Release Automation


SSL configuration on RA repository server still giving obsolete cipher issue.

  • 1.  SSL configuration on RA repository server still giving obsolete cipher issue.

    Posted Dec 04, 2018 02:14 AM

    Hello Team,

     

    After SSL configuration on the RA repository server, following the steps from below:

     

    Configuring SSL for RA repository server - CA Knowledge 

     

    It still gives the following vulnerability issue:

    Connection - obsolete connection settings
    The connection to this site uses TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher).
    Could you please suggest what can be done in order to resolve the issue?


  • 2.  Re: SSL configuration on RA repository server still giving obsolete cipher issue.
    Best Answer

    Broadcom Employee
    Posted Dec 25, 2018 09:24 PM

    Found your support case, so I'd like to share the solution.

     

    Added cipher list to conf/server.xml, and then the vulnerability was resolved.

    <Connector .... port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" ....
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
    </Connector>

     

    However, this configuration is not certified officially. Venkat also said that "I highly recommend that you validate these latest/strong ciphers in test environment before you move to PROD and take backup of server.xml before making any change to it."

     

    Thanks

    Yas
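
A pre-deployment check for the validation step recommended above, added here as an example and not part of the thread or of the vendor's tooling: it parses the `ciphers` attribute of each Connector in a server.xml and classifies every suite by name (forward secrecy, CBC versus AEAD, HMAC-SHA1), and it flags entries run together by a missing comma. The sample XML is constructed from the cipher list in the answer; `SSLEnabled`, `scheme` and `secure` in it are assumed attributes, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the cipher list from the answer inside a complete Connector.
# SSLEnabled/scheme/secure are assumed attributes, not taken from the thread.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_RSA_WITH_AES_256_CBC_SHA256,
                      TLS_RSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>"""


def classify(suite):
    """Return the weaknesses implied by one JSSE-style cipher suite name."""
    if any(ch.isspace() for ch in suite):
        # Two names run together, e.g. a comma missing at a line break.
        return ["malformed entry (missing comma?)"]
    if "_WITH_" not in suite:
        return []  # TLS 1.3 style name: always ephemeral key exchange + AEAD
    key_exchange, _, cipher = suite.partition("_WITH_")
    issues = []
    if not key_exchange.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        issues.append("no forward secrecy")
    if "_CBC_" in cipher:
        issues.append("CBC mode (non-AEAD)")
    if cipher.endswith("_SHA"):
        issues.append("HMAC-SHA1")
    return issues


def audit_connectors(server_xml):
    """Map each Connector port to {suite: [issues]} for its ciphers attribute."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        ciphers = conn.get("ciphers")
        if ciphers is None:
            continue  # connector relies on JVM/Tomcat defaults; nothing to parse
        suites = [s.strip() for s in ciphers.split(",") if s.strip()]
        report[conn.get("port")] = {s: classify(s) for s in suites}
    return report


if __name__ == "__main__":
    for port, suites in audit_connectors(SAMPLE_SERVER_XML).items():
        for name, issues in suites.items():
            print(port, name, "->", ", ".join(issues) or "ok")
```

The classification reads suite names only; confirming what the server actually negotiates still requires a handshake test against the test environment.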