[Solved] 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
There was a vulnerability finding in our app server - 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol. Any suggestion to address it? Thank you.
Last edited by rmtevesjr on 22 Feb 2017, 05:21, edited 1 time in total.
Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
Hi
Some more context would help to understand your problem.
No support via DM!
_________________________
opsi support - http://www.uib.de/
For productive opsi installations we recommend support contracts.
Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
Before we promote a server into production it undergoes a vulnerability assessment (VA). There was a finding saying that "'Weak' cipher suites accepted by this service via the TLSv1.0 protocol". I think this is because OPSI still supports TLS 1.0. Can we disable it? How? Thank you.
- n.wenselowski
- Ex-uib-Team
- Posts: 3194
- Registered: 04 Apr 2013, 12:15
Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
Hi,
I did have a look into the docs of pyopenssl and for our case this seems not too hard to implement.
My idea is to introduce another option into the config of opsiconfd that will allow you to set a string of accepted ciphers. Would that work for you?
Also: would you be willing to test this?
As for the support of TLSv1.0, this may get changed with 4.1, but I am strongly against changing this in the 4.0 series because this may lead to clients being unable to connect to the service if they are running a very old version.
Kind regards
Niko
Code: Select all
import OPSI
Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
Hi Niko. Thanks so much. I can try once available.
- n.wenselowski
- Ex-uib-Team
- Posts: 3194
- Registered: 04 Apr 2013, 12:15
Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
Hi,
rmtevesjr wrote:Hi Niko. Thanks so much. I can try once available.
Please install opsiconfd from experimental on a test server of yours.
This should also update python-opsi.
I recommend disabling that repository again after installing those two packages!
Now you can add something like this to the service section of your opsiconfd.conf:
Code: Select all
accepted ciphers = TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH
Please note that this is an example and you probably want to configure it differently based on current recommendations!
For more information about the ciphers consult the openssl manpage.
Then please restart your opsiconfd and check if it works as expected.
Kind regards
Niko
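Editor's note with an added example (not part of this thread and not opsi's own code): Niko's cipher string is explicitly a starting point, and two things about it are worth checking before it goes into opsiconfd.conf. First, the `RC4+MEDIUM` element deliberately adds RC4 suites on any OpenSSL build that still ships them, which is exactly the kind of suite the VA finding complains about. Second, a cipher string only controls which suites are offered; whether TLSv1.0 itself is accepted is a separate protocol setting, which is why Niko treats it as a 4.1 question. The script below asks the locally installed OpenSSL, through Python's standard `ssl` module, what a candidate `accepted ciphers` value actually enables, and flags suites that scanners report as weak. The weak-suite patterns, the 128-bit floor and the stricter alternative string are this example's own assumptions, not a uib recommendation. Because OpenSSL versions differ in which keywords and suites they know (RC4 is not built by default from OpenSSL 1.1.0 on, and unknown keywords such as `SSLv2` are silently skipped), run it on the opsi server itself rather than on a workstation.

```python
"""Audit an OpenSSL cipher string such as the one opsiconfd reads from its
'accepted ciphers' option, using only Python's standard ssl module.

Added example for the forum thread; not code from opsi or uib.
"""
import re
import ssl

# Suites a vulnerability scanner typically reports as 'weak'.  These
# patterns are this example's own assumption, not a list taken from opsi
# or from any particular scanner.
WEAK_PATTERNS = {
    "RC4 stream cipher": re.compile(r"RC4"),
    "3DES (64-bit block)": re.compile(r"DES-CBC3"),
    "single DES": re.compile(r"DES-CBC-"),
    "NULL encryption": re.compile(r"NULL"),
    "export grade": re.compile(r"^EXP"),
    "anonymous key exchange": re.compile(r"^(ADH|AECDH)-"),
    "MD5 MAC": re.compile(r"MD5"),
}
MIN_STRENGTH_BITS = 128  # assumed floor; below this a suite is flagged


def classify(name, strength_bits):
    """Return the list of reasons a suite is weak; an empty list means it passes."""
    reasons = [label for label, pat in WEAK_PATTERNS.items() if pat.search(name)]
    if strength_bits < MIN_STRENGTH_BITS:
        reasons.append("only %d-bit key" % strength_bits)
    return reasons


def expand(cipher_string):
    """Let the installed OpenSSL expand the string, as a server context would.

    Returns (name, protocol, strength_bits) tuples in preference order.
    OpenSSL silently ignores keywords it does not know (e.g. SSLv2 on
    OpenSSL >= 1.1.0); a string that selects no suite at all raises
    ssl.SSLError instead of returning an empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Return (accepted, rejected).

    accepted: list of (name, protocol, strength_bits) that pass classify();
    rejected: dict of suite name -> list of reasons it was flagged.
    """
    accepted, rejected = [], {}
    for name, protocol, bits in expand(cipher_string):
        reasons = classify(name, bits)
        if reasons:
            rejected[name] = reasons
        else:
            accepted.append((name, protocol, bits))
    return accepted, rejected


# The string from the thread, and a stricter alternative (this example's
# own suggestion): AEAD suites with forward secrecy only, no CBC/SHA1
# legacy suites.  Note that neither string disables the TLSv1.0 protocol;
# that is a protocol-version setting, not a cipher-string one.
THREAD_STRING = "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH"
STRICT_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:@STRENGTH"

if __name__ == "__main__":
    for label, candidate in (("thread", THREAD_STRING), ("strict", STRICT_STRING)):
        print("== %s: %s" % (label, candidate))
        try:
            ok, weak = audit(candidate)
        except ssl.SSLError as exc:
            print("   rejected by OpenSSL:", exc)
            continue
        for name, protocol, bits in ok:
            print("   ok   %-40s %-8s %3d bits" % (name, protocol, bits))
        for name, reasons in weak.items():
            print("   WEAK %-40s %s" % (name, ", ".join(reasons)))
```

Run it on the opsi server, compare the two listings, and only copy a string into the `accepted ciphers` option once its expansion shows no WEAK lines there; then restart opsiconfd as described above and re-run the scanner, since the local OpenSSL is what actually decides which suites the service offers.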
- n.wenselowski
- Ex-uib-Team
- Posts: 3194
- Registered: 04 Apr 2013, 12:15
Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
Hi,
rmtevesjr wrote:Hi Niko. Thanks so much. I can try once available.
Did you find time yet to test?
Kind regards
Niko
Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol
Hi Niko, sorry, we haven't tried it yet. Something went wrong with our server. Will let you know. Thanks a lot.