Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: Meridian-2018.1.26, Meridian-2019.1.17, Meridian-2020.1.6, 27.1.0
-
Fix Version/s: Next
-
Component/s: Web UI - General
-
Security Level: Default (Default Security Scheme)
-
Labels:
-
Sprint:Horizon 2021 - Mar 31 - Apr 14
Description
The commented-out "Enable HTTPS Support" block of OpenNMS' current default jetty.xml file leaves two whole classes of vulnerable cipher suites enabled:
- Suites using cipher block chaining (CBC) mode
- Suites using Diffie-Hellman ephemeral key exchange (DHE) in the absence of elliptic curve keys (in which case DHE is considered safe and is termed ECDHE)
We should update this file to exclude all CBC and DHE cipher suites by default. Newer versions of Jetty already exclude by default all the weak ciphers that we currently disable by name, so these exclusions should be reworked as a regex-based <Call> to addExcludeProtocols rather than the current <Set> (which overrides the default exclusions entirely).
Also, we should expose the Jetty setting that enables the end-user to disable client-initiated TLS renegotiation if desired, since its availability creates a potential denial-of-service attack against the server. Such attacks seem to be considered rare, so leaving the feature enabled (which is the Jetty default) feels reasonable.