DX Unified Infrastructure Management

  • 1.  CA UMP - TLS 1.2 - AEAD Cipher Suites

    Posted Mar 30, 2018 12:15 PM

    Hey Guys,

     

    Recently, our internal auditing team dinged us on the cipher suites that are being used for our UMP.  The report that they run is a Qualys SSL Labs report.  The audit hit we are receiving is a grade of 'B' for cipher strength.  The reason for the 'B' is:

     

          Penalty for not using AEAD suites (B)

          Your site should use secure cipher suites. AEAD is the only encryption approach without any known weaknesses. The alternative, CBC encryption, is susceptible to timing attacks (as implemented in TLS). AEAD suites provide strong authentication, key exchange, forward secrecy, and encryption of at least 128 bits. TLS 1.3 supports only AEAD suites. SSL Labs doesn't currently reward the use of AEAD suites. In this grading criteria update we will start requiring AEAD suites for A.

          Grade will be capped to B, if AEAD suites are not supported. As with forward secrecy, we will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them.

     

    Last night I attempted a number of AEAD compliant variations, but none would produce the wanted results.  The issues I ran into when testing the connection, after restarting the wasp probe, were either:

     

          - Could not access the UMP due to a cipher mismatch

          - Could access the UMP but the Qualys report was worse off - Grade of 'F', instead of 'B'

     

    So my question is, has anyone run into a similar issue and have you successfully hardened the server?  If so, any advice or pointers would be appreciated.

     

    Additional info:

    CA UMP ver 8.47

    Support case has been opened as well

     

    Thanks,

    Chris A.
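The Qualys text quoted above boils down to two checks on the server's ordered cipher list: at least one AEAD suite (GCM, CCM or ChaCha20-Poly1305) must be offered, and AEAD suites should be preferred ahead of CBC suites so that capable clients actually negotiate them. The script below, an added example and not code from the thread or from CA/Broadcom, applies those two checks to an ordered list of suite names in either IANA (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`) or OpenSSL (`ECDHE-RSA-AES128-GCM-SHA256`) spelling. It does not know the wasp.cfg key names (the post does not give them), so the input is simply the list of suites you intend to configure, and the `local_default_suites()` helper shows what the local OpenSSL build would offer by default for comparison.

```python
"""Audit an ordered TLS cipher-suite list against the SSL Labs AEAD rule.

Added example (not CA/Broadcom code). Input is a list of suite names as a
server would offer them, in server preference order; the wasp.cfg key that
carries this list is not known from the thread and is left out on purpose.
"""
import ssl

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")   # AEAD bulk ciphers
FS_KEX = ("ECDHE", "DHE")                    # forward-secret key exchange


def normalize(name):
    """Return upper-case name tokens for IANA or OpenSSL suite spellings."""
    n = name.upper().replace("-", "_")
    if n.startswith("TLS_"):
        n = n[4:]
    n = n.replace("_WITH_", "_")
    return n.split("_")


def classify(name):
    """Classify one suite: AEAD or not, and forward secrecy or not.

    TLS 1.3 suites (TLS_AES_128_GCM_SHA256 etc.) carry no key-exchange
    prefix, so a leading 'AES' or 'CHACHA20' token is taken as TLS 1.3,
    which always has forward secrecy.
    """
    toks = normalize(name)
    aead = any(m in toks for m in AEAD_MARKERS)
    tls13 = toks[0] in ("AES", "CHACHA20")
    fs = tls13 or toks[0] in FS_KEX
    return {"name": name, "aead": aead, "fs": fs}


def audit(server_order):
    """Return (grade_cap, findings) for an ordered cipher list.

    grade_cap is 'B' when no AEAD suite is present (the SSL Labs cap quoted
    in the post), otherwise None. findings lists the reasons a reviewer
    would raise, including CBC-before-AEAD ordering and missing FS.
    """
    infos = [classify(s) for s in server_order]
    findings = []
    aead_idx = [i for i, c in enumerate(infos) if c["aead"]]
    if not aead_idx:
        cap = "B"
        findings.append("no AEAD suite offered: SSL Labs caps the grade at B")
    else:
        cap = None
        first_non = next((i for i, c in enumerate(infos) if not c["aead"]), None)
        if first_non is not None and first_non < aead_idx[0]:
            findings.append("a non-AEAD suite is preferred before the first AEAD "
                            "suite; AEAD-capable clients may still negotiate CBC")
    if any(not c["fs"] for c in infos):
        findings.append("some suites lack forward secrecy (non-(EC)DHE key exchange)")
    return cap, findings


def local_default_suites():
    """Names of the suites the local OpenSSL build offers by default."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


if __name__ == "__main__":
    # Constructed sample: a CBC-only list like the one that earns a 'B'.
    cbc_only = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256"]
    # Constructed sample: AEAD first, CBC fallback, all forward-secret.
    hardened = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256"]
    for label, suites in (("cbc_only", cbc_only), ("hardened", hardened)):
        cap, findings = audit(suites)
        print(label, "cap:", cap, "findings:", findings)
    print("local defaults:", local_default_suites()[:5], "...")
```

A list passes the AEAD check when `audit()` returns no cap and no ordering finding; the remaining finding about forward secrecy is the separate SSL Labs criterion the quoted text mentions in passing.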



  • 2.  Re: CA UMP - TLS 1.2 - AEAD Cipher Suites

    Broadcom Employee
    Posted Apr 16, 2018 09:46 AM


  • 3.  Re: CA UMP - TLS 1.2 - AEAD Cipher Suites

    Posted Apr 16, 2018 10:07 AM

    Hi Marco,

     

    At this time there is no resolution for this issue.  The case was closed because we ran out of options.  We've tested extensively in our lab and have not yet determined a combination of ciphers that will satisfy the AEAD cipher suite standards.

     

    Perhaps CA developers or support (or whichever team would perform the testing) could spend some time in the lab determining the needed combination of ciphers that we should implement into the wasp.cfg file.

     

    My next step is to reach out to my Account Manager to see if they have any info regarding this matter.

     

    Thanks,

    Chris A.