Absent Member..

How to disable weak cipher suites?

Hi guys, I'd like to know how to disable some cipher suites that are considered weak in terms of security. For example, I'd like to disable the ciphers TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA. We are using the HP ALM Quality Center 12 with the default web server (if I'm not wrong it's Jetty 7.5.4).

 

Just as information, I was able to disable the SSLv2 and SSLv3 protocols adding the following code inside the jetty-ssl.xml:

<Set name="ExcludeProtocols">
   <Array type="java.lang.String">
      <Item>SSLv2Hello</Item>
      <Item>SSLv3</Item>
   </Array>
</Set>

 

But the following code does not work:

<Set name="ExcludeCipherSuites">
   <Array type="java.lang.String">
      <Item>TLS_RSA_WITH_RC4_128_MD5</Item>
      <Item>TLS_RSA_WITH_RC4_128_SHA</Item>
   </Array>
</Set>

 

I tried adding this "ExcludeCipherSuites" but these ciphers are still available after the web server restart. 

 

Thanks for any help!

4 Replies
Absent Member..

Following is the content of the jetty-ssl.xml file:

 

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<!-- =============================================================== -->
<!-- Configure SSL for the Jetty Server -->
<!-- this configuration file should be used in combination with -->
<!-- other configuration files. e.g. -->
<!-- java -jar start.jar conf/jetty-ssl.xml -->
<!-- -->
<!-- alternately, add to the start.ini for easier usage -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

<!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->
<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore"><Property name="jetty.home" default="." />/conf/keystore</Set>
<Set name="KeyStorePassword">***</Set>
<Set name="KeyManagerPassword">***</Set>
<Set name="TrustStore"><Property name="jetty.home" default="." />/conf/truststore</Set>
<Set name="TrustStorePassword">***</Set>
<Set name="ExcludeProtocols"><Array type="java.lang.String"><Item>SSLv2Hello</Item><Item>SSLv3</Item></Array></Set>
</New>

<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg><Ref id="sslContextFactory" /></Arg>
<Set name="Port">443</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="AcceptQueueSize">100</Set>
</New>
</Arg>
</Call>
</Configure>

Absent Member.

Hello Maucasal,

 

Jetty configuration and setup need to follow the Jetty documentation, which we as ALM support do not have.

 

The cipher suites used by Jetty SSL are provided by the JVM: http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider.

 

However, I did some research on this case and found the following:

 

If a vulnerability is discovered in a cipher, or if it is considered too weak to use, you can exclude it during Jetty startup. You need to make the following changes to the jetty.xml configuration file. Jetty performs the exclude operation after the include operation. Therefore, if a cipher suite is both included and excluded as part of the same configuration, it is disabled.

<Call name="addConnector">
<Arg>
   <New class="org.mortbay.jetty.security.SslSocketConnector">
     <Set name="Port">8443</Set>
     <Set name="maxIdleTime">30000</Set>
     ...
     <Set name="ExcludeCipherSuites">
       <Array type="java.lang.String">
         <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
         <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
         <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
       </Array>
     </Set>
   </New>
</Arg>
</Call>

 

You can find additional information at these links:

http://www.papercut.com/kb/Main/SSLCipherConfiguration

http://fastpicket.com/blog/2012/08/27/disabling-insecure-cipher-suites-in-jetty/

 

Please let me know if the above information is useful for you.

Regards!

Diego.

Admiral

Hi,

 

Please refer to the KB below for more details.

 

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01250751?lang=en&cc=us&hpappid=OSP

 

Cheers

 

Absent Member..

Hi Schall, thanks for the information. I think the Word document that is attached in your link is the most precise information that I have seen so far about this subject.

 

Unfortunately the Jetty information that is provided there didn't work. I'm using the HP Quality Center 12.00. I tried excluding the ciphers using the entire cipher names, and also using wildcards; it didn't work. The only thing that I could accomplish so far was disabling the SSLv2 and SSLv3 protocols. They were enabled initially.

 

The example that is provided in the Word document is exactly what I'm trying to achieve. I'd like to disable the ciphers: RC4, MD5, NULL, and so on.

 

Attempt #1:

 

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<!-- =============================================================== -->
<!-- Configure SSL for the Jetty Server -->
<!-- this configuration file should be used in combination with -->
<!-- other configuration files. e.g. -->
<!-- java -jar start.jar conf/jetty-ssl.xml -->
<!-- -->
<!-- alternately, add to the start.ini for easier usage -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

<!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->

<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore"><Property name="jetty.home" default="." />/conf/keystore</Set>
<Set name="KeyStorePassword">OBF:***</Set>
<Set name="KeyManagerPassword">OBF:***</Set>
<Set name="TrustStore"><Property name="jetty.home" default="." />/conf/truststore</Set>
<Set name="TrustStorePassword">OBF:***</Set>
<Set name="ExcludeProtocols"><Array type="java.lang.String"><Item>SSLv2Hello</Item><Item>SSLv3</Item></Array></Set>
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>.*RC4.*</Item>
<Item>.*MD5.*</Item>
<Item>.*3DES.*</Item>
<Item>.*ADH.*</Item>
<Item>.*NULL.*</Item>
</Array>
</Set>
</New>

<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg><Ref id="sslContextFactory" /></Arg>
<Set name="Port">443</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="AcceptQueueSize">100</Set>
</New>
</Arg>
</Call>
</Configure>

 

Attempt #2:

 

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<!-- =============================================================== -->
<!-- Configure SSL for the Jetty Server -->
<!-- this configuration file should be used in combination with -->
<!-- other configuration files. e.g. -->
<!-- java -jar start.jar conf/jetty-ssl.xml -->
<!-- -->
<!-- alternately, add to the start.ini for easier usage -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

<!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->

<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore"><Property name="jetty.home" default="." />/conf/keystore</Set>
<Set name="KeyStorePassword">OBF:***</Set>
<Set name="KeyManagerPassword">OBF:***</Set>
<Set name="TrustStore"><Property name="jetty.home" default="." />/conf/truststore</Set>
<Set name="TrustStorePassword">OBF:***</Set>
<Set name="ExcludeProtocols"><Array type="java.lang.String"><Item>SSLv2Hello</Item><Item>SSLv3</Item></Array></Set>
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_RSA_WITH_RC4_128_MD5</Item>
<Item>TLS_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
</Array>
</Set>
</New>

<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg><Ref id="sslContextFactory" /></Arg>
<Set name="Port">443</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="AcceptQueueSize">100</Set>
</New>
</Arg>
</Call>
</Configure>

 

Please take a look at the attached picture. This vulnerability report is what I'm trying to fix. Also, I'd like to avoid using proxies to fix these vulnerabilities.

 

Thanks for the help!

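As an added illustration (not code from this thread, from Jetty, or from HP/Micro Focus), the following Python script models the selection rule Diego quotes, include first and then exclude, over a constructed list of cipher suite names in SunJSSE naming style, and applies the two exclusion styles tried in the last post: literal names (Attempt #2) and `.*RC4.*` style patterns (Attempt #1). Whether a given Jetty release treats ExcludeCipherSuites entries as Java regular expressions or as literal names depends on the Jetty version, so the script takes that as a `regex` parameter rather than asserting which one Jetty 7.5.4 does; the suite list, the patterns and that flag are assumptions of the example. It also carries the check a reviewer wants after editing the file: which suites matching a weak pattern are still enabled. One thing it makes visible is that the `.*ADH.*` pattern from Attempt #1 never matches anything, because SunJSSE spells anonymous Diffie-Hellman suites with `DH_anon` (OpenSSL is where the `ADH` naming comes from).

```python
import re

# Constructed sample of cipher suite names in SunJSSE naming style.
# Illustrative only; it is not the output of any particular JVM.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# The patterns from Attempt #1 and the literal names from Attempt #2.
ATTEMPT_1_PATTERNS = [".*RC4.*", ".*MD5.*", ".*3DES.*", ".*ADH.*", ".*NULL.*"]
ATTEMPT_2_NAMES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]

# Patterns for the audit step; "_anon_" rather than "ADH" because that is
# how SunJSSE spells anonymous Diffie-Hellman suites (assumed list).
WEAK_PATTERNS = [".*RC4.*", ".*MD5.*", ".*3DES.*", ".*_anon_.*", ".*NULL.*"]


def _matches(entry, suite, regex):
    """Match one Include/Exclude entry against a suite name.

    regex=True:  the entry is a Java-style regular expression that must
                 match the whole name (re.fullmatch mirrors Matcher.matches()).
    regex=False: the entry must equal the name exactly.
    """
    if regex:
        return re.fullmatch(entry, suite) is not None
    return entry == suite


def select_cipher_suites(supported, include=(), exclude=(), regex=True):
    """Apply the documented order: include first, then exclude.

    An empty include list means "everything the JVM supports".  A suite
    that is both included and excluded ends up disabled.
    """
    if include:
        selected = [s for s in supported
                    if any(_matches(e, s, regex) for e in include)]
    else:
        selected = list(supported)
    return [s for s in selected
            if not any(_matches(e, s, regex) for e in exclude)]


def remaining_weak(selected, weak_patterns=WEAK_PATTERNS):
    """Audit step: report enabled suites that still match a weak pattern."""
    return [s for s in selected
            if any(re.fullmatch(p, s) for p in weak_patterns)]


if __name__ == "__main__":
    runs = [
        ("Attempt #1 patterns, regex honoured", ATTEMPT_1_PATTERNS, True),
        ("Attempt #1 patterns, literal matching", ATTEMPT_1_PATTERNS, False),
        ("Attempt #2 literal names", ATTEMPT_2_NAMES, False),
    ]
    for label, exclude, regex in runs:
        enabled = select_cipher_suites(SUPPORTED_SUITES, exclude=exclude, regex=regex)
        print(f"{label}: {len(enabled)} enabled, weak left: {remaining_weak(enabled)}")
```

Run against the constructed list, the regex form of Attempt #1 leaves the anonymous AES suite enabled because `.*ADH.*` matches no SunJSSE name, the same patterns under literal matching remove nothing at all (which is what Attempt #1 looks like on a Jetty that does not treat entries as patterns), and the three literal names of Attempt #2 remove exactly three suites while leaving 3DES, NULL and the anonymous suites in place. The practical takeaway is to verify the effective list on the running server rather than trusting the configuration file, since a silently ignored entry looks identical to a working one until a scanner reports the suite.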