[SECURITY] Update default list of SSL/TLS cipher suites to address newer vulnerabilities #5725
Labels
Fix-Commited
Issue fixed and will be available in milestone
Internal-Issue-Created
An issue has been created in NextGen's internal issue tracker
RS-9794
Security
triaged
Milestone
Describe the security issue
WebInspect has detected support for weak TLS/SSL ciphers on the server https://mirth-connect-dast-lb-7e4ea2b6e1f30666.elb.us-west-2.amazonaws.com:8443/.
The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a mechanism to help protect authenticity, confidentiality and integrity of the data transmitted between a client and web server. The strength of this protection mechanism is determined by the authentication, encryption and hashing algorithms. These are collectively known as a cipher suite - chosen for the transmission of sensitive information over the TLS/SSL channel. Most web servers support a range of such cipher suites of varying strengths. Using a weak cipher or an encryption key of insufficient length, for example, could enable an attacker to defeat the protection mechanism and steal or modify sensitive information.
We have many SSL/TLS cipher suites that are showing up in our WebInspect DAST scans.
Vulnerability Location
If misconfigured, a web server could be manipulated into choosing weak cipher suites. Also, new versions of the TLS protocols are backward compatible and provide support for older ciphersuites defined in previous versions of the SSL/TLS protocols. For example, it is possible to configure TLS 1.2 to use older and weak ciphers that use RC4, MD5, SHA-1 and so on.
We recommend updating the web server configuration to remove weak ciphers and to always choose the strongest ciphers for encryption.
The text was updated successfully, but these errors were encountered: