Date: Thu, 17 Dec 2015 15:34:46 +0000 (UTC)
From: "Naima Djouhri (JIRA)"
To: dev@atlas.incubator.apache.org
Subject: [jira] [Assigned] (ATLAS-349) SSL - Atlas SSL connection has weak/unsafe Ciphers suites

     [ https://issues.apache.org/jira/browse/ATLAS-349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Naima Djouhri reassigned ATLAS-349:
-----------------------------------

    Assignee: Naima Djouhri

> SSL - Atlas SSL connection has weak/unsafe Ciphers suites
> ---------------------------------------------------------
>
>                 Key: ATLAS-349
>                 URL: https://issues.apache.org/jira/browse/ATLAS-349
>             Project: Atlas
>          Issue Type: Bug
>    Affects Versions: 0.6-incubating
>            Reporter: Naima Djouhri
>            Assignee: Naima Djouhri
>
> After establishing an Atlas SSL connection, I wanted to see the cipher suites of the Atlas server.
> Run the following:
> nmap -Pn --script ssl-cert,ssl-enum-ciphers -p 21443 localhost
> Got the following results:
> | ssl-enum-ciphers:
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
> |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - E
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - C
> |       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - C
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
> |       TLS_RSA_WITH_RC4_128_MD5 (rsa 512) - C
> |       TLS_RSA_WITH_RC4_128_SHA (rsa 512) - C
> |     compressors:
> |       NULL
> |     cipher preference: client
> |     warnings:
> |       Ciphersuite uses MD5 for message integrity
> |       Weak certificate signature: SHA1
> |_  least strength: E
> MAC Address: 00:00:00:41:47:4E (Xerox)
> Nmap done: 1 IP address (1 host up) scanned in 8.75 seconds
>
> The unsafe ciphers need to be excluded.
> Per the Jetty "Configuring SSL/TLS" documentation, section "Disabling/Enabling specific cipher suites"
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
> ExcludeCipherSuites needs to be set.
> But since Atlas has an embedded Jetty, this property needs to be set to exclude the weak/unsafe cipher suites.
> The Open Web Application Security Project (OWASP) has a nice list of recommended tools for testing for weak SSL/TLS ciphers:
> https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29#Tools

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
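The following Python script is an added example, not part of the JIRA issue or of the Atlas code base. It parses the ssl-enum-ciphers block that nmap prints, flags each offered suite for the problems the scan above exposes (RC4, 3DES, MD5 integrity, 1024-bit DH, 512-bit RSA, a 160-bit curve), and derives the regex patterns that Jetty's ExcludeCipherSuites setting accepts. The sample input is the scan output from the issue, re-typed here with nmap's "|" line prefixes; the rule table, the 2048-bit and 256-bit thresholds, and the extra rule against static RSA key exchange (which goes beyond what the issue flags) are this example's own assumptions.

```python
import re

# Constructed sample input: the ssl-enum-ciphers block from ATLAS-349,
# with nmap's "|" prefixes restored.  Not a live scan.
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - E
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - C
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 512) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 512) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: E
"""

# One protocol header ("TLSv1.0:") and one suite line per regex.
PROTO_RE = re.compile(r"^\|?\s*(SSLv\d|TLSv\d\.\d):\s*$")
SUITE_RE = re.compile(
    r"^\|?\s*(?P<suite>(?:TLS|SSL)_[A-Z0-9_]+)\s*"
    r"\((?P<kex>[^)]*)\)\s*-\s*(?P<grade>[A-F])\s*$")

# Suite-name rules as (Jetty ExcludeCipherSuites regex, reason).  These are
# the example's own choices; the patterns are valid in both Java and Python.
SUITE_RULES = [
    (r"^.*_RC4_.*$", "RC4 stream cipher"),
    (r"^.*_3DES_.*$", "3DES (64-bit block cipher)"),
    (r"^.*_MD5$", "MD5 for message integrity"),
    (r"^.*_NULL_.*$", "NULL (no encryption)"),
    (r"^.*_anon_.*$", "anonymous key exchange"),
    (r"^.*_EXPORT.*$", "export-grade key size"),
    (r"^TLS_RSA_.*$", "static RSA key exchange (no forward secrecy)"),
]


def parse_enum_ciphers(text):
    """Return (protocol, suite, kex_params, nmap_grade) for each suite line."""
    suites, proto = [], None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and proto:
            suites.append((proto, m.group("suite"), m.group("kex"), m.group("grade")))
    return suites


def kex_weakness(kex):
    """Flag weak key-exchange parameters such as "dh 1024", "rsa 512" or
    "secp160k1".  These come from the server key and the JVM's DH/EC settings,
    not from the suite name, so excluding suites alone does not fix them."""
    m = re.fullmatch(r"(dh|rsa) (\d+)", kex)
    if m and int(m.group(2)) < 2048:          # threshold is an assumption
        return "%s %s-bit key exchange" % (m.group(1), m.group(2))
    m = re.fullmatch(r"secp(\d+)[kr]\d", kex)
    if m and int(m.group(1)) < 256:           # threshold is an assumption
        return "%s curve below 256 bits" % kex
    return None


def assess(text):
    """Return ({suite: [reasons]}, [jetty_exclude_patterns]) for every offered
    suite that should not be accepted."""
    findings, patterns = {}, []
    for _proto, suite, kex, _grade in parse_enum_ciphers(text):
        reasons = []
        for pattern, why in SUITE_RULES:
            if re.match(pattern, suite):
                reasons.append(why)
                if pattern not in patterns:
                    patterns.append(pattern)
        weak_kex = kex_weakness(kex)
        if weak_kex:
            reasons.append(weak_kex)
        if reasons:
            findings[suite] = reasons
    return findings, patterns


if __name__ == "__main__":
    found, excludes = assess(SAMPLE_NMAP_OUTPUT)
    for suite, reasons in found.items():
        print("%-40s %s" % (suite, "; ".join(reasons)))
    print("\nJetty ExcludeCipherSuites patterns:")
    for pattern in excludes:
        print("  " + pattern)
```

The returned patterns are the strings one would pass to Jetty 9's SslContextFactory.setExcludeCipherSuites(...), which treats each entry as a regex against the JVM's enabled suite names. Two caveats the scan also shows: "rsa 512", "dh 1024" and "secp160k1" describe the server key and the JVM's ephemeral key-exchange parameters, so they persist after the suites are excluded (regenerate the key with at least 2048 bits and, on Java 8, set -Djdk.tls.ephemeralDHKeySize=2048), and "cipher preference: client" means the server lets the client pick the order, so a suite that is merely deprioritised rather than excluded can still be negotiated.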