[MIRTH-412] Disable weak SSL ciphers in Jetty server

Created: 13/Jul/07    Updated: 24/Oct/13    Resolved: 15/Aug/11

Status: Closed
Project: Mirth Connect
Component/s: Server
Affects Version/s: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.6.0, 4.0
Fix Version/s: 1.7.0

Type: Improvement
Reporter: stevier
Resolution: Fixed
Labels: None
Remaining Estimate: 10 minutes
Time Spent: Not Specified
Original Estimate: 10 minutes
Environment: Any Platform

Priority: Minor
Assignee: Gerald Bortis
Votes: 0

Issue Links:
    Cloners: is cloned by MIRTH-1924 Disable weak SSL ciphers in Jetty server (Closed)

Description

Weak SSL ciphers are supported by the built-in Jetty HTTPS server. Change to strong ciphers.

Jetty howto: http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

Nessus output:

    Synopsis :
    The remote service supports the use of weak SSL ciphers.

    Description :
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

    See also :
    http://www.openssl.org/docs/apps/ciphers.html

    Solution :
    Reconfigure the affected application if possible to avoid use of weak ciphers.

    Risk factor :
    Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C /A:N/I:N/B:N)

    Plugin output :
    Here is a list of the SSL ciphers supported by the remote server :

    Low Strength Ciphers (< 56-bit key)
      SSLv3 EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
      TLSv1 EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export

    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
      SSLv3 EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
      TLSv1 EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1

    High Strength Ciphers (>= 112-bit key)
      SSLv3 EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
      TLSv1 EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
      DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

    The fields above are :
      {OpenSSL ciphername}
      Kx={key exchange}
      Au={authentication}
      Enc={symmetric encryption method}
      Mac={message authentication code}
      {export flag}

    Nessus ID : 21643

Comments

Comment by Jacob Brauer [ 12/Nov/07 ]
Added 'https.ciphers' in mirth.properties that allows adding or removing specific ciphers. Set used ciphers on the Jetty SSL listener.

Comment by Gerald Bortis [ 10/Aug/11 ]
This fix needs to be re-applied to 2.x since it was removed during the Jetty 7.x upgrade.

Comment by John Newman [ 24/Oct/13 ]
Hello, it looks like the "https.ciphers" property still has not been merged into 2.x or 3.x; it was done sometime around or before 1.8x but doesn't show in any more recent release.

This line is present back here: https://svn.mirthcorp.com/connect/tags/1.8.2/server/conf/mirth.properties

But still not here: https://svn.mirthcorp.com/connect/tags/3.0.0/server/conf/mirth.properties

It looks like Gerald's comment was never really noticed. Is it possible to get this item reopened and the functionality merged into the current branch? Or is the server code in the current version actually written to use that line or a default, and we can just go ahead and add it to the properties file ourselves?

We're getting results from a customer security scan about this, "SSL Server Supports Weak Encryption Vulnerability". Thanks!

Comment by Jacob Brauer [ 24/Oct/13 ]
This is now done in Mirth.java, see .

Generated at Tue Feb 09 21:28:26 PST 2016 using JIRA 6.2.7#6265sha1:91604a8de81892a3e362e0afee505432f29579b0.
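The Nessus plugin output quoted in the description lists each suite with its encryption algorithm and key length, and the comments show that the fix is a list of suites to exclude on the Jetty SSL listener. As an added example (not part of this issue or of the Mirth Connect code), the Python below parses those cipher lines, applies the strength buckets quoted in the report, and returns the suites a scan-driven exclusion list would contain; the sample input is the scan output from the issue, and the JSSE name table covers only the four suites it lists.

```python
import re

# Constructed sample: the cipher lines from the Nessus plugin output quoted in the issue.
NESSUS_OUTPUT = """\
SSLv3 EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
TLSv1 EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
SSLv3 EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
TLSv1 EDH-DSS-DES-CBC-SHA Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
SSLv3 EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
TLSv1 EDH-DSS-DES-CBC3-SHA Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DHE-DSS-AES128-SHA Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
"""

# One cipher line: optional protocol, OpenSSL name, Kx=, Au=, Enc=ALG(bits), Mac=, optional
# export flag. Enc=None (no encryption) carries no bit count and is treated as 0 bits.
LINE_RE = re.compile(
    r"^(?:(?P<proto>SSLv[23]|TLSv1(?:\.\d)?)\s+)?(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)(?:\s+(?P<export>export))?\s*$"
)
# Standard JSSE names for the OpenSSL names seen in this scan; a Jetty exclusion list uses these.
JSSE_NAMES = {
    "EXP-EDH-DSS-DES-CBC-SHA": "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "EDH-DSS-DES-CBC-SHA": "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "EDH-DSS-DES-CBC3-SHA": "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "DHE-DSS-AES128-SHA": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
}

def strength(bits):
    """Nessus buckets quoted in the report: <56 low, 56..111 medium, >=112 high."""
    return "low" if bits < 56 else "medium" if bits < 112 else "high"

def parse_ciphers(text):
    """One dict per cipher line of the plugin output; heading lines do not match and are skipped."""
    found = []
    for m in filter(None, (LINE_RE.match(l.strip()) for l in text.splitlines())):
        bits = int(m.group("bits") or 0)
        found.append({"protocol": m.group("proto"), "name": m.group("name"), "bits": bits,
                      "export": m.group("export") is not None, "strength": strength(bits)})
    return found

def ciphers_to_exclude(text, min_bits=112):
    """OpenSSL names (deduplicated, in scan order) below min_bits or flagged as export suites."""
    names = []
    for c in parse_ciphers(text):
        if (c["bits"] < min_bits or c["export"]) and c["name"] not in names:
            names.append(c["name"])
    return names

def jsse_exclude_list(text, min_bits=112):
    """The same list in JSSE form, as a Jetty/JSSE cipher exclusion setting expects it."""
    return [JSSE_NAMES.get(n, n) for n in ciphers_to_exclude(text, min_bits)]
```

Re-running the scan after the exclusion list is applied should leave only the high-strength lines; with `min_bits` raised, the same parser flags the 3DES suite as well.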