Recently, our internal auditing team dinged us on the cipher suites that are being used for our UMP. The report that they run is a Qualys SSL Labs report. The audit hit we are receiving is a grade of 'B' for cipher strength. The reason for the 'B' is:
Penalty for not using AEAD suites (B)
Your site should use secure cipher suites. AEAD is the only encryption approach without any known weaknesses. The alternative, CBC encryption, is susceptible to timing attacks (as implemented in TLS). AEAD suites provide strong authentication, key exchange, forward secrecy, and encryption of at least 128 bits. TLS 1.3 supports only AEAD suites. SSL Labs doesn’t currently reward the use of AEAD suites. In this grading criteria update we will start requiring AEAD suites for A.
Grade will be capped to B, if AEAD suites are not supported. As with forward secrecy, we will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them.
Last night I attempted a number of AEAD compliant variations, but none would produce the wanted results. The issues I ran into when testing the connection, after restarting the wasp probe, were either:
- Could not access the UMP due to a cipher mismatch
- Could access the UMP, but the Qualys report was worse off: grade of 'F' instead of 'B'
So my question is, has anyone run into a similar issue, and have you successfully hardened the server? If so, any advice or pointers would be appreciated.
CA UMP ver 8.47
A support case has been opened as well.
Resolution from support case:
-> Change the HTTPS Ciphers https://docops.ca.com/ca-unified-infrastructure-management/8-47/en/installing-ca-uim/optional-post-installation-tasks/configure-https-in-admin-console-or-ump#ConfigureHTTPSinAdminConsoleorUMP-(Optional)ChangetheHTTPSCiphers
-> How to disable weak SSL or TLS protocol and weak ciphers in UMP ( KB article, TEC1362802) https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC1362802.html
At this time there is no resolution for this issue. The case was closed because we ran out of options. We've tested extensively in our lab and have not yet determined a combination of ciphers that will satisfy the AEAD cipher suite standards.
Perhaps CA developers or support (or whichever team would perform the testing) could spend some time in the lab determining the needed combination of ciphers that we should implement into the wasp.cfg file.
My next step is to reach out to my Account Manager to see if they have any info regarding this matter.
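A pre-flight check for the cipher list before restarting the wasp probe, added here as an example and not code from this thread or from CA. It applies the SSL Labs rule quoted in the original post (no AEAD suite at all caps the grade at B; non-AEAD suites are tolerated if AEAD suites are offered first) to a candidate list, and cross-checks the name-based classification against the local OpenSSL's own AEAD flag. The sample cipher string is constructed; the real wasp.cfg key and syntax are whatever the linked CA documentation specifies.

```python
"""Classify a candidate TLS cipher list the way the SSL Labs AEAD criterion reads it.
Constructed example for this thread; cipher names are illustrative and nothing here
is taken from wasp.cfg or CA documentation."""
import re
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")  # AES-GCM, ChaCha20-Poly1305, AES-CCM


def classify(suite: str) -> str:
    """Return 'aead', 'cbc' or 'other' for an IANA or OpenSSL cipher suite name."""
    u = suite.strip().upper()
    if any(m in u for m in AEAD_MARKERS):
        return "aead"
    # OpenSSL names omit the mode for CBC suites (e.g. ECDHE-RSA-AES256-SHA384)
    if "CBC" in u or re.search(r"AES|CAMELLIA|SEED|IDEA|DES", u):
        return "cbc"
    return "other"  # RC4, NULL, export-grade, or OpenSSL keywords like HIGH


def parse_cipher_list(text: str) -> list:
    """Split an OpenSSL-style (':') or comma/space separated list; drop '!'/'-' exclusions."""
    return [s for s in re.split(r"[:,\s]+", text) if s and not s.startswith(("!", "-"))]


def assess(suites: list) -> dict:
    """Group suites and report the two things the SSL Labs AEAD rule cares about."""
    groups = {"aead": [], "cbc": [], "other": []}
    for s in suites:
        groups[classify(s)].append(s)
    first_aead = next((i for i, s in enumerate(suites) if classify(s) == "aead"), None)
    first_cbc = next((i for i, s in enumerate(suites) if classify(s) == "cbc"), None)
    return {
        **groups,
        "capped_to_b": not groups["aead"],  # no AEAD suite at all -> grade capped to B
        # assumes the server uses list order as its preference order (an assumption)
        "aead_first": first_aead is not None and (first_cbc is None or first_aead < first_cbc),
    }


def openssl_cross_check(cipher_list: str) -> dict:
    """Map each suite the local OpenSSL loads from cipher_list to its own AEAD flag.
    Returns {} if OpenSSL rejects the whole list, which is itself a useful signal."""
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return {}
    return {c["name"]: c["aead"] for c in ctx.get_ciphers()}
```

Run `assess(parse_cipher_list(candidate))` on each candidate before editing wasp.cfg; a result with `capped_to_b` True reproduces the B, and `openssl_cross_check` returning `{}` means the local library cannot load that list at all.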