Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Some weak cipher suites allowed in example jetty.xml HTTPS config

Description

A PCI-DSS audit scan found two weak DH cipher suites are allowed in this configuration which permit ephemeral keys smaller than 1024 bits.

Adding the following items to the list of excluded cipher suites addresses the problem:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Support ticket: https://mynms.opennms.com/Ticket/Display.html?id=3931

Environment

Any system where the jetty.xml file has been copied from {{OPENNMS_HOME/etc/examples}} into {{OPENNMS_HOME/etc}} and the HTTPS section uncommented

Acceptance / Success Criteria

None

Lucidchart Diagrams

Activity

Show:

Ronny Trommer April 1, 2016 at 8:20 PM
Edited

Seth Leger August 19, 2015 at 12:31 PM

Fixed by adding TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA to the excluded cipher list. The other AES_128 cipher was already in the list in the develop branch.

commit 943040279e03e15b5f7a33120fae85ccbc25a6c8

Fixed

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Priority

PagerDuty

Created July 17, 2015 at 9:51 AM
Updated April 1, 2016 at 8:21 PM
Resolved August 19, 2015 at 12:31 PM