Rodney,

Thanks for raising the question and providing the details of the current cipher suites included in nifi.properties.

Are you using Java 8, or a newer version? The version of Java can impact supported cipher suites.

The Diffie-Hellman key size is indirectly related to the cipher suites specified, but the cipher suite itself does not specify a particular DH key size. Changing the minimum DH key size requires customizing the Java Security settings and disallowing smaller key sizes. This can impact compatibility with older clients, but if it is a security requirement and the client impact is understood, updating the java.security policy should work.

The following article provides a helpful example of the necessary adjustments to java.security:

https://www.ibm.com/support/pages/how-disable-ssltls-diffie-hellman-keys-less-2048-bits

It is worth noting that the article recommends disabling TLS_DHE cipher suites due to the computational overhead of larger DH key sizes when using those particular options.

Regards,
David Handermann

On Mon, Jan 9, 2023 at 11:57 AM Rodney Ziebol <[email protected]> wrote:

> We are still getting security violations on our NiFi instance. I have
> attempted to resolve this with the following entry (listed at the bottom of
> this email) in the configuration file but it doesn't seem to be enough.
>
> Any suggestions on additional changes that are required to resolve this?
>
> Thank you.
>
> Rodney
>
> Weak SSL/TLS Key Exchange
>
> PROTOCOL  CIPHER NAME                GROUP  KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
> TLSv1.2   DHE-RSA-AES256-GCM-SHA384  DHE    1024      yes             80                  low
>
> QID Detection Logic:
>
> For a SSL enabled port, the scanner probes and maintains a list of
> supported SSL/TLS versions. For each supported version, the scanner does a
> SSL handshake to get a list of KEX methods supported by the server. It
> reports all KEX methods that are considered weak. The criteria of a weak
> KEX method is as follows:
>
> The SSL/TLS server supports key exchanges that are cryptographically
> weaker than recommended. Key exchanges should provide at least 112 bits of
> security, which translates to a minimum key size of 2048 bits for Diffie
> Hellman and RSA key exchanges.
>
> Change the SSL/TLS server configuration to only allow strong key
> exchanges. Key exchanges should provide at least 112 bits of security,
> which translates to a minimum key size of 2048 bits for Diffie Hellman and
> RSA key exchanges.
>
> # Include or Exclude TLS Cipher Suites for HTTPS
> #nifi.web.https.ciphersuites.include=
> nifi.web.https.ciphersuites.include=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
> nifi.web.https.ciphersuites.exclude=
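The exchange above turns on one point: the nifi.properties include list names TLS_DHE_* suites, but none of those names fixes a DH group size, so the 1024-bit finding has to be closed either in java.security (a "DH keySize < 2048" constraint in jdk.tls.disabledAlgorithms, as the linked article shows) or by dropping the DHE suites altogether. The following script is an added example, not NiFi project code and not from either poster: it parses an include list, separates the suites whose DH size the JVM decides, checks a jdk.tls.disabledAlgorithms line for the key-size floor, and produces both remediations. The java.security line it starts from is constructed for the example (the real default differs by JDK release); the function names are the example's own.

```python
"""Audit a nifi.properties cipher suite include list against a weak-DH finding.

Facts relied on:
  * TLS_DHE_* suites use ephemeral finite-field Diffie-Hellman; the group size
    is chosen by the JVM at handshake time, not by the suite name.
  * jdk.tls.disabledAlgorithms in java.security accepts a "DH keySize < N"
    constraint that rejects DH keys smaller than N bits.
The sample property values below are constructed for this example.
"""
import re

# Sample include list (the value posted in the thread).
NIFI_INCLUDE = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_DHE_RSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_256_CCM,"
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,"
    "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"
)

# Constructed sample java.security line with a DH floor that is too low.
JAVA_SECURITY_WEAK = (
    "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, "
    "MD5withRSA, DH keySize < 1024"
)

# Negative lookbehind keeps "ECDH keySize < ..." from matching as a DH constraint.
_DH_CONSTRAINT = re.compile(r"(?<![A-Z])DH\s+keySize\s*<\s*(\d+)")


def parse_suites(value):
    """Split a comma-separated nifi.web.https.ciphersuites.* value into names."""
    return [s.strip() for s in value.split(",") if s.strip()]


def key_exchange(suite):
    """Key-exchange token of a TLS 1.2 suite name (ECDHE, ECDH, DHE, RSA, ...)."""
    parts = suite.split("_")
    if parts[0] != "TLS" or "WITH" not in parts:
        return None  # TLS 1.3 names (TLS_AES_...) carry no key-exchange token
    return parts[1]


def dhe_suites(suites):
    """Suites whose DH group size is decided by the JVM rather than the suite."""
    return [s for s in suites if key_exchange(s) == "DHE"]


def min_allowed_dh_bits(disabled_algorithms):
    """Smallest DH key size the line still accepts, or None if unconstrained."""
    m = _DH_CONSTRAINT.search(disabled_algorithms)
    return int(m.group(1)) if m else None


def require_min_dh(disabled_algorithms, bits=2048):
    """Remediation 1: enforce 'DH keySize < bits', replacing any weaker floor."""
    if _DH_CONSTRAINT.search(disabled_algorithms):
        return _DH_CONSTRAINT.sub(f"DH keySize < {bits}", disabled_algorithms)
    return disabled_algorithms.rstrip() + f", DH keySize < {bits}"


def without_dhe(include_value):
    """Remediation 2: drop every TLS_DHE_* suite from the include list."""
    return ",".join(s for s in parse_suites(include_value) if key_exchange(s) != "DHE")


def assess(include_value, disabled_algorithms, required_bits=2048):
    """Report whether the finding is still open for this pair of settings."""
    suites = parse_suites(include_value)
    dhe = dhe_suites(suites)
    floor = min_allowed_dh_bits(disabled_algorithms)
    # Open while a DHE suite is offered and the JVM may still accept a group
    # below the required size.
    finding_open = bool(dhe) and (floor is None or floor < required_bits)
    return {"dhe_suites": dhe, "min_dh_bits": floor, "finding_open": finding_open}


if __name__ == "__main__":
    report = assess(NIFI_INCLUDE, JAVA_SECURITY_WEAK)
    print(f"DHE suites offered: {len(report['dhe_suites'])} of "
          f"{len(parse_suites(NIFI_INCLUDE))}")
    print(f"DH floor in java.security: {report['min_dh_bits']}")
    print(f"finding open: {report['finding_open']}")
    print("hardened java.security line:\n  " + require_min_dh(JAVA_SECURITY_WEAK))
    print("include list without DHE suites:\n  " + without_dhe(NIFI_INCLUDE))
```

Either remediation closes the finding on its own: the first keeps forward-secret DHE available to clients that lack ECDHE at the cost of the larger-group overhead David mentions, the second simply stops offering finite-field DH. The size of the DH group the JVM generates for its own DHE handshakes is also influenced by the jdk.tls.ephemeralDHKeySize system property, so after changing java.security the result should be confirmed with a fresh scan rather than assumed.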
