Task #12573

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_IBAM - TLS/SSL Server Supports The Use of Static Key Ciphers [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated 7 months ago.

Status: Closed - End of life cycle
Start date: November 08, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.

Solution provided by LGMS :

Configure the server to disable support for static key cipher suites.

The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.2 protocol.
Refer to the server documentation to apply the recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

TLSv1.2 Ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
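
To re-check this finding after a configuration change, the scan listing can be classified by key exchange. The following is an added example, not part of the original ticket or the LGMS report; the function names are hypothetical, and the classification assumes the IANA naming convention TLS_<key exchange>_WITH_<cipher>.

```python
import re

# TLSv1.2 suites copied from the scan listing in the finding above.
SCAN_OUTPUT = """\
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
"""

SUITE_RE = re.compile(r"\bTLS_[A-Za-z0-9_]+\b")


def classify(suite: str) -> str:
    """Classify an IANA cipher suite name by its key exchange field."""
    if suite.endswith("_SCSV"):
        return "review"  # signalling value, not a real cipher suite
    if "_WITH_" not in suite:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no key exchange
        # field; TLS 1.3 has no static RSA/DH key exchange.
        return "forward-secret"
    kx = suite[len("TLS_"):suite.index("_WITH_")]
    if kx.startswith(("ECDHE_", "DHE_")):
        return "forward-secret"
    if kx == "RSA" or (kx.startswith(("DH_", "ECDH_")) and not kx.endswith("_anon")):
        return "static-key"
    return "review"  # PSK, anon, SRP, NULL, ...: needs a manual decision


def audit(scan_text: str) -> dict:
    """Group every suite named in scan_text by its classification."""
    report = {"forward-secret": [], "static-key": [], "review": []}
    for suite in SUITE_RE.findall(scan_text):
        report[classify(suite)].append(suite)
    return report


def finding_resolved(scan_text: str) -> bool:
    """True only if suites were offered and none of them is static-key."""
    report = audit(scan_text)
    return bool(report["forward-secret"]) and not report["static-key"]


if __name__ == "__main__":
    for verdict, suites in audit(SCAN_OUTPUT).items():
        print(f"{verdict}: {len(suites)}")
    print("finding resolved:", finding_resolved(SCAN_OUTPUT))
```

Enforcing TLS 1.2 alone does not change the result: all six listed suites are TLS 1.2 suites with static RSA key exchange, so the check only passes once they are removed from the server's cipher list.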

History

#1 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from New - Begin Life Cycle to System Integration Test
  • Assignee changed from Chun Feng Lim to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 90

In WebSphere we had enforced TLS 1.2 and disabled older TLS versions.

#2 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from System Integration Test to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Kindly review the fixes, as the new pentest (March,9,20202) result status stated "not solved".

#3 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to System Integration Test
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

LGMS solution not possible based on CF comment.

CF:
Listed TLS were used by IBM WAS Application and default supported TLS encryption under strong cipher suite groups settings. Not recommended to be changed as it might affect communications among WebSpheres.

#4 Updated by Nurul Athira Abdul Rahim 7 months ago

  • Status changed from System Integration Test to Closed - End of life cycle
  • % Done changed from 90 to 100

Closed for this; refer to the new 2023/2024 pentest report.
