Posted to dev@atlas.apache.org by "Shwetha G S (JIRA)" <ji...@apache.org> on 2016/02/18 09:12:18 UTC

[jira] [Updated] (ATLAS-349) SSL - Atlas SSL connection has weak/unsafe Ciphers suites

     [ https://issues.apache.org/jira/browse/ATLAS-349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shwetha G S updated ATLAS-349:
------------------------------
    Attachment: ATLAS-349-v1.patch

Attaching the latest patch from reviewboard

> SSL - Atlas SSL connection has weak/unsafe Ciphers suites
> ---------------------------------------------------------
>
>                 Key: ATLAS-349
>                 URL: https://issues.apache.org/jira/browse/ATLAS-349
>             Project: Atlas
>          Issue Type: Bug
>    Affects Versions: 0.6-incubating
>            Reporter: Naima Djouhri
>            Assignee: Naima Djouhri
>             Fix For: trunk
>
>         Attachments: ATLAS-349-V0.patch, ATLAS-349-v1.patch
>
>
> After establishing an Atlas SSL connection, I wanted to see the cipher suites of the Atlas server.
> Run the following:
> nmap -Pn --script ssl-cert,ssl-enum-ciphers -p 21443 localhost
> Got the following results:
> ssl-enum-ciphers:
>    TLSv1.0:
>      ciphers:
>        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
>        TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
>        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - E
>        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - C
>        TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - C
>        TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
>        TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
>        TLS_RSA_WITH_RC4_128_MD5 (rsa 512) - C
>        TLS_RSA_WITH_RC4_128_SHA (rsa 512) - C
>      compressors:
>        NULL
>      cipher preference: client
>      warnings:
>        Ciphersuite uses MD5 for message integrity
>        Weak certificate signature: SHA1
> |_  least strength: E
> MAC Address: 00:00:00:41:47:4E (Xerox)
> Nmap done: 1 IP address (1 host up) scanned in 8.75 seconds
> The unsafe ciphers need to be excluded.
> Per the Jetty "Configuring SSL/TLS" documentation, section "Disabling/Enabling specific cipher suites":
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
> ExcludeCipherSuites needs to be set.
> But since Atlas has an embedded Jetty, this property needs to be set there to exclude the weak/unsafe cipher suites.
> The Open Web Application Security Project (OWASP) has a nice recommendation of tools for testing for weak SSL/TLS ciphers:
> https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29#Tools



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
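The issue text says ExcludeCipherSuites has to be set on the embedded Jetty rather than in a jetty.xml. The following is an added example of what that looks like for an embedded Jetty 9.x server on the port the scan targeted; it is editorial illustration, not Atlas's own SecureEmbeddedServer code and not the content of the attached patch. The keystore path and password are hypothetical placeholders, and it assumes the Jetty 9 behaviour that each exclude entry is matched as a regular expression against the JVM's supported suite names.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Illustrative embedded Jetty HTTPS connector with the weak suites from the
 * ATLAS-349 scan excluded. Not Atlas project code.
 */
public class HardenedEmbeddedJetty {

    // Hypothetical keystore location and password, for illustration only.
    static final String KEYSTORE_PATH = "/etc/atlas/keystore.jks";
    static final String KEYSTORE_PASSWORD = "changeit";
    static final int HTTPS_PORT = 21443;

    static SslContextFactory buildSslContextFactory() {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(KEYSTORE_PATH);
        ssl.setKeyStorePassword(KEYSTORE_PASSWORD);

        // Every suite the scan graded C or E falls under one of these patterns:
        // RC4 stream cipher, 3DES, MD5 MAC, static RSA key exchange (no forward
        // secrecy), and legacy SSL_* suite names.
        ssl.setExcludeCipherSuites(
                "^.*_RC4_.*$",
                "^.*_3DES_.*$",
                "^.*_MD5$",
                "^TLS_RSA_.*$",
                "^SSL_.*$");

        // The scan negotiated TLSv1.0; only offer TLSv1.2.
        ssl.setIncludeProtocols("TLSv1.2");
        ssl.setExcludeProtocols("SSLv3", "TLSv1", "TLSv1.1");

        // The scan reported "cipher preference: client"; let the server order win.
        ssl.setUseCipherSuitesOrder(true);
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(HTTPS_PORT);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(buildSslContextFactory(), "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(HTTPS_PORT);
        server.addConnector(https);

        server.start();
        server.join();
    }
}
```

After restarting with this connector, rerun the nmap command from the report; the ssl-enum-ciphers output should no longer list a TLSv1.0 section or any RC4, 3DES or MD5 suites. Excluding suites does not address the other findings in the same scan output: the "rsa 512" key and "Weak certificate signature: SHA1" come from the keystore itself and need a regenerated 2048-bit key with a SHA-256-signed certificate, and the "dh 1024" parameter size is a JVM setting (on Java 8, -Djdk.tls.ephemeralDHKeySize=2048) rather than a Jetty one.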