Mirth Connect / MIRTH-412

Disable weak SSL ciphers in Jetty server

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.6.0, 4.0
    • Fix Version/s: 1.7.0
    • Component/s: Server
    • Labels: None
    • Environment: Any Platform

      Description

      Weak SSL ciphers are supported by the built-in Jetty HTTPS server. Change to strong ciphers.

      Jetty howto: http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

      Nessus output:
      Synopsis :

      The remote service supports the use of weak SSL ciphers.

      Description :

      The remote host supports the use of SSL ciphers that
      offer either weak encryption or no encryption at all.

      See also :

      http://www.openssl.org/docs/apps/ciphers.html

      Solution :

      Reconfigure the affected application if possible to avoid use of
      weak ciphers.

      Risk factor :

      Low / CVSS Base Score : 2
      (AV:R/AC:L/Au:NR/C/A:N/I:N/B:N)

      Plugin output :

      Here is a list of the SSL ciphers supported by the remote server :

      Low Strength Ciphers (< 56-bit key)
      SSLv3
      EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
      TLSv1
      EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export

      Medium Strength Ciphers (>= 56-bit and < 112-bit key)
      SSLv3
      EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
      TLSv1
      EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1

      High Strength Ciphers (>= 112-bit key)
      SSLv3
      EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
      TLSv1
      EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
      DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

      The fields above are :

      {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

      Nessus ID : 21643
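As an added example (not code from the Mirth project or from this ticket), the following Python parser reads cipher lines in the field layout the Nessus output above describes, classifies each by Nessus's key-size bands, and lists the OpenSSL names an operator would exclude from the HTTPS listener. The sample input is constructed from the lines quoted in the description, plus a NULL cipher line to cover the "no encryption at all" case the synopsis mentions.

```python
import re
from dataclasses import dataclass
# Constructed sample in the layout of the Nessus output quoted above: a protocol
# line, then one cipher per line; export-grade ciphers carry a trailing "export".
SAMPLE = """\
SSLv3
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
"""
# {name} Kx={kx} Au={au} Enc={alg}({bits}) Mac={mac} [export]; the key size is
# optional so a NULL cipher ("no encryption at all") still parses, as 0 bits.
LINE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>[^(\s]+)"
    r"(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$")

@dataclass(frozen=True)
class Cipher:
    protocol: str
    name: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str
    export: bool

def parse_nessus_ciphers(text):
    """One Cipher per cipher line, tagged with the protocol heading above it."""
    protocol, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("SSLv2", "SSLv3", "TLSv1"):
            protocol = line
            continue
        m = LINE.match(line)
        if m:
            found.append(Cipher(protocol, m["name"], m["kx"], m["au"], m["enc"],
                                int(m["bits"] or 0), m["mac"], bool(m["export"])))
    return found

def strength(c):
    """Nessus's bands: < 56-bit key is low, 56..111 medium, >= 112 high."""
    return "low" if c.bits < 56 else "medium" if c.bits < 112 else "high"

def weak_cipher_names(ciphers, min_bits=112):
    """Sorted unique OpenSSL names that are export-grade or below min_bits."""
    return sorted({c.name for c in ciphers if c.export or c.bits < min_bits})
```

Raising min_bits lets the same list be regenerated when the organisation's floor moves above 112 bits.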

          Activity

          Jacob Brauer added a comment -

          Added 'https.ciphers' in mirth.properties that allows adding or removing specific ciphers.
          Set used ciphers on the jetty ssl listener.

          Gerald Bortis added a comment -

          This fix needs to be re-applied to 2.x since it was removed during the Jetty 7.x upgrade.

          John Newman added a comment -

          Hello, it looks like the "https.ciphers" property still has not been merged into 2.x or 3.x; it was done sometime around or before 1.8x but doesn't show in any more recent release.

          This line is present back here: https://svn.mirthcorp.com/connect/tags/1.8.2/server/conf/mirth.properties

          But still not here: https://svn.mirthcorp.com/connect/tags/3.0.0/server/conf/mirth.properties

          It looks like Gerald's comment was never really noticed. Is it possible to get this item reopened and the functionality merged into the current branch? Or, is the server code in the current version actually written to use that line or a default, and we can just go ahead and add it to the properties file ourselves?

          We're getting results from a customer security scan about this: "SSL Server Supports Weak Encryption Vulnerability".

          Thanks!

          Jacob Brauer added a comment -

          This is now done in Mirth.java, see MIRTH-1924.


            People

            • Assignee: Gerald Bortis
            • Reporter: stevier

            Time Tracking

            • Original Estimate: 10m
            • Remaining Estimate: 10m
            • Time Spent: Not Specified