Uploaded image for project: 'OpenNMS'
  1. OpenNMS
  2. NMS-13227

Change Jetty default settings to exclude vulnerable cipher suites, expose client-initiated renegotiation

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Meridian-2018.1.26, Meridian-2019.1.17, Meridian-2020.1.6, 27.1.0
    • Fix Version/s: 28.0.0
    • Component/s: Web UI - General
    • Security Level: Default (Default Security Scheme)
    • Labels:
    • Sprint:
      Horizon 2021 - Mar 31 - Apr 14

      Description

      The commented-out "Enable HTTPS Support" block of OpenNMS' current default jetty.xml file leaves two whole classes of vulnerable cipher suites enabled:

      • Suites using cipher block chaining (CBC) mode
      • Suites using Diffie-Hellman ephemeral key exchange (DHE) in the absence of elliptic curve keys (in which case DHE is considered safe and is termed ECDHE)

      We should update this file to exclude all CBC and DHE cipher suites by default. Newer versions of Jetty already exclude by default all the weak ciphers that we currently disable by name, so these exclusions should be reworked as a regex-based <Call> to addExcludeProtocols rather than the current <Set> (which overrides the default exclusions entirely).

      Also, we should expose the Jetty setting that enables the end-user to disable client-initiated TLS renegotiation if desired, since its availability creates a potential denial-of-service attack against the server. Such attacks seem to be considered rare, so leaving the feature enabled (which is the Jetty default) feels reasonable.

        Attachments

          Activity

            People

            Assignee:
            jeffg Jeff Gehlbach
            Reporter:
            jeffg Jeff Gehlbach
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Git Integration