That is great.
Original Message:
Sent: Mar 07, 2023 12:12 PM
From: Rahul Verma
Subject: How to validate which cipher suites are being used in TLS?
Thanks Marcy.
This resolved my issue.
Original Message:
Sent: Mar 02, 2023 12:34 PM
From: Marcy Nunns
Subject: How to validate which cipher suites are being used in TLS?
Yes, I would restart all services on both servers.
Original Message:
Sent: Mar 02, 2023 12:32 PM
From: Rahul Verma
Subject: How to validate which cipher suites are being used in TLS?
Thanks Marcy for sharing this.
Qualys Scan does the following and reports a vulnerability:
QID Detection Logic:
For an SSL-enabled port, the scanner probes and maintains a list of supported SSL/TLS versions. For each supported version, the scanner does an SSL handshake to get a list of KEX methods supported by the server. It reports all KEX methods that are considered weak and lists all server-supported ciphers for each weak key exchange method supported by the server.
The criteria of a weak KEX method is as follows:
The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges or 224 bits for Elliptic Curve Diffie-Hellman key exchanges.
It reports the below impacted algorithms on SSL ports for EDB, Registry etc.
PROTOCOL  CIPHER NAME                 GROUP  KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
TLSv1.2   DHE-RSA-AES256-GCM-SHA384   DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-GCM-SHA256   DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES256-SHA256       DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-SHA256       DHE    1024      yes             80                  low
We have two servers: one hosts the IAM and EDB, and the other Perf VSE, Registry and Portal.
I have made changes to the server with VSE only, but it still reports the same vulnerability.
Do I need to restart all DevTest services on both servers?
Original Message:
Sent: Mar 01, 2023 05:45 PM
From: Marcy Nunns
Subject: How to validate which cipher suites are being used in TLS?
Refer to this KB article: https://knowledge.broadcom.com/external/article?articleId=251607
Original Message:
Sent: Mar 01, 2023 02:36 PM
From: Rahul Verma
Subject: How to validate which cipher suites are being used in TLS?
Thanks Marcy! That works.
Do I need to make any other change as well, in the java.security file or somewhere else, because the RSA key size should not be less than 2048?
We have done changes at the OS level, but the key size is still 1024.
Original Message:
Sent: Mar 01, 2023 01:53 PM
From: Marcy Nunns
Subject: How to validate which cipher suites are being used in TLS?
You can also refer to this link:
https://helpcenter.gsx.com/hc/en-us/articles/207831828-How-to-identify-the-Cipher-used-by-an-HTTPS-Connection
Original Message:
Sent: Mar 01, 2023 12:00 PM
From: Rahul Verma
Subject: How to validate which cipher suites are being used in TLS?
Hi Folks,
I am trying to restrict TLS to use only bank-supported algorithms by updating the below property in local.properties:
lisa.server.https.cipher.suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
How can I test that the correct ones are being used after the change?
Also, do I need to make any other changes except this? We are using the OpenJDK supplied by DevTest.
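Added example for the two technical points in this thread: how to check which suites a server actually accepts after editing lisa.server.https.cipher.suites (the question above), and how the Qualys weak-KEX criteria quoted in the Mar 02 message apply to the rows it reported. This is example code written for this page, not DevTest's or Qualys' own code. It assumes a properties file in the posted form, IANA suite names of the TLS_(EC)DHE_*_WITH_AES_*_GCM_* kind used in the thread, and a reachable host:port for the two live functions; the sample inputs are constructed and embedded in the block, and the function names (parse_cipher_property, iana_to_openssl, weak_kex_rows, negotiated_cipher, probe_suites) are my own.

```python
import socket
import ssl

# Qualys' stated thresholds (Mar 02 message): 112 bits of security means at least
# 2048-bit DH/RSA key exchange and at least 224-bit elliptic-curve key exchange.
MIN_KEX_BITS = {"DHE": 2048, "RSA": 2048, "ECDHE": 224}

# Constructed sample input, modelled on the property posted in the thread.
SAMPLE_PROPERTIES = """# local.properties (constructed sample)
lisa.server.https.cipher.suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
lisa.other.setting=unrelated
"""

# Constructed sample report: the four rows from the thread plus one ECDHE row.
SAMPLE_REPORT = """PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
TLSv1.2 DHE-RSA-AES256-GCM-SHA384 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-GCM-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES256-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-SHA256 DHE 1024 yes 80 low
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDHE 256 yes 128 low
"""


def parse_cipher_property(text, key="lisa.server.https.cipher.suites"):
    """Read a Java .properties body, honouring trailing-backslash continuation lines
    (leading whitespace on a continuation is dropped, as java.util.Properties does),
    and return the comma-separated suite list configured for `key`."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        entries.append(buf + line)
        buf = ""
    if buf:
        entries.append(buf)
    for entry in entries:
        if entry.startswith("#") or "=" not in entry:
            continue
        k, v = entry.split("=", 1)
        if k.strip() == key:
            return [s.strip() for s in v.split(",") if s.strip()]
    return []


def iana_to_openssl(name):
    """Map an IANA suite name (what the DevTest property takes) to the OpenSSL name a
    scanner report or `openssl s_client` prints, e.g.
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 -> DHE-RSA-AES256-GCM-SHA384.
    Correct for the (EC)DHE AES-GCM suites in the thread; plain-RSA key exchange and
    CBC suites have different OpenSSL spellings and are rejected rather than guessed."""
    kex, _, enc = name.partition("_WITH_")
    if not kex.startswith("TLS_") or not enc or "_GCM_" not in enc or kex == "TLS_RSA":
        raise ValueError(f"unsupported suite name: {name}")
    enc = enc.replace("AES_256", "AES256").replace("AES_128", "AES128")
    return f"{kex[4:]}-{enc}".replace("_", "-")


def weak_kex_rows(report_text):
    """Apply the Qualys criteria to report rows of the form PROTOCOL CIPHER GROUP KEY-SIZE ...
    and return [(cipher, group, bits)] for rows whose key-exchange size is below the minimum."""
    weak = []
    for line in report_text.strip().splitlines()[1:]:  # skip the header row
        _proto, cipher, group, bits = line.split()[:4]
        if int(bits) < MIN_KEX_BITS.get(group, 0):
            weak.append((cipher, group, int(bits)))
    return weak


def negotiated_cipher(host, port, timeout=5.0):
    """Connect once with default client settings and return what the server picked:
    (TLS version, OpenSSL cipher name, cipher secret bits)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # certificate trust is not what this probe measures
    ctx.verify_mode = ssl.CERT_NONE  # assumption: test servers may use self-signed certs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


def probe_suites(host, port, iana_suites, timeout=5.0):
    """Offer the server exactly one TLS 1.2 suite per handshake and record whether it
    accepts it: {suite: True/False, or None if the local OpenSSL lacks the suite}."""
    results = {}
    for suite in iana_suites:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(iana_to_openssl(suite))
        except (ssl.SSLError, ValueError):
            results[suite] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[suite] = True
        except ssl.SSLError:
            results[suite] = False  # handshake refused: suite no longer offered
    return results


if __name__ == "__main__":
    import sys
    suites = parse_cipher_property(SAMPLE_PROPERTIES)
    print("configured:", suites)
    print("weak KEX rows:", weak_kex_rows(SAMPLE_REPORT))
    if len(sys.argv) == 3:  # python probe.py <host> <port>
        host, port = sys.argv[1], int(sys.argv[2])
        print("negotiated:", negotiated_cipher(host, port))
        for suite, ok in probe_suites(host, port, suites).items():
            print(f"{suite:45} {'accepted' if ok else 'rejected' if ok is False else 'unknown locally'}")
```

Two caveats when reading the results. First, the suite list only controls which suites the JVM offers; the Qualys finding is about the size of the ephemeral DH parameters used by the DHE suites, which is a separate JSSE setting (the jdk.tls.ephemeralDHKeySize system property), so trimming the list alone leaves the 1024-bit key size the thread observed. Second, Python's ssl module does not expose the DH parameter size; `openssl s_client -connect host:port -tls1_2 -cipher DHE-RSA-AES256-GCM-SHA384` prints a `Server Temp Key:` line whose bit count is the number to compare against 2048.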