vKeywords: key 1024 SSL TLS 1024 2048 DH KEY
TIBCO Spotfire Node Manager by default uses cipher suites utilising weak DH keys (<2048 bits).
This is true as of version 11.4.7 LTS. This article explains how to disable these so that only 2048 bit keys are used.
The issue may become apparent when running a security scan on a node manager on port 9443 to test for poor cryptographic standards. The Spotfire server does not suffer from the same issue.
The risk can me mitigated by following these steps:
1) The following must be done on both node manager and Spotfire Server. Both services must be stopped before proceeding. This is to avoid any handshake errors when the server and node manager attempt TLS negotiation.
2) On the Spotfire server edit the following file (INSTALLATION_ROOT)\jdk\conf\security\java.security
3) Find the setting called "jdk.tls.disabledAlgorithms". Comment out any lines already declaring this parameter.
4) Create a new entry as follows :
jdk.tls.disabledAlgorithms=SSLv3,TLSv1.0, TLSv1.1, RC4, DES, \
MD5withRSA, \
DH keySize < 2048, \
EC keySize < 224, \
3DES_EDE_CBC, \
anon, \
NULL, \
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
5) Save the file and exit
6) The same must be done on the node manager. In this case the file is located (INSTALLATION_ROOT)\jdk\conf\security\java.security
7) Once both files have been edited, start the spotfire service first and once it's up start the node manager service.
8) A scan can be run on the node manager machine to verify the weak keys are no longer present.
E.g. Using the nmap tool on a Linux system we can evaluate ciphers used on port 443 on a node manager machine. Only DH keys > 1024 will be seen
# nmap -sV --script ssl-enum-ciphers -p 9443 192.168.1.135
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-12 17:32 BST
Nmap scan report for 192.168.1.135
Host is up (0.00064s latency).
PORT STATE SERVICE VERSION
9443/tcp open ssl/tungsten-https?
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
|_ least strength: A
MAC Address: 42:45:46:EE:E3:0F (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
Comments
0 comments
Please sign in to leave a comment.