
[Solved]'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 27 Dec 2016, 07:32
by rmtevesjr
There was a vulnerability finding in our app server - 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol. Any suggestion to address it? Thank you.

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 27 Dec 2016, 15:09
by m.radtke
Hi

some more context would help to understand your problem

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 31 Dec 2016, 14:17
by rmtevesjr
Before we promote a server into production it undergoes a vulnerability assessment (VA). There was a finding saying that "'Weak' cipher suites accepted by this service via the TLSv1.0 protocol". I think because OPSI still supports TLS1.0. Can we disable it? How? Thank you.

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 03 Jan 2017, 10:33
by n.wenselowski
Hi,

I did have a look into the docs of pyopenssl and for our case this seems not too hard to implement.

My idea is to introduce another option into the config of opsiconfd that will allow you to set a string of accepted ciphers. Would that work for you?
Also: would you be willing to test this?

As for the support of TLSv1.0 this may get changed with 4.1 but I am strongly against changing this in the 4.0 series because this may lead to clients being unable to connect to the service if they are running very old versions.


Kind regards

Niko

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 10 Jan 2017, 14:26
by rmtevesjr
Hi Niko. Thanks so much. I can try once available.

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 11 Jan 2017, 15:35
by n.wenselowski
Hi,
rmtevesjr wrote: Hi Niko. Thanks so much. I can try once available.
Please install opsiconfd from experimental on a testserver of yours.
This should also update python-opsi.

I recommend disabling that repository again after installing those two packages!

Now you can add something like this to the service section of your opsiconfd.conf:


accepted ciphers = TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH
Please note that this is an example and you probably want to configure it differently based on current recommendations!
For more information about the ciphers consult the openssl manpage.

Then please restart your opsiconfd. And check if it works as expected.


Kind regards

Niko
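
As an added example (not code from the opsi project or from anyone in this thread), here is a small Python check that resolves an OpenSSL cipher string the same way a pyOpenSSL-based service would and lists which suites a vulnerability scanner would still flag, so the string can be vetted before it goes into opsiconfd.conf. The stricter string, the weak-name markers and the helper names are assumptions for this example, not opsi defaults.

```python
import ssl

# Cipher string quoted in the thread above (illustrative only, explicitly not a recommendation).
THREAD_EXAMPLE = "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH"
# Stricter string (an assumption for this example, not an opsi default): HIGH-strength
# suites with forward secrecy only; no RC4, 3DES, NULL, export or anonymous suites.
STRICTER_EXAMPLE = "ECDHE+HIGH:DHE+HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXPORT:@STRENGTH"

# Substrings of OpenSSL cipher names that scanners commonly classify as weak (assumed list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def resolve_ciphers(cipher_string):
    """Return the suites this OpenSSL build selects for cipher_string, as dicts from
    SSLContext.get_ciphers() (keys include 'name', 'protocol', 'strength_bits').
    Note: a cipher string selects suites only; it does not switch off TLSv1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches at all
    return ctx.get_ciphers()


def is_weak(cipher, min_bits=128):
    """True if a suite dict would be reported as weak: below min_bits of key
    strength, or carrying one of the weak-name markers."""
    return cipher["strength_bits"] < min_bits or any(
        marker in cipher["name"] for marker in WEAK_MARKERS
    )


def weak_suites(cipher_string, min_bits=128):
    """Names of the suites that cipher_string still enables and that is_weak flags."""
    return [c["name"] for c in resolve_ciphers(cipher_string) if is_weak(c, min_bits)]


def report(cipher_string):
    suites = resolve_ciphers(cipher_string)
    print(f"{cipher_string}\n  {len(suites)} suite(s) resolved by this OpenSSL build")
    for c in suites:
        print(f"  {c['protocol']:8} {c['strength_bits']:4} bits  {c['name']}")
    print("  flagged as weak:", weak_suites(cipher_string) or "none")


if __name__ == "__main__":
    report(THREAD_EXAMPLE)
    report(STRICTER_EXAMPLE)
```

Unknown tokens in a cipher string are silently ignored by OpenSSL, so a typo is only visible in this kind of resolved list, not as an error at service start.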

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 23 Jan 2017, 11:39
by n.wenselowski
Hi,
rmtevesjr wrote: Hi Niko. Thanks so much. I can try once available.
did you find time yet to test?


Kind regards

Niko

Re: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol

Posted: 23 Jan 2017, 12:31
by rmtevesjr
Hi Niko, sorry we haven't tried it. Something went wrong with our server. Will let you know. Thanks a lot