0

Currently on our windows server (Windows 2016 R2) , we have following cipher suites installed:-

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

Still the following security vulnerabilities are reported for our server as

  1. TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
  2. TLS/SSL Server Supports 3DES Cipher Suite <-- However there are no 3DES ciphers as listed above
  3. TLS/SSL Server Supports The Use of Static Key Ciphers

I am using tomcat 9.0.62. How can I fix these security vulnerabilities.

anonymous
  • 21
  • 7
  • This question is really best asked on the [security](https://security.stackexchange.com/) stackexchange site. – President James K. Polk Jul 10 '22 at 18:45
  • If by "installed" you mean the registry settings, those only apply to the WIndows provider schannel. Tomcat does not use schannel; either it uses the Java implementation JSSE (Java Secure Socket Extension) or via APR (Apache Portable Runtime, aka Tomcat native aka tcnative) it uses OpenSSL. In either case the SSL/TLS configuration for Tomcat is mainly in Tomcat configuration in server.xml, although JSSE can also be affected by JVM configuration (and code) and OpenSSL possibly by OpenSSL configuration depending on the build. But this not a programming or development issue. – dave_thompson_085 Jul 10 '22 at 20:43
  • Yes in registry Cipher suites are specified. I mentioned about tomcat because we have certain applications which are deployed on tomcat. So I am not sure if some apps are implicitly using some weaker cipher suites. How can I check which cipher is being used by which application? our vulnerability scanner keeps on reporting these vulnerabilities – anonymous Jul 11 '22 at 03:09
  • I am using tomcat 9.0.62 now, can you help me how can I configure ciphers suites in server.xml – anonymous Jul 11 '22 at 05:15
  • https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support . Are you _only_ using Tomcat or also IIS or anything that goes through http.sys? The latter would use the schannel settings. Note item 3 'static key cipher(suite)s' _does_ apply to 'plain-RSA' ciphersuites (in TLS1.2 and lower). – dave_thompson_085 Jul 11 '22 at 06:47

0 Answers0