OpenNMS / NMS-7812

Some weak cipher suites allowed in example jetty.xml HTTPS config

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Meridian-2015.1.0, 16.0.2
    • Fix Version/s: 16.0.3, Meridian-2015.1.1
    • Component/s: Web UI - General
    • Security Level: Default (Default Security Scheme)
    • Labels:
      None
    • Environment:
      Any system where the jetty.xml file has been copied from OPENNMS_HOME/etc/examples into OPENNMS_HOME/etc and the HTTPS section uncommented

      Description

      A PCI-DSS audit scan found two weak DH cipher suites are allowed in this configuration which permit ephemeral keys smaller than 1024 bits.

      Adding the following items to the list of excluded cipher suites addresses the problem:

      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA

      Support ticket: https://mynms.opennms.com/Ticket/Display.html?id=3931
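
One way to check a deployed jetty.xml for the two exclusions named above, as an added example that is not part of the original ticket or OpenNMS code. It assumes the exclusions live in a Jetty `<Set name="excludeCipherSuites">` array; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Suites the ticket says must be added to the exclusion list.
REQUIRED_EXCLUDES = {
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}

def excluded_suites(jetty_xml):
    """Collect every <Item> under a <Set name="excludeCipherSuites"> element."""
    root = ET.fromstring(jetty_xml)
    found = set()
    for node in root.iter("Set"):
        # Accept both "excludeCipherSuites" and "ExcludeCipherSuites".
        if node.get("name", "").lower() == "excludeciphersuites":
            found.update((item.text or "").strip() for item in node.iter("Item"))
    found.discard("")
    return found

def missing_excludes(jetty_xml):
    """Return the ticket's suites that the config does not yet exclude, sorted."""
    return sorted(REQUIRED_EXCLUDES - excluded_suites(jetty_xml))

# Constructed sample (not the shipped OpenNMS file): an HTTPS section whose
# exclusion list lacks the two DHE suites. A section still inside an XML
# comment is ignored by the parser and is reported as excluding nothing.
SAMPLE_BEFORE = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="excludeCipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      </Array>
    </Set>
  </New>
</Configure>"""

# The same constructed sample with the ticket's two suites added.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "</Array>",
    "  <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>\n"
    "        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>\n      </Array>",
)

if __name__ == "__main__":
    print("before:", missing_excludes(SAMPLE_BEFORE))
    print("after: ", missing_excludes(SAMPLE_AFTER))
```

To run it against a real installation, pass the text of OPENNMS_HOME/etc/jetty.xml to `missing_excludes`; an empty list means both suites are excluded.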

            People

            • Assignee: Seth Leger (seth)
            • Reporter: Jeff Gehlbach (jeffg)