Mirth Connect

Disable weak SSL ciphers in Jetty server

Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.6.0, 2.2.0
  • Fix Version/s: 1.7.0
  • Component/s: Server
  • Description:
    Weak SSL ciphers are supported by the built-in Jetty HTTPS server. Change to strong ciphers.

    Jetty howto: http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites


    Nessus output:
    Synopsis :

    The remote service supports the use of weak SSL ciphers.

    Description :

    The remote host supports the use of SSL ciphers that
    offer either weak encryption or no encryption at all.

    See also :

    http://www.openssl.org/docs/apps/ciphers.html

    Solution :

    Reconfigure the affected application if possible to avoid use of
    weak ciphers.

    Risk factor :

    Low / CVSS Base Score : 2
    (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

    Plugin output :

    Here is a list of the SSL ciphers supported by the remote server :

    Low Strength Ciphers (< 56-bit key)
    SSLv3
    EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
    TLSv1
    EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export

    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv3
    EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
    TLSv1
    EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1

    High Strength Ciphers (>= 112-bit key)
    SSLv3
    EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
    TLSv1
    EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
    DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

    The fields above are :

    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}


    Nessus ID : 21643
  • Environment:
    Any Platform
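The Nessus plugin output above is only useful if someone turns it into a decision about which suites to remove. The following Python script is an added example, not code from the Mirth Connect project or from the issue; it parses cipher lines in the `{name} Kx= Au= Enc= Mac= [export]` layout shown above, applies the same strength thresholds the plugin uses (< 56-bit, 56 to 111-bit, >= 112-bit), and returns the names that should be disabled and the names that may stay. The sample input is the list quoted in this issue plus one constructed `NULL-SHA` line (not on the page) to show how a "no encryption at all" suite is handled.

```python
import re
from dataclasses import dataclass
from typing import List

# Cipher lines exactly as quoted in the Nessus plugin output of this issue.
PAGE_OUTPUT = """\
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
TLSv1
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
TLSv1
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
"""
# Constructed extra line (not in the issue): a suite with no encryption at all,
# printed by OpenSSL-style tooling as Enc=None.
NESSUS_OUTPUT = PAGE_OUTPUT + "NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1\n"


@dataclass(frozen=True)
class CipherRecord:
    protocol: str
    name: str
    kx: str
    au: str
    enc_alg: str
    enc_bits: int
    mac: str
    export: bool


CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)
PROTOCOL_LINE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")


def _parse_enc(enc: str):
    """Split an Enc field such as DES(40) into (algorithm, key bits)."""
    if enc == "None":
        return "None", 0  # no encryption: treat as a 0-bit key
    m = re.match(r"^(?P<alg>[A-Za-z0-9-]+)\((?P<bits>\d+)\)$", enc)
    if not m:
        raise ValueError(f"unrecognised Enc field: {enc}")
    return m.group("alg"), int(m.group("bits"))


def parse_nessus_ciphers(text: str) -> List[CipherRecord]:
    """Parse the plugin output; section headers are skipped, protocol lines
    set the protocol recorded for the cipher lines that follow them."""
    records: List[CipherRecord] = []
    protocol = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if PROTOCOL_LINE.match(line):
            protocol = line
            continue
        m = CIPHER_LINE.match(line)
        if not m:
            continue  # e.g. "Low Strength Ciphers (< 56-bit key)"
        alg, bits = _parse_enc(m.group("enc"))
        records.append(CipherRecord(
            protocol, m.group("name"), m.group("kx"), m.group("au"),
            alg, bits, m.group("mac"), bool(m.group("export"))))
    return records


def strength(rec: CipherRecord) -> str:
    """Same buckets the Nessus plugin uses, keyed on symmetric key length."""
    if rec.enc_bits < 56:
        return "low"
    if rec.enc_bits < 112:
        return "medium"
    return "high"


def ciphers_to_disable(records: List[CipherRecord]) -> List[str]:
    """Names to remove: anything below the high bucket, or export-grade."""
    return sorted({r.name for r in records if strength(r) != "high" or r.export})


def ciphers_to_keep(records: List[CipherRecord]) -> List[str]:
    disabled = set(ciphers_to_disable(records))
    return sorted({r.name for r in records} - disabled)


if __name__ == "__main__":
    recs = parse_nessus_ciphers(NESSUS_OUTPUT)
    for r in recs:
        print(f"{r.protocol:6} {r.name:26} {strength(r):6} export={r.export}")
    print("disable:", ciphers_to_disable(recs))
    print("keep:   ", ciphers_to_keep(recs))
```

One caveat when reusing the thresholds: the plugin places `3DES(168)` in the high bucket, but its effective strength is 112 bits and the cipher has since been deprecated for TLS because of its 64-bit block size, so a current allowlist would drop `EDH-DSS-DES-CBC3-SHA` as well. The export suites also advertise `Kx=DH(512)`, a 512-bit ephemeral DH group, which is a second independent reason to remove them.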

Activity

Jacob Brauer added a comment - 12/Nov/07 12:19 PM
Added 'https.ciphers' in mirth.properties that allows adding or removing specific ciphers.
Set used ciphers on the Jetty SSL listener.

People

Dates

  • Created: 13/Jul/07 11:18 AM
  • Updated: 22/Dec/09 2:56 PM
  • Resolved: 12/Nov/07 12:19 PM

Time Tracking

  • Estimated: 10m (original estimate 10 minutes)
  • Remaining: 10m (remaining estimate 10 minutes)
  • Logged: Not Specified