Mirth Connect

Disable weak SSL ciphers in Jetty server

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.6.0, 4.0
  • Fix Version/s: 1.7.0
  • Component/s: Server
  • Labels:
    None
  • Environment:
    Any Platform

Description

Weak ssl ciphers are supported by built in Jetty https server. Change to strong ciphers.

Jetty howto: http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

Nessus output:
Synopsis :

The remote service supports the use of weak SSL ciphers.

Description :

The remote host supports the use of SSL ciphers that
offer either weak encryption or no encryption at all.

See also :

http://www.openssl.org/docs/apps/ciphers.html

Solution :

Reconfigure the affected application if possible to avoid use of
weak ciphers.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C/A:N/I:N/B:N)

Plugin output :

Here is a list of the SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
TLSv1
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
TLSv1
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}

Kx=

{key exchange}

Au=

{authentication}

Enc=

{symmetric encryption method}

Mac=

{message authentication code} {export flag}

Nessus ID : 21643

Issue Links

clones

Improvement - An improvement or enhancement to an existing feature or task. MIRTH-1924 Disable weak SSL ciphers in Jetty server

  • Minor - Minor loss of function, or other problem where easy workaround is present.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jacob Brauer added a comment -

Added 'https.ciphers' in mirth.properties that allows adding or removing specific ciphers.
Set used ciphers on the jetty ssl listener.

Show
Jacob Brauer added a comment - Added 'https.ciphers' in mirth.properties that allows adding or removing specific ciphers. Set used ciphers on the jetty ssl listener.
Hide
Permalink
Gerald Bortis added a comment -

This fix needs to be re-applied to 2.x since it was removed during the Jetty 7.x upgrade.

Show
Gerald Bortis added a comment - This fix needs to be re-applied to 2.x since it was removed during the Jetty 7.x upgrade.

People

  • Assignee:
    Gerald Bortis
    Reporter:
    stevier
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:

Time Tracking

Estimated:
10m
Original Estimate - 10 minutes
Remaining:
10m
Remaining Estimate - 10 minutes
Logged:
Not Specified
Time Spent - Not Specified