Mirth Connect

Disable weak SSL ciphers in Jetty server

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.6.0, 4.0
  • Fix Version/s: 1.7.0
  • Component/s: Server
  • Labels: None
  • Environment: Any Platform

Description

Weak SSL ciphers are supported by the built-in Jetty HTTPS server. Change to strong ciphers.

Jetty howto: http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites


Nessus output:
Synopsis :

The remote service supports the use of weak SSL ciphers.

Description :

The remote host supports the use of SSL ciphers that
offer either weak encryption or no encryption at all.

See also :

http://www.openssl.org/docs/apps/ciphers.html

Solution :

Reconfigure the affected application if possible to avoid use of
weak ciphers.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :

Here is a list of the SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
TLSv1
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
TLSv1
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}


Nessus ID : 21643
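The field layout described above is regular enough to check mechanically. The following is an added example, not code from the Mirth project or from this ticket: it parses plugin-output lines in that layout and reproduces the Low / Medium / High buckets Nessus uses, so the same classification can be re-run over a scanner export after the cipher change. The sample input is the cipher lines quoted above plus one constructed NULL-SHA line to cover the "no encryption at all" case.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the four cipher lines from the plugin output above, plus
# one constructed NULL-cipher line in the same layout (Enc=None, no key size).
SAMPLE_OUTPUT = """\
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
"""

class Cipher(NamedTuple):
    name: str      # OpenSSL cipher name
    kx: str        # key exchange, e.g. DH or DH(512)
    au: str        # authentication
    enc: str       # symmetric encryption method
    bits: int      # symmetric key size as printed (0 when Enc=None)
    mac: str       # message authentication code
    export: bool   # trailing "export" flag present

# One line: {name} Kx={kx} Au={au} Enc={alg}({bits}) Mac={mac} [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)

def parse_line(line: str) -> Optional[Cipher]:
    """Parse one cipher line; returns None for headings such as 'SSLv3' or 'TLSv1'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Cipher(m["name"], m["kx"], m["au"], m["enc"],
                  int(m["bits"] or 0), m["mac"], m["export"] is not None)

def strength(c: Cipher) -> str:
    """Bucket a cipher with the key-size thresholds used in the report headings."""
    if c.export or c.bits < 56:   # export-grade and Enc=None (bits 0) are both low
        return "low"
    if c.bits < 112:
        return "medium"
    return "high"

def weak_ciphers(text: str) -> list:
    """Names of every cipher in the output that does not land in the 'high' bucket."""
    parsed = filter(None, (parse_line(line) for line in text.splitlines()))
    return [c.name for c in parsed if strength(c) != "high"]
```

Run against a fresh scan of the listener, an empty result from `weak_ciphers` is the condition this ticket asks for.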

Activity

Jacob Brauer added a comment -
Added 'https.ciphers' in mirth.properties that allows adding or removing specific ciphers.
Set used ciphers on the jetty ssl listener.

Gerald Bortis added a comment -
This fix needs to be re-applied to 2.x since it was removed during the Jetty 7.x upgrade.

Time Tracking

  • Estimated: 10m (Original Estimate - 10 minutes)
  • Remaining: 10m (Remaining Estimate - 10 minutes)
  • Logged: Not Specified (Time Spent - Not Specified)