You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@atlas.apache.org by "Shwetha G S (JIRA)" <ji...@apache.org> on 2016/02/18 09:12:18 UTC
[jira] [Updated] (ATLAS-349) SSL - Atlas SSL connection has
weak/unsafe Ciphers suites
[ https://issues.apache.org/jira/browse/ATLAS-349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shwetha G S updated ATLAS-349:
------------------------------
Attachment: ATLAS-349-v1.patch
Attaching the latest patch from reviewboard
> SSL - Atlas SSL connection has weak/unsafe Ciphers suites
> ---------------------------------------------------------
>
> Key: ATLAS-349
> URL: https://issues.apache.org/jira/browse/ATLAS-349
> Project: Atlas
> Issue Type: Bug
> Affects Versions: 0.6-incubating
> Reporter: Naima Djouhri
> Assignee: Naima Djouhri
> Fix For: trunk
>
> Attachments: ATLAS-349-V0.patch, ATLAS-349-v1.patch
>
>
> After establishing an Atlas SSL , I wanted to see the Cipher suites of the Atlas server.
> Run the following
> nmap –Pn –script ssl-cert, ssl-enum-ciphers –p 21443 localhost
> Got the following results
> ssl-enum-ciphers:
> TLSv1.0:
> ciphers:
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - E
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - C
> TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - C
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
> TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
> TLS_RSA_WITH_RC4_128_MD5 (rsa 512) - C
> TLS_RSA_WITH_RC4_128_SHA (rsa 512) - C
> compressors:
> NULL
> cipher preference: client
> warnings:
> Ciphersuite uses MD5 for message integrity
> Weak certificate signature: SHA1
> _ least strength: E
> AC Address: 00:00:00:41:47:4E (Xerox)
> map done: 1 IP address (1 host up) scanned in 8.75 seconds
> The unsafe ciphers need to be excluded
> Per jetty/Configuring/SSL/TLS documentation at the section Disabling/Enabling specific cipher suites
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
> ExcludeCipherSuites need to be set
> But since Atlas has an embedded jetty, this property need to be set to exclude the weak/unsafe cipher suites
> The Open Web Application Project (OWASP) has a nice recommendation tools for testing for weak SSL/TLS ciphers
> https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29#Tools
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)