We are still getting security violations on our NiFi instance. I have 
attempted to resolve this with the following entry (listed at the bottom of 
this email) in the configuration file but it doesn't seem to be enough.

Any suggestions on additional changes that are required to resolve this?

Thank you.

Rodney

Weak SSL/TLS Key Exchange
PROTOCOL  CIPHER NAME                GROUP  KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
TLSv1.2   DHE-RSA-AES256-GCM-SHA384  DHE    1024      yes             80                  low

QID Detection Logic:
For a SSL enabled port, the scanner probes and maintains a list of 
supported SSL/TLS versions. For each supported version, the scanner does a SSL 
handshake to get a list of KEX methods supported by the server. It reports all 
KEX methods that are considered weak. The criteria of a weak KEX method is as 
follows:
The SSL/TLS server supports key exchanges that are cryptographically weaker 
than recommended. Key exchanges should provide at least 112 bits of security, 
which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA 
key exchanges.

Change the SSL/TLS server configuration to only allow strong key exchanges. Key 
exchanges should provide at least 112 bits of security, which translates to a 
minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.

# Include or Exclude TLS Cipher Suites for HTTPS
#nifi.web.https.ciphersuites.include=
nifi.web.https.ciphersuites.include=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
nifi.web.https.ciphersuites.exclude=
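
An added example, not part of the original message or of NiFi: the scanner row reports a DHE key exchange with a 1024-bit key size, and `DHE-RSA-AES256-GCM-SHA384` is the OpenSSL name of `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, so this Python check reads the two `nifi.web.https.ciphersuites.*` properties and lists the included suites that negotiate finite-field DHE. The function names, the shortened sample property text, and the treatment of entries as exact names with exclude overriding include are assumptions of the example.

```python
import re

# Constructed sample: the properties from the message, include list shortened.
SAMPLE_PROPERTIES = """\
# Include or Exclude TLS Cipher Suites for HTTPS
#nifi.web.https.ciphersuites.include=
nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
nifi.web.https.ciphersuites.exclude=
"""
INCLUDE_KEY = "nifi.web.https.ciphersuites.include"
EXCLUDE_KEY = "nifi.web.https.ciphersuites.exclude"
# In an IANA suite name the key exchange sits between "TLS_" and "_WITH_".
KEX_RE = re.compile(r"^TLS_(.+?)_WITH_")
FAMILIES = {"ECDHE": "ECDHE", "DHE": "DHE", "ECDH": "static-ECDH",
            "DH": "static-DH", "RSA": "RSA"}


def read_suite_list(properties_text, key):
    """Return the comma-separated value of `key`; commented lines are skipped."""
    suites = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:  # a later duplicate key wins
            suites = [s.strip() for s in value.split(",") if s.strip()]
    return suites


def key_exchange(suite):
    """Classify a TLS 1.2-style suite name by key-exchange family."""
    m = KEX_RE.match(suite)
    if not m:
        return "unknown"  # e.g. TLS 1.3 names, which carry no key exchange
    return FAMILIES.get(m.group(1).split("_")[0], "other")


def finite_field_dhe_suites(properties_text):
    """Included, non-excluded suites that negotiate finite-field DHE."""
    # Assumption: entries are exact suite names and exclude overrides include.
    excluded = set(read_suite_list(properties_text, EXCLUDE_KEY))
    return [s for s in read_suite_list(properties_text, INCLUDE_KEY)
            if s not in excluded and key_exchange(s) == "DHE"]


if __name__ == "__main__":
    for suite in finite_field_dhe_suites(SAMPLE_PROPERTIES):
        print("finite-field DHE key exchange:", suite)
```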



