atlas-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Naima Djouhri (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (ATLAS-349) SSL - Atlas SSL connection has weak/unsafe Ciphers suites
Date Thu, 17 Dec 2015 15:34:46 GMT

     [ https://issues.apache.org/jira/browse/ATLAS-349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Naima Djouhri reassigned ATLAS-349:
-----------------------------------

    Assignee: Naima Djouhri

> SSL - Atlas SSL connection has weak/unsafe Ciphers suites
> ---------------------------------------------------------
>
>                 Key: ATLAS-349
>                 URL: https://issues.apache.org/jira/browse/ATLAS-349
>             Project: Atlas
>          Issue Type: Bug
>    Affects Versions: 0.6-incubating
>            Reporter: Naima Djouhri
>            Assignee: Naima Djouhri
>
> After establishing an Atlas SSL , I wanted to see the Cipher suites of the Atlas server.
> Run the following 
> nmap –Pn –script ssl-cert, ssl-enum-ciphers –p 21443 localhost
> Got the following results
> ssl-enum-ciphers:
>    TLSv1.0:
>      ciphers:
>        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
>        TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
>        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - E
>        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - C
>        TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - C
>        TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
>        TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
>        TLS_RSA_WITH_RC4_128_MD5 (rsa 512) - C
>        TLS_RSA_WITH_RC4_128_SHA (rsa 512) - C
>      compressors:
>        NULL
>      cipher preference: client
>      warnings:
>        Ciphersuite uses MD5 for message integrity
>        Weak certificate signature: SHA1
> _  least strength: E
> AC Address: 00:00:00:41:47:4E (Xerox)
> map done: 1 IP address (1 host up) scanned in 8.75 seconds
> The unsafe ciphers need to be excluded 
> Per jetty/Configuring/SSL/TLS documentation at the section Disabling/Enabling specific
cipher suites 
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
> ExcludeCipherSuites need to be set 
> But since Atlas has an embedded jetty, this property need to be set to exclude the weak/unsafe
cipher suites
> The Open Web Application Project (OWASP) has a nice recommendation tools for testing
for weak SSL/TLS ciphers 
> https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29#Tools



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message