Some weak cipher suites allowed in example jetty.xml HTTPS config
Description
Environment
Any system where the jetty.xml file has been copied from {{OPENNMS_HOME/etc/examples}} into {{OPENNMS_HOME/etc}} and the HTTPS section uncommented
Acceptance / Success Criteria
None
Attachments
2
Activity
Ronny Trommer April 1, 2016 at 8:20 PM (Edited)
seems to be fixed, can we delete this branch?

Seth Leger August 19, 2015 at 12:31 PM
Fixed by adding TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA to the excluded cipher list. The other AES_128 cipher was already in the list in the develop branch.
commit 943040279e03e15b5f7a33120fae85ccbc25a6c8
Fixed
Details
Assignee: Seth Leger
Reporter: Jeff Gehlbach
Priority: Major
Created July 17, 2015 at 9:51 AM
Updated April 1, 2016 at 8:21 PM
Resolved August 19, 2015 at 12:31 PM
A PCI-DSS audit scan found two weak DH cipher suites are allowed in this configuration which permit ephemeral keys smaller than 1024 bits.
Adding the following items to the list of excluded cipher suites addresses the problem:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Support ticket: https://mynms.opennms.com/Ticket/Display.html?id=3931
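
The description above names two suites to add to the excluded cipher list. As an added example (not code from OpenNMS or from this ticket), this Python check parses a Jetty XML configuration and reports which of the two are not covered by an active exclusion entry. The sample XML is constructed, and treating exclusion entries as regular expressions is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# The two suites the ticket says must be on the exclusion list.
REQUIRED = ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")

# Constructed sample in Jetty XML syntax (not the real OpenNMS file).
# The second exclusion list sits inside a comment, so it is not active.
SAMPLE = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="ExcludeCipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      </Array>
    </Set>
  </New>
  <!-- <Set name="ExcludeCipherSuites"><Array><Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item></Array></Set> -->
</Configure>"""


def exclusion_entries(jetty_xml):
    """Return active exclusion entries, or None if no exclusion list exists.

    ElementTree drops XML comments, so a still-commented HTTPS section
    contributes nothing.
    """
    entries, seen = [], False
    for node in ET.fromstring(jetty_xml).iter():
        if node.get("name") in ("ExcludeCipherSuites", "addExcludeCipherSuites"):
            seen = True
            entries += [i.text.strip() for i in node.iter("Item") if i.text]
    return entries if seen else None


def missing_exclusions(jetty_xml, required=REQUIRED):
    """List required suites that no active exclusion entry covers."""
    entries = exclusion_entries(jetty_xml)
    if entries is None:
        return None  # no active exclusion list at all
    # Assumption: entries may be regular expressions; a plain name matches itself.
    return [s for s in required
            if not any(re.fullmatch(e, s) for e in entries)]


if __name__ == "__main__":
    print(missing_exclusions(SAMPLE))
```

A `None` result means the file has no active exclusion list, which is a different finding from an empty list (both suites excluded).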