- The remote host uses weak cipher encryption for communication.
- Where SWEET32 is also called 3DES / Birthday attack.
To verify use below command: If the OpenSSL is connected to the host at SSL port & we received the response with the certificate then it's having weak cipher suites.
- openssl s_client -connect Hostname:443 -cipher ""DES:3DES"" -tls1_2
- openssl s_client -connect Hostname:443 -cipher ""DES:3DES"" -tls1_1
- openssl s_client -connect Hostname:443 -cipher ""DES:3DES"" -tls1
- We need to remove below high-lighted mark for weak ciphers & check the application for the same VA point on the instance.
File Name: $TOMCAT_HOME/conf/server.xml
**************************************************
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" acceptorThreadCount="2" maxConnections="-1"
SSLEnabled="true" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreType="jks" keystoreFile="/app/apache-tomcat-7.0.81/cert/serverkeystore.jks" keystorePass="Password@123" truststoreFile="/app/apache-tomcat-7.0.81/cert/truststore.jks" truststorePass="Password@123" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"/>
**************************************************
Thanks 😊
No comments:
Post a Comment