This repository has been archived by the owner on Jan 24, 2023. It is now read-only.

Medium: Weak cipher suites were detected : Perfect Forward Secrecy is not supported #4959

Closed
2 of 9 tasks
manojtyagi2021 opened this issue Aug 2, 2021 · 2 comments

Comments

@manojtyagi2021

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

AppScan DAST scan should not report the "Weak cipher suites were detected: Perfect Forward Secrecy is not supported" vulnerability.

Actual behaviour

AppScan DAST scan reports the "Weak cipher suites were detected: Perfect Forward Secrecy is not supported" vulnerability.

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io/api/v1/auth/verify.

The test result seems to indicate a vulnerability because AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed here.

The following weak cipher suites are supported by the server:

| Id | Name | SSL Version |
|---|---|---|
| 47 | TLS_RSA_WITH_AES_128_CBC_SHA | TLS 1.2 |
| 53 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS 1.2 |
| 60 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 |
| 61 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 |
| 65 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | TLS 1.2 |
| 132 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | TLS 1.2 |
| 156 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 |
| 157 | TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 |
| 186 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS 1.2 |
| 192 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | TLS 1.2 |
| 49232 | TLS_RSA_WITH_ARIA_128_GCM_SHA256 | TLS 1.2 |
| 49233 | TLS_RSA_WITH_ARIA_256_GCM_SHA384 | TLS 1.2 |
| 49308 | TLS_RSA_WITH_AES_128_CCM | TLS 1.2 |
| 49309 | TLS_RSA_WITH_AES_256_CCM | TLS 1.2 |
| 49312 | TLS_RSA_WITH_AES_128_CCM_8 | TLS 1.2 |
| 49313 | TLS_RSA_WITH_AES_256_CCM_8 | TLS 1.2 |

Log output covering before error and any error statements

Insert log here

Detailed Description

[image attachment]

Context

Possible Implementation

Change server's supported ciphersuites
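The scanner's finding is about key exchange, not the bulk cipher: every suite in the list above starts with `TLS_RSA_`, meaning the session key is encrypted to the server's long-lived RSA key, so a later compromise of that key decrypts recorded traffic. Suites with an ephemeral (EC)DHE key exchange, and all TLS 1.3 suites, do not have this property. The following Go program is an added example, not code from the Stratos project or from this issue: it classifies suites by their IANA name (a heuristic that assumes standard naming), reproduces the scanner's "lacks PFS" verdict over a constructed list that mirrors the report, and builds a server `tls.Config` that offers only forward-secret TLS 1.2 suites, which is the "change server's supported ciphersuites" fix in concrete form. The list of candidate suites comes from Go's own `crypto/tls`; whether the Stratos backend uses Go's TLS stack or a front-end proxy terminates TLS is not established by the issue.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// reportedSuites is a constructed sample: four suites copied from the scanner
// report above, plus two forward-secret suites (not in the report) for contrast.
var reportedSuites = []string{
	"TLS_RSA_WITH_AES_128_CBC_SHA",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
	"TLS_RSA_WITH_AES_128_CCM_8",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // constructed: ephemeral ECDH key exchange
	"TLS_AES_256_GCM_SHA384",                // constructed: TLS 1.3, always ephemeral
}

// HasForwardSecrecy classifies a suite by its IANA name. Ephemeral (EC)DHE key
// exchange gives forward secrecy; TLS 1.3 suite names (TLS_AES_*, TLS_CHACHA20_*)
// omit the key exchange because it is always ephemeral. Static RSA (TLS_RSA_*)
// or static DH (TLS_DH_*) key exchange does not. Name-based classification is
// a heuristic and assumes standard IANA naming.
func HasForwardSecrecy(name string) bool {
	switch {
	case strings.Contains(name, "_ECDHE_"), strings.Contains(name, "_DHE_"):
		return true
	case strings.HasPrefix(name, "TLS_AES_"), strings.HasPrefix(name, "TLS_CHACHA20_"):
		return true
	}
	return false
}

// NonPFSSuites returns the subset of names a scanner would flag for missing PFS.
func NonPFSSuites(names []string) []string {
	var flagged []string
	for _, n := range names {
		if !HasForwardSecrecy(n) {
			flagged = append(flagged, n)
		}
	}
	return flagged
}

// supportsTLS12 reports whether Go can negotiate this suite under TLS 1.2.
func supportsTLS12(cs *tls.CipherSuite) bool {
	for _, v := range cs.SupportedVersions {
		if v == tls.VersionTLS12 {
			return true
		}
	}
	return false
}

// ForwardSecretConfig builds a server tls.Config whose TLS 1.2 suites all use
// ephemeral key exchange. tls.CipherSuites() already omits suites Go marks
// insecure; TLS 1.3 suites are not configurable in Go and are always ephemeral,
// so only the TLS 1.2 list needs restricting.
func ForwardSecretConfig() *tls.Config {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if supportsTLS12(cs) && HasForwardSecrecy(cs.Name) {
			ids = append(ids, cs.ID)
		}
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: ids,
	}
}

// AllForwardSecret audits a configured ID list by mapping each ID back to its
// IANA name; an empty list fails, since it would fall back to Go's defaults.
func AllForwardSecret(ids []uint16) bool {
	if len(ids) == 0 {
		return false
	}
	for _, id := range ids {
		if !HasForwardSecrecy(tls.CipherSuiteName(id)) {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("suites lacking forward secrecy:")
	for _, n := range NonPFSSuites(reportedSuites) {
		fmt.Println("  ", n)
	}
	cfg := ForwardSecretConfig()
	fmt.Printf("configured %d TLS 1.2 suites, all forward secret: %v\n",
		len(cfg.CipherSuites), AllForwardSecret(cfg.CipherSuites))
}
```

Leaving `CipherSuites` unset means Go chooses its own default list, which has changed across releases, so pinning the list (and auditing it with something like `AllForwardSecret`) is what makes the server's behaviour independent of the toolchain version. The same name-based classification works on any scanner output that uses IANA suite names, which is why the example reads a list of names rather than only Go's own table.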

@richard-cox
Contributor

@manojtyagi2021 What site??

Please be careful when creating issues using automated tools to first read what it produces and then apply some context.

@richard-cox
Contributor

No response, closing.
