[ https://issues.apache.org/jira/browse/AMBARI-22533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rohit Rai Malhotra updated AMBARI-22533:
----------------------------------------
    Description: 
List of weak ciphers and protocols by default:

Vulnerable connection combinations :

SSL/TLS version : TLSv1.2
Cipher suite : TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.2
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.2
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code} {export flag}

  was:
Below is the list of weak ciphers and protocols which can be disabled by
default from Ambari:
Vulnerable connection combinations :
SSL/TLS version : TLSv1.2
Cipher suite : TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.2
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.2
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code} {export flag}


> Disable Weak cipher and protocols from Ambari by default
> --------------------------------------------------------
>
>                 Key: AMBARI-22533
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22533
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>            Reporter: Rohit Rai Malhotra
>            Priority: Minor



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
