[Solved] 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

rmtevesjr
Posts: 73
Joined: 12 Jul 2012, 14:57

[Solved] 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by rmtevesjr »

There was a vulnerability finding in our app server - 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol. Any suggestion to address it? Thank you.
Last edited by rmtevesjr on 22 Feb 2017, 05:21, edited 1 time in total.
m.radtke
uib-Team
Posts: 1528
Joined: 10 Jun 2015, 12:19

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by m.radtke »

Hi,

Some more context would help to understand your problem.
No support via DM!
_________________________
opsi support - http://www.uib.de/
For productive opsi installations we recommend support contracts.
rmtevesjr
Posts: 73
Joined: 12 Jul 2012, 14:57

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by rmtevesjr »

Before we promote a server into production it undergoes a vulnerability assessment (VA). There was a finding saying that "'Weak' cipher suites accepted by this service via the TLSv1.0 protocol". I think it is because OPSI still supports TLS 1.0. Can we disable it? How? Thank you.
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by n.wenselowski »

Hi,

I did have a look into the docs of pyopenssl and for our case this seems not too hard to implement.

My idea is to introduce another option into the config of opsiconfd that will allow you to set a string of accepted ciphers. Would that work for you?
Also: would you be willing to test this?

As for the support of TLSv1.0, this may get changed with 4.1, but I am strongly against changing this in the 4.0 series because this may lead to clients being unable to connect to the service if they are running a very old version.


Kind regards

Niko

Code: Select all

import OPSI
rmtevesjr
Posts: 73
Joined: 12 Jul 2012, 14:57

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by rmtevesjr »

Hi Niko. Thanks so much. I can try once available.
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by n.wenselowski »

Hi,
rmtevesjr wrote: Hi Niko. Thanks so much. I can try once available.
Please install opsiconfd from experimental on a test server of yours.
This should also update python-opsi.

I recommend disabling that repository again after installing those two packages!

Now you can add something like this to the service section of your opsiconfd.conf:

Code: Select all

accepted ciphers = TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH
Please note that this is an example and you probably want to configure it differently based on current recommendations!
For more information about the ciphers consult the openssl manpage.

Then please restart your opsiconfd. And check if it works as expected.


Kind regards

Niko

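As an added illustration (not code from this thread, from opsi or from pyOpenSSL): the `accepted ciphers` value is an OpenSSL cipher string, and Python's `ssl` module speaks the same syntax, so it can be used to expand a candidate string on the server's own OpenSSL build and list which suites would actually be offered. The check below flags the families a scanner typically reports as weak (RC4, 3DES, NULL, export, MD5, anonymous key exchange). The `HARDENED_CIPHER_STRING` and the `WEAK_MARKERS` list are my own assumptions for the example, not an opsi recommendation.

```python
import ssl

# The cipher string quoted in the post above (copied here for the example).
FORUM_CIPHER_STRING = "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH"

# Assumed tighter string: forward-secret AEAD suites only, with the classic
# weak families excluded explicitly. Adjust to your own policy.
HARDENED_CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES:@STRENGTH"
)

# Substrings that identify suites a scanner would report as weak. "DES-CBC3" is
# OpenSSL's name for 3DES; "ADH"/"AECDH" mark anonymous (unauthenticated) key exchange.
WEAK_MARKERS = ("RC4", "DES-CBC3", "NULL", "EXP", "MD5", "ADH", "AECDH")


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL build which suites the string actually selects.

    Raises ssl.SSLError if nothing matches, which is also what a server would
    hit at startup with an unusable string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def find_weak_ciphers(names):
    """Return the suite names that contain any of the weak markers."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def check_cipher_string(cipher_string):
    """Expand a cipher string and return (selected suites, weak suites)."""
    selected = expand_cipher_string(cipher_string)
    return selected, find_weak_ciphers(selected)


if __name__ == "__main__":
    for label, cs in (("forum example", FORUM_CIPHER_STRING),
                      ("hardened", HARDENED_CIPHER_STRING)):
        try:
            selected, weak = check_cipher_string(cs)
        except ssl.SSLError as exc:
            print(f"{label}: no usable cipher on this OpenSSL build ({exc})")
            continue
        print(f"{label}: {len(selected)} suites selected, {len(weak)} weak")
        for name in weak:
            print("  WEAK:", name)
```

Two caveats when reading the output. On OpenSSL builds where RC4 is still compiled in (the 1.0.2 era common at the time of this thread), the `RC4+MEDIUM` term of the forum string really does add RC4 suites, which is exactly what the VA finding complains about; on newer builds the term silently selects nothing, so the same string looks clean there. And a cipher string only controls cipher suites: whether TLSv1.0 itself is offered is the separate protocol-version question that Niko defers to the 4.1 series above.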
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by n.wenselowski »

Hi,
rmtevesjr wrote: Hi Niko. Thanks so much. I can try once available.
Did you find time yet to test?


Kind regards

Niko

rmtevesjr
Posts: 73
Joined: 12 Jul 2012, 14:57

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Post by rmtevesjr »

Hi Niko, sorry, we haven't tried it. Something went wrong with our server. Will let you know. Thanks a lot.