens, and no space after the comma in the script list):
nmap -Pn --script ssl-cert,ssl-enum-ciphers -p 21443 localhost

Got the following results:
ssl-enum-ciphers:
   TLSv1.0:
     ciphers:
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - E
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - C
       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - C
       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
       TLS_RSA_WITH_RC4_128_MD5 (rsa 512) - C
       TLS_RSA_WITH_RC4_128_SHA (rsa 512) - C
     compressors:
       NULL
     cipher preference: client
     warnings:
       Ciphersuite uses MD5 for message integrity
       Weak certificate signature: SHA1
|_  least strength: E
MAC Address: 00:00:00:41:47:4E (Xerox)
Nmap done: 1 IP address (1 host up) scanned in 8.75 seconds

The unsafe ciphers need to be excluded.
Per the Jetty "Configuring SSL/TLS" documentation, section "Disabling/Enabling 
specific cipher suites":
http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
ExcludeCipherSuites needs to be set.
Since Atlas runs an embedded Jetty, this property needs to be set in Atlas's own 
server setup to exclude the weak/unsafe cipher suites (RC4, 3DES, MD5-based and 
static-RSA suites in the scan above).
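As an added illustration (not Atlas code, and not from the Jetty documentation), this is what setting the exclusion on a programmatically embedded Jetty 9 SslContextFactory looks like; the keystore path, password and regex patterns are assumed values chosen to match the suites flagged in the scan above:

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HardenedEmbeddedJetty {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/keystore.jks");   // placeholder path
        ssl.setKeyStorePassword("changeit");             // placeholder password

        // Drop TLSv1.0 (the only protocol the scan enumerated); offer TLSv1.2 only.
        ssl.setIncludeProtocols("TLSv1.2");

        // Exclude patterns are regular expressions in Jetty 9. These cover the
        // suites graded C/E above: RC4, 3DES, MD5 integrity, and static RSA key
        // exchange (no forward secrecy), plus NULL/anonymous suites as a safety net.
        ssl.setExcludeCipherSuites(
                ".*RC4.*",
                ".*3DES.*",
                ".*_MD5",
                "TLS_RSA_.*",
                "SSL_.*",
                ".*NULL.*",
                ".*anon.*");

        // Note: the "rsa 512" / "dh 1024" sizes in the scan come from the keystore
        // certificate and JVM DH defaults, not from the cipher-suite list; they
        // need a stronger key pair / JVM setting, not just an exclusion here.

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecurePort(21443);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(21443);
        server.addConnector(connector);

        server.start();
        server.join();
    }
}
```

Re-running the same nmap ssl-enum-ciphers scan after the change is the quickest way to confirm that only the intended suites remain.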

The Open Web Application Security Project (OWASP) has a useful list of recommended tools for 
testing for weak SSL/TLS ciphers:
https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29#Tools
