Securing CACAO - SSL cipher strength

Does anyone know if it is possible to configure the SSL ciphers used by CACAO?
I've got the java web console configured (after a long painful trial and error process).
Is this even the right place to ask this question?

In /var/webconsole/domains/console/conf/server.xml find the relevant "Connector" object and add
cipher="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Found this instruction here:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1225
Edited by: Eleni on Feb 18, 2010 2:33 AM
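An added example, not part of the original post or the linked article: a small audit that reads the Connector cipher list from a server.xml and reports which suites in it carry known weaknesses. The function names and the sample XML are assumptions made for illustration; the script accepts the attribute as `cipher` (as written in the post) or `ciphers` (the name used in Apache Tomcat's connector documentation).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal server.xml holding the cipher list from the post.
# Port 6789 is the web console port named on this page; the rest is illustrative.
SAMPLE_SERVER_XML = """<Server>
  <Service>
    <Connector port="6789" scheme="https" secure="true" cipher="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8080"/>
  </Service>
</Server>"""

# JSSE names have the shape <SSL|TLS>_<key exchange>_WITH_<cipher>_<MAC/hash>.
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$")


def audit_suite(name):
    """Return the weakness findings for one JSSE cipher suite name.

    An empty list only means none of the checks below fired; it is not
    an endorsement of the suite.
    """
    m = SUITE_RE.match(name)
    if not m:
        return ["unrecognised suite name"]
    kx, enc, mac = m.group("kx"), m.group("enc"), m.group("mac")
    findings = []
    if "anon" in kx:
        findings.append("anonymous key exchange (no server authentication)")
    if "EXPORT" in kx:
        findings.append("export-grade key exchange")
    if kx == "RSA":
        findings.append("static RSA key exchange (no forward secrecy)")
    if enc == "NULL":
        findings.append("no encryption")
    if enc.startswith("RC4"):
        findings.append("RC4 (prohibited by RFC 7465)")
    if enc.startswith("DES"):  # DES_CBC and DES40_CBC; 3DES is handled below
        findings.append("single DES (56-bit key or less)")
    if enc.startswith("3DES"):
        findings.append("3DES (64-bit block, Sweet32)")
    if mac == "MD5":
        findings.append("MD5 MAC")
    return findings


def audit_server_xml(xml_text):
    """Map each Connector port that sets a cipher list to {suite: findings}."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        raw = conn.get("ciphers") or conn.get("cipher")
        if raw is None:
            continue  # no explicit list on this connector
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        report[conn.get("port")] = {s: audit_suite(s) for s in suites}
    return report


def clean_suites(report, port):
    """Suites on the given port for which no check fired."""
    return [s for s, f in report[port].items() if not f]


if __name__ == "__main__":
    for port, suites in audit_server_xml(SAMPLE_SERVER_XML).items():
        for suite, findings in suites.items():
            print(port, suite, "; ".join(findings) or "no finding")
```
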

Similar Messages

  • Securing DSEE - configuring CACAO SSL ciphers?

    Is there -any- possible way to set the SSL cipher suites that cacao uses? I've tried nearly everything I can think of, and no matter what it does not make a difference.
    I've already managed to get the actual LDAP SSL port running on high strength ciphers, the Java webconsole (port 6789) on high strength ciphers.. the only thing left is cacao on ports 11163, and 11164 (commandstream and the RMI registry)
    Anyone?

    Just an update, opened a ticket and got this response.
    <quote>
    Cacao uses the default set of ciphers offered by the Java Virtual Machine for TLSv3, as per the standard, which means that it supports a list of ciphers, the weakest of which is DES which is what triggers the scanner's alert.
    Whilst it therefore supports the weaker encryption for clients that specifically request it, the Java client libraries also use the same set of ciphers offered by the Java Virtual Machine, TLSv3 negotiation always chooses the strongest cipher suite, and so this supported cipher is not used.
    As such, there will never be any communication performed by the product using the weaker cipher suites, and this can be considered a 'false positive' in the automated detection of "supported" cipher suites - supported, yes -but used - no.
    I hope that this can help explain why the automated scanner - which is deliberately trying to establish a connection with the DES cipher to see if it can - is reporting the false positive.
    </quote>
    Hope this helps others!

  • SSL Medium Strength Cipher Suites Supported vulnerability

    Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with 768 bit keys.  Here is the text of the vulnerability:
    Synopsis : The remote service supports the use of medium strength SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output : Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv3
      EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
      DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
    TLSv1
      EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
      DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
    The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
    Can someone point me in the right direction on how to re-configure the switch to pass this test?
    Thanks
    Poirot

    I believe the alert there is because you are using a 768 key which was broken recently (in Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768-bit RSA keys are not considered secure enough any more.
    I would suggest you configure keys of 1024 on these switches and try again.
    I hope it helps.
    PK

  • Default Cipher Strength in Internet Explorer 11

    Hello,
    I noticed that the cipher strength is not displayed in the About box with the upgrade to IE 11.  In previous versions of IE however it did display there. Does IE 11 by default set the cipher strength to zero?  From research on other forums I know that you can go to tools>internet options and change settings under the Security and Advanced tabs to enable the cipher strength, but was wondering if the default for IE 11 is that the cipher strength is automatically set to zero and you'd have to go in and enable this manually.
    Your responses in this matter are much appreciated. Thanks in advance! =)
    -E

    Hi,
    on which website are you being denied access? Usually these are Banking websites.
    this occurs because some websites are incorrectly detecting the version of your web browser.
    Select the Tools>Report web page problem to report it to MS (the website) or contact the help/support desk of the website (support links and phone numbers are at the bottom of their web pages)
    Questions regarding Internet Explorer 8, 9 and 10 and Internet Explorer 11 for the IT Pro Audience. Topics covered are: Installation, Deployment, Configuration, Security, Group Policy, Management questions. If you are a consumer looking for answers or to
    raise a question, it's highly recommended you head on over to http://answers.microsoft.com/en-us
    Include with your questions links to any websites you are having problems with and the complete text of any error messages you receive from the browser or web site.
    Regards.
    Rob^_^

  • Whats the encryption method & cipher strength that I should choose?

    Whats the encryption method & cipher strength that I should choose if I deploy the mbam to both Windows 7 and Windows 8 computers?
    Jason

    Well, the answer is- it depends.
    What is the objective of your encryption? With 128 AES, the bits used to encrypt data are fewer than with 256 AES, so you are more secure with 256 AES than if you have selected 128 AES. The flip side is this: since data encryption and decryption is done on the fly when the machine is booted up, the performance penalty, however minuscule it is, will be greater on the drives that are encrypted with 256 AES.
    Mayank Sharma Support Engineer at Microsoft working in Enterprise Platform Support.

  • Securing file download with standard web security and ssl

    Hi,
    I want to put some files for download in my webapp. At the same time, I want to protect these files using standard servlet security and ssl. So I added <security-constraint> in my web.xml and configured tomcat to allow SSL connection. Now I got the files protected as I expected. When I try to access the file directly from browser, tomcat shows me the login page. However, after correct login, I.E. pops up an error saying something like "Internet Explorer cannot download XXX from XXX. The file could not be written to the cache.". The log file showed the following exception:
    javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1154)
         at com.sun.net.ssl.internal.ssl.AppInputStream.available(AppInputStream.java:40)
         at org.apache.tomcat.util.net.TcpConnection.shutdownInput(TcpConnection.java:90)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:752)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1407)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
         at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:747)
         at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:403)
         at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:400)
         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:961)
         at org.apache.coyote.Response.action(Response.java:182)
         at org.apache.coyote.Response.finish(Response.java:304)
         at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:281)
         at org.apache.catalina.connector.Response.finishResponse(Response.java:473)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
         ... 4 more
    Caused by: java.net.SocketException: Connection reset by peer: socket write error
         at java.net.SocketOutputStream.socketWrite0(Native Method)
         at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
         at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
         at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
         at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:663)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         ... 15 more
    I've tried separating concerns, for example protect files but not require SSL, and enable SSL but do not protect files. Both work respectively but not together. I also tried using download4j's DownloadServlet. Still doesn't work.
    Have any of you encountered the same situation? If so, could you enlighten me as to what I did wrong? It may be just a simple SSL configuration or something. Thanks in advance!
    Jack

    My environment setup is:
    JDK 1.5.01
    Tomcat 5.5.7
    For downloading files, I just use plain old <a href> method. I simply right-click the link and choose "save target as...".
    Thanks,
    Jack

  • Flash player not working on internet explorer 8 cipher strength 128-bit

    PLEASE HELP!
    I'm using Windows XP and Internet Explorer 8 with cipher strength 128-bit and Flash player does not work properly, like when I want to watch a music video or listen to music on You Tube it plays then stops and plays and stops continuously. I have installed the latest Flash Player but still have the same problem.
    Please please help anyone!

    That sounds like you either have a very slow Internet connection, or the server at the other end (providing the video) is slow.
    Try clearing your Internet cache; this helps sometimes.

  • Servlet security with SSL

    Hello All,
    I am fairly new to Java and Tomcat etc as I came from a non Java\Tomcat previous role but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL server database on a Windows server. I now require to secure the communication with the SQL Server database using SSL (Two way communication) and would really like some straight forward guidance on how to do this, i.e. what exactly do I do?
    I ask this because there is a lot of information on the Tomcat website and other web sites but I find it becomes very ambiguous and confusing. They mostly talk about setting up a Keystore for the root certificate on the server and then say nothing about the "client". In my servlet's situation the server hosting the SQL server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and an entry to suit in the Tomcat server.xml file.
    Any assistance would be greatly appreciated. I am really stuck with this
    Thank you in advance
    Alanjo

    On 01/14/2014 06:11 AM, Alan Farroll wrote:
    > Hi all,
    >
    > I could not find a more appropriate forum in Eclipse for this question
    > so have placed it in newcomers as I am still quite new to Java\Eclipse
    >
    > We are working on a Java servlet application that involves security with
    > SSL to allow the servlet to run from a server outside our firewall and
    > interrogate databases inside our firewall. It runs on Tomcat 7 and built
    > on Java 1.6.0.29
    >
    > We have had no problems running the servlet on the Test server within
    > the firewall but when running on the Live server outside the firewall
    > the SoapUI request returns nothing and the current Tomcat log error is
    > "java.lang.RuntimeException: Could not generate dummy secret"
    >
    > The problems seem to be with the jce.jar and the sunJCE_provider.jar.
    >
    > Has anybody any assistance they could provide please.
    >
    > Thanks in advance
    >
    > AJF
    The live server doesn't have access to the right JARs? Maybe this will help?
    http://www.javahotchocolate.com/notes/jce-policy.html

  • How to add a Cipher Suite using RSA 1024 algorithm to the 'SSL Cipher Suite Order' GPO

    Following a VA test the Default Domain GPO has been set to enable the SSL Cipher Suite Order.  Following the change Symantec Endpoint Protection Manager doesn't work properly as the Home, Monitors and Reports pages are blank and an Schannel error is logged in the SEPM server's event log.
    I have spoken to Symantec and I have been told that we need to allow the RSA 1024 bit algorithm but they can't tell me which cipher suite this would be.  I have looked in the GPO setting and can't see an RSA 1024 suite but have found some in this article:
    http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
    I want to know how to add an additional cipher suite into the setting safely.  Am I able to just add the suite into the GPO setting (eg TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA) or do I need to do anything else beforehand?
    If anyone has any advice regarding this or cipher suite orders and troubleshooting SSL problems it would be much appreciated,
    Thanks
    Chris

    Hi Chris,
    Based on my research, RSA_EXPORT1024_DES_CBC_SHA is a previous cipher suite, which is supported; you can enable it using the SSL Cipher Suite Order policy setting under Administrative Templates\Network\SSL Configuration Settings.
    More information for you:
    TLS/SSL Cryptographic Enhancements
    http://technet.microsoft.com/en-us/library/cc766285(v=WS.10).aspx
    Best Regards,
    Amy

  • Usage of Security.setProperty("ssl.SocketFactory.provider",myCustomSock...)

    While using java mail API, to establish a secure connection with the target server, we use a property object to set any custom socket factory like the following:
    props.setProperty( "mail."+ protocol + ".socketFactory.class", "com.realops.adapter.mail.ssl.CustomSSLSocketFactory")
    We also set our custom socket factory in the security api like:
    Security.setProperty( "ssl.SocketFactory.provider", "com.realops.adapter.mail.ssl.CustomSSLSocketFactory");
    Just wanted to know the difference b/w these two lines.
    We pass the properties object while creating a javamail session. So it will pick the custom socket factory from the properties object, in this case do we still need to set the custom socket factory in the Security API?
    Thanks.

    Thanks for the answer.
    Can you please also tell me how Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()) is functionally different from Security.setProperty( "ssl.SocketFactory.provider",...).
    Do we always need to 'add' the provider if we are using the Sun's default socket factory or can we simple use local properties object for setting the sun's default socket factory also (assuming it is to be used by java mail only)?
    Should I post a separate thread for this?
    Much Thanks.

  • SSL cipher suites with v3

    Any way to adjust which SSL cipher suites are used with the messaging agent on version 3 of messenger? There are a few that are not compatible with our firewall and we need to disable them. It's keeping iOS clients from connecting.

    Palo Alto Networks firewall. We enforce SSL decryption on all traffic and any suite that uses Diffie-Hellman key exchange isn't supported. Has to be RSA key exchange.
    Originally Posted by ahidalgo
    Which SSL cipher suites are not compatible with your firewall, just curious. Whose firewall are you using?
    Al
    On 2/27/2015 at 9:26 PM, jarrodholder<[email protected]> wrote:
    Any way to adjust which SSL cipher suites are used with the messaging
    agent on version 3 of messenger? There are a few that are not
    compatible with our firewall and we need to disable them. It's keeping
    iOS clients from connecting.
    jarrodholder

  • What is the cipher strength of firefox 4 ?

    IE 9 tells us about the browser strength which is 256 bit cipher strength. So what is the browser strength for Firefox 4 ?

    Firefox did support 256 bit ciphers (AES-256) since 2002 in Firefox 2. IE only added that recently.
    * https://developer.mozilla.org/en/Security_in_Firefox_2
    See also:
    * https://www.fortify.net/sslcheck.html

  • Inconsistent Security Configuration - SSL

     

    The problem appears to be that the version of WLS you're using is only for
    export, not domestic.
    You should contact your account rep to discuss how to obtain a domestic
    strength kit
    Paul Patrick
    "Waldemar Thiel" <[email protected]> wrote in message
    news:[email protected]..
    Hi all
    I've got certificate for my server (WBL 5.1) and ...
    <Security> 1 certificate(s): fingerprint = b566b9920c64eb6f55d2e... -that is ok.
    <Security> WARNING: Exportable (weak) WebLogic Server build running and domestic (full) strength SSL license detected. Only exportable strength SSL connections will be accepted.
    <SSLListenThread> Inconsistent Security Configuration, java.lang.Exception: Using a domestic (full) strength certificate with an exportable (weak) strength WebLogic Server build.
    <Security> Not listening for SSL: java.io.IOException: Inconsistent Security Configuration, java.lang.Exception: Using a domestic (full) strength certificate with an exportable (weak) strength WebLogic Server build.
    What to do ? Thanks for any help.
    Waldemar Thiel
    PS. my key is 1024 length... and CA is thawte

  • What is the encryption rate/cipher strength for Firefox 3.6.13?

    need to find encryption rate

    Firefox supports TLS1.0/SSL 3.0 using (at least):
    3DES (56*3bit)(Paypal)
    RC4 (128bit)(Google , and etc)
    AES128/256(most commonly used)
    Camellia (256bit)(Geotrust, and etc)
    All of them are literally safe, with the Electronic certificate system, RSA/DH cipher key exchange methods, and SHA1 + MD5 checksum hash algorithm.
    Since SHA1 and MD5 are not strong enough, the higher version of TLS(1.1/1.2) use SHA512 instead.
    See "Transport Layer Security" on wikipedia for detailed information
    http://en.wikipedia.org/wiki/Transport_Layer_Security

  • Cannot send email via Hotmail through port 587 with Secure Connection (SSL) set

    Something is blocking my attempts to send email (with Outlook Express) via my hotmail.com account. The error I receive is as follows:
    Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'Hotmail', Server: 'smtp.live.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F
    When Hotmail.com first changed over to a POP3 server (Sept 2009), I could send emails through them using port 587, which they require. But then something happened, with no changes on my part, to disable my ability to send.
    I have checked and rechecked my Outlook Express account settings. I can send email through another third-party mail account (at 1&1 Internet.com) using port 587, which does not require setting SSL to yes. I can also ping the Hotmail SMTP server via port 587 and receive a response from it.
    I connect to Verizon DSL via a Westell 327W modem/router. Clearly it is not blocking port 587 without SSL. Does it have the capability to block SSL traffic? Or is the Verizon server the culprit, not allowing emails to be sent via Hotmail.com?
    Two different computers on my LAN have the same problem sending emails via Hotmail.com. I have tried everything the Hotmail people have suggested; at this point they think it is an ISP problem, hence this post. This problem doesn't make sense to me and is driving me crazy. Can anyone help me with this?
    Thanks.

    You can still have your reply address set to your hotmail address. And you don't have to really remember to do anything. Configure your client for the HOTMAIL account with Verizon's outgoing server. It will automatically send via Verizon. You don't reveal your verizon.net address, you are just using their server to transmit.
    If a forum member gives an answer you like, give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem.
    "All knowledge is worth having."
