Disabling cipher suites or protocols

Matthias
January 18, 2023

We are running Fisheye 4.6.1 and I am trying to disable weak cipher suites.

My config.xml has the following section:

<web-server site-url="https://crucible.xxxxxxxx.dom">
<http bind="0.0.0.0:8060" proxy-port="443" proxy-scheme="https" proxy-host="crucible.xxxxxxxxx.dom"/>
<ssl bind=":6443" keystore="/srv/crucible/keystoreneu.kst" keystore-password="xxxxxxxxxxx" truststore="/srv/crucible/keystoreneu.kst" truststore-password="xxxxxxxxx">
<excludeProtocols>
<protocol>SSLv3</protocol>
<protocol>TLSv1</protocol>
<protocol>TLSv1.1</protocol>
</excludeProtocols>
<excludeCipherSuites>
<cipherSuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
<cipherSuite>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
<cipherSuite>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
</excludeCipherSuites>
<proxy-info proxy-host="crucible.xxxxxxxx.dom" proxy-port="443" proxy-scheme="https"/>
</ssl>

</web-server>

An sslscan shows this:

sslscan localhost:6443
Version: 2.0.10
OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.16.1

Connected to ::1

Testing SSL server localhost on port 6443 using SNI name localhost

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.2 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 112 bits TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA


So not all excluded cipher suites work.

Kind regards

Matthias
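An added check, not part of the post or of Atlassian's code, that cross-references the excludeCipherSuites list from config.xml with the accepted-cipher lines of an sslscan run, so a mismatch like the one above is caught automatically; the config fragment and scan lines below are constructed from the post with secrets replaced. It goes beyond the post's exclusion list by also flagging accepted suites with no forward secrecy, 3DES or sub-128-bit ciphers, and finite-field DH groups under 2048 bits (the "DHE 1024 bits" in the scan).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the excludeCipherSuites part of a Fisheye config.xml, secrets replaced.
CONFIG_XML = """<web-server site-url="https://crucible.example.dom">
  <ssl bind=":6443"><excludeCipherSuites>
      <cipherSuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      <cipherSuite>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      <cipherSuite>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
  </excludeCipherSuites></ssl>
</web-server>"""

# Constructed sample of sslscan's cipher section, shaped like the output in the post.
SSLSCAN_OUTPUT = """Supported Server Cipher(s):
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 112 bits TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
"""

# sslscan line shape: <Preferred|Accepted> <proto> <bits> bits <name> [key-exchange details]
CIPHER_LINE = re.compile(r"^(?:Preferred|Accepted)\s+(\S+)\s+(\d+) bits\s+(\S+)\s*(.*)$")
# Finite-field DH group size appears as "DHE <n> bits"; ECDHE lines say "Curve P-256 DHE 256" (no "bits").
FFDHE_BITS = re.compile(r"DHE (\d+) bits")
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_")  # OpenSSL and IANA spellings

def excluded_suites(config_xml):
    """Cipher suite names listed under <excludeCipherSuites> (IANA names, as Jetty expects)."""
    return {e.text.strip() for e in ET.fromstring(config_xml).iter("cipherSuite")}

def accepted_ciphers(scan_text):
    """(protocol, bits, name, details) for every cipher the scanned server accepted."""
    matches = (CIPHER_LINE.match(line.strip()) for line in scan_text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4)) for m in matches if m]

def audit(config_xml, scan_text):
    """Exclusions that did not take effect, plus suites that are weak regardless of the config."""
    excluded = excluded_suites(config_xml)
    findings = {"excluded_but_accepted": [], "no_forward_secrecy": [], "weak": []}
    for _proto, bits, name, details in accepted_ciphers(scan_text):
        if name in excluded:
            findings["excluded_but_accepted"].append(name)
        if not name.startswith(PFS_PREFIXES):  # static RSA key exchange
            findings["no_forward_secrecy"].append(name)
        dh = FFDHE_BITS.search(details)
        if "3DES" in name or bits < 128 or (dh and int(dh.group(1)) < 2048):
            findings["weak"].append(name)
    return findings
```

Run it against the real config.xml and a fresh `sslscan localhost:6443` capture; an empty `excluded_but_accepted` list is the evidence that the exclusion actually took effect.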
