SSL ciphers and algorithms

Hello experts,
I have a fundamental SSL question - what I want to know is whether the ciphers and algorithms mentioned in certificates are used in SSL communication or not? For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection. At what stage, which one of these from the certificate is used? Or is it that the SSL negotiation does not involve these algos and only selects from what the platform supports.

"For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection."

The certificate's own signature is checked on receipt, and the server sends another digital signature signed with its own private key which is also verified by the client, which proves that the server really owns that certificate. After that, the two sides negotiate a symmetric session key. Under some cipher suites that negotiation can also involve the server certificate. Once the session key is established the certificates and their algorithms and keytypes play no further role.
As it says in RFC 2246.
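
The split described in the answer above, as an added example that is not part of the original thread: it breaks TLS 1.0-1.2 cipher suite names (such as the two in the WebLogic reply further down) into key exchange, bulk cipher and MAC, and reports what the server certificate's key does under each. The function names, the role table and the sample offer list are constructed for illustration, and picking by client preference order is a simplifying assumption.

```python
import re

# Role of the server certificate's key pair per key-exchange method
# (TLS 1.0-1.2 names): (what the key does, key type the certificate must hold).
# The certificate's own signature algorithm (e.g. sha1RSA) never appears in a
# suite name: it is only used when the client validates the certificate chain.
CERT_ROLE = {
    "RSA":         ("decrypts the premaster secret the client encrypted to it", "RSA"),
    "DHE_RSA":     ("signs the server's ephemeral DH parameters", "RSA"),
    "ECDHE_RSA":   ("signs the server's ephemeral ECDH parameters", "RSA"),
    "DHE_DSS":     ("signs the server's ephemeral DH parameters", "DSA"),
    "ECDHE_ECDSA": ("signs the server's ephemeral ECDH parameters", "ECDSA"),
    "DH_anon":     ("none: no certificate is sent", None),
}

SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")


def parse_suite(name):
    """Split a suite name into key exchange, bulk cipher and MAC."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError("not a TLS 1.0-1.2 style suite name: %r" % name)
    kx = m.group("kx")
    export = kx.endswith("_EXPORT")
    if export:
        kx = kx[:-len("_EXPORT")]
    if kx not in CERT_ROLE:
        raise ValueError("key exchange not covered by this example: %r" % kx)
    role, key_type = CERT_ROLE[kx]
    return {
        "key_exchange": kx,
        "export_grade": export,
        "cert_key_role": role,
        "cert_key_type": key_type,
        # Negotiated from what both ends support, not read from the certificate.
        # For AEAD suites (GCM) the last token is the PRF hash, not a MAC.
        "bulk_cipher": m.group("cipher"),
        "mac": m.group("mac"),
    }


def select_suite(client_offer, server_enabled, cert_key_type):
    """Return the first client-offered suite that the server has enabled and
    whose key exchange fits the key type in the server certificate."""
    for name in client_offer:
        if name not in server_enabled:
            continue
        try:
            parsed = parse_suite(name)
        except ValueError:
            continue  # unknown naming scheme: skip rather than guess
        if parsed["cert_key_type"] == cert_key_type:
            return name
    return None  # nothing in common: the handshake fails


# Constructed sample data (not captured traffic).
CLIENT_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
SERVER_ENABLED = set(CLIENT_OFFER)

if __name__ == "__main__":
    chosen = select_suite(CLIENT_OFFER, SERVER_ENABLED, "RSA")
    print("server with an RSA certificate selects:", chosen)
    for field, value in parse_suite(chosen).items():
        print("  %-14s %s" % (field, value))
```

With an RSA certificate the ECDSA suite is skipped even though both ends enable it, which is the one place the certificate's key type constrains the negotiation.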

Similar Messages

  • Disable weak ciphers and support for all SSL protocols prior to v3.

    I am very new to Weblogic and I need a little help with the SSL configurations. I received a security audit back and discovered that Weblogic's SSL is running weak ciphers and also supporting unacceptable versions of SSL (we require a minimum of SSLv3 and need to deny connections with anything less). That said, can anyone point me in the right direction for disabling weak ciphers as well as forcing support for SSLv3 and up only for client connections. I am running Weblogic 10.3.
    Edited by: David Pulliam on Jan 26, 2011 8:31 AM

    Hi David,
    -Dweblogic.security.SSL.protocolVersion=SSL3 -> With this JAVA_OPTION, only SSL V3.0 messages are sent and accepted. So add the mentioned JAVA_OPTION in the server start script along with the below OPTION:
    -Dweblogic.security.disableNullCipher=true
    Also you can do the following in your "config.xml" to make sure that the Weblogic will not accept weak and medium weak passwords:
    <ssl>
        <enabled>true</enabled>
        <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
        <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
        <hostname-verification-ignored>true</hostname-verification-ignored>
        <listen-port>7002</listen-port>
        <server-private-key-alias>aliasHere</server-private-key-alias>
        <server-private-key-pass-phrase-encrypted>encryptedpassphraseHere</server-private-key-pass-phrase-encrypted>
    </ssl>
    Thanks
    Jay SenSharma
    http://middlewaremagic.com/weblogic (Middleware magic Is Here)

  • How To Restrict SSL Ciphers for iCal and Address Book

    Does anyone know how to set the allowed SSL ciphers for the Address Book and iCal services on Snow Leopard Server?

    Hi,
    There's a dedicated forum for Server customers.
    Good luck,
    S.

  • Remote host supports the use of SSL ciphers that offer weak encryption

    Dear All,
    Our internal security audit suggests to avoid the use of weak SSL ciphers for our SAP PI 7.0 servers.
    We have followed the SAP note 510007 - Setting up SSL on Web Application Server ABAP.
    As mentioned in point 6, we have added the below parameter in the instance profile of the application server and restarted our server, but still the issue is not resolved.
    ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
    Clients are accessing our PI server through SAP Web dispatcher.
    Kindly suggest the action to be taken to resolve the issue.
    Please find the below comment from Audit.
    The remote host supports the use of SSL ciphers that offer weak encryption.
    Note: This is considerably easier to exploit if the attacker is on the same physical network
    Regards,
    Lalitha.

    Hi Jim,
    The remote host is the PI(7.0) server.
    PI server profile
    FN_JSTART = jcontrol$(FT_EXE)
    ssl/ciphersuites = HIGH:MEDIUM:!mMD5
    jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) -exitcode %exitcode%
    login/accept_sso2_ticket = 1
    SAPSYSTEMNAME = APQ
    SAPSYSTEM = 00
    INSTANCE_NAME = DVEBMGS00
    DIR_CT_RUN = $(DIR_EXE_ROOT)/run
    DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
    jstartup/trimming_properties = off
    jstartup/protocol = on
    jstartup/vm/home = /opt/IBMJava2-amd64-142
    jstartup/max_caches = 500
    jstartup/release = 700
    jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)
    j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar
    PHYS_MEMSIZE = 512
    exe/saposcol = $(DIR_CT_RUN)/saposcol
    rdisp/wp_no_dia = 10
    rdisp/wp_no_btc = 3
    exe/icmbnd = $(DIR_CT_RUN)/icmbnd
    rdisp/j2ee_start_control = 1
    rdisp/j2ee_start = 1
    rdisp/j2ee_libpath = $(DIR_EXECUTABLE)
    exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)
    rdisp/j2ee_timeout = 1800
    rdisp/frfc_fallback = on
    icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
    icm/server_port_0 = PROT=HTTP,PORT=80$$
    # SAP Messaging Service parameters are set in the DEFAULT.PFL
    ms/server_port_0 = PROT=HTTP,PORT=81$$
    rdisp/wp_no_enq = 1
    rdisp/wp_no_vb = 1
    rdisp/wp_no_vb2 = 1
    rdisp/wp_no_spo = 1
    # Jcontrol: Migrated Profile Parameter
    #      create at Wed Mar 25 20:20:02 2009
    j2ee/instance_id = ID0079698
    Web dispatcher profile
    SAPSYSTEMNAME = WD0
    SAPSYSTEM = 00
    INSTANCE_NAME = W00
    DIR_CT_RUN = $(DIR_EXE_ROOT)/run
    DIR_EXECUTABLE = $(DIR_CT_RUN)
    wdisp/shm_attach_mode = 6
    # Accesssability of Message Server
    #rdisp/mshost = asapq00.b.com
    #ms/http_port = 8100
    #ms/https_port = 8101
    wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ
    # Configuration for medium scenario
    icm/max_conn               = 16350
    icm/max_sockets            = 32768
    wdisp/HTTPS/max_pooled_con = 16350
    icm/req_queue_len          = 8000
    icm/min_threads            = 100
    icm/max_threads            = 500
    mpi/total_size_MB          = 700
    mpi/buffer_size            = 32768
    mpi/max_pipes              = 21000
    wdisp/HTTP/max_pooled_con  = 8192
    wdisp/HTTPS/max_pooled_con = 8192
    # SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
    icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
    #icm/host_name_full= asapq00.b.com
    icm/host_name_full= qtyh2h.k.co.in
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt
    ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
    wdisp/HTTPS/dest_logon_group = PUBLIC
    wdisp/HTTPS/max_client_ip_entries = 100000
    wdisp/HTTPS/sticky_mask = 255.255.255.0
    #Additional Parameters
    wdisp/add_client_protocol_header = true
    wdisp/auto_refresh = 120
    wdisp/max_servers = 100
    wdisp/handle_webdisp_ap_header = 1
    #Registering SAP Web Dispatcher in the SLD
    #wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00
    #Parameter to avoid week SSL ciphers
    ssl/ciphersuites=HIGH:MEDIUM:!mMD5
    Regards,
    Lalitha

  • Weak SSL ciphers on Unity 5.0 server during a security scan

    Hello,
    We received information from our security team when they did a scan on our Unity server: "the remote host supports the use of SSL ciphers that offer weak encryption or no encryption at all". I have found some articles on the web (Microsoft) to edit the registry key so that nothing lower than 128 bit encryption is accepted. I am looking for a Cisco paper to agree or disagree with this. Can anyone help?
    Thank you.

    So, this isn't an uncommon security alert when you have your system scanned.  One thing to keep in mind is the placement of your server and who/what it is accessed for.  In any case, you're not likely to find a Cisco doc that references this specifically.  Instead, if you really want to move forward with making the appropriate registry changes then you'll want to open a TAC case and find out if this is supported or not.  In terms of further info on your issue:
    There is a McAfee article about making websites more secure.  It is here:  http://www.codeproject.com/KB/aspnet/MakeWebsiteMcAfeeSecured.aspx
    Your alert is referenced as follows:
    Vulnerability Name:  Weak Supported SSL Ciphers Suites
    Description
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. This vulnerability is valid for all SSL/TLS sessions that are passing sensitive information.
    PCI defines strong cryptography, for secret key based systems, as anything above 80 bit encryption.
    Solution
    The solution to this is very simple but requires registry tweak again. Following are the steps:
    Click Start, click Run, type regedt32 or type regedit, and then click OK.
    In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
    Under the Cipher key, there are several Ciphers.
    Locate the ciphers which have encryption less than 128 bit.
    Create DWORD values named Enabled and Value 0 for each of them, just as the previous case.
    For convenience, I have marked them with red arrows in the picture above.
    System Restart is NOT required for this.
    Now the server is secured.
    The above mentioned security issues are the major ones that most of the systems have. However other than this, there may be some easy and minor vulnerabilities like:
    Using robots.txt in the pages. (Generally inserted by Web Marketing team to track user hit).
    Directory Scanner: Common directories are revealed. This can be resolved by URL rewriting and setting “Directory Browsing” off.
    Note: For the above vulnerabilities, minor registry tweaks will be necessary. So it is strongly recommended to back up the registry before doing anything. By any chance if something gets messed up, just delete the SCHANNEL key and restart the machine, the key will be auto-generated.
    Hailey
    Please rate helpful posts!

  • How to change SSL ciphers on Oracle 9i?

    Setup - Windows 2003, Oracle 9.2.0.8 with Apache 1.3
    Vulnerability scan detected weak ciphers and MD5 SSL certificate installed on the server. After a looking around the server, the MD5 SSL certificate is Oracle Demo CA that gets installed in the ORACLE_HOME\Apache\conf\ssl.crt. This certificate is being used by the Oracle HTTP server. I need two things -
    - Disable SSL 2.0 and enable SSL 3.0/TLS 1.0 on Oracle Apache HTTP server
    - Delete the ssl.cert with MD5 and reissue with a stronger hashing method like SHA-256, SHA-512.

    Hi,
    I am aware about the option of change the current schema with current_schema settings but never heard that one can change the database too. Some options that struck me immediately are
    1) Connect with the same user to the other database with a different TNSnames entry.
    2) Stay in the database and use Db links to connect to the other database.
    Sorry never heard of this thing myself.
    Aman....

  • Cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.

    when Update to 10.7.2 ,I cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.
    OS:10.7.2
    Macbook Pro 2010-mid 13inch

    I also have the same problem, however if I use Firefox or Opera sites with ssl connection work fine. Still, I can't use Google Chrome (ssl), Safari (ssl), the Mac app store (generally), or the iTunes store (generally). Both the iTunes store, Safari and the app store won't respond, and Chrome displays this error: (net::ERR_TIMED_OUT). The problem persists regardless of what network I'm using. Also, when trying to access the keychain or iCloud, the process will not start (will hang). I didn't have these problems at all before updating to 10.7.2.
    Sometimes rebooting helps, and sometimes not. If the problem disappears by rebooting, then it only lasts a few minutes before it reappears. It is very frustrating, especially since there doesn't seem to be any obvious or consistent way of which to fix it.
    I'm also using a Macbook Pro 13-inch mid 2010.

  • Data Structures and Algorithms in java book

    Hi guys,
    I want to know a good book which is good for Data Structures and Algorithms in java. I am good at Core java but a beginner for Data Structures in Java. I am a little poor in Data Structures concepts.
    Following are the books I have found on the net. Could you help me the choose the best outta them.
    1. Data Structures and Algorithms in Java - Mitchell Waite
    2. Data Structures in Java - Sandra Anderson
    3. Fundamentals of OOP and Data Structures in Java - Richard Weiner & Lewis J. Pinson
    4. Object Oriented Data Structures Using Java - Nell Dale, Daniel T. Joyce, Chip Weems

    lieni wrote:
    "A good data structures book doesn't have to be language-specific." Thx DrLazlo, my speech
    Yes.
    The OP wrote:
    "I have access to these books and dont know which one to start with."
    What I meant is that you shouldn't narrow your search to insist that the book you choose have "Java" in the title.

  • SSL certificates and Web Services Usage inside Oracle Database Questions!

    We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
    Service1 is already working, and we can call the service from PL/SQL without troubles.
    However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
    Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
    - SSL Certificates:
      1- Can installed certificates in the Database put in risk the stability of the database?
      2- Can installed certificates in the Database generate performance issues?
      3- Can installed certificates reloading the Databases?
      2- Can installed certificates in the Database generate security issues?
    - Web services:
      1- Can web services calling from the Database put in risk the stability of the database?
      2- Can web services calling from the Database generate performance issues?
      3- Can web services calling from the Database generate security issues in the DMZ?
    Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
    Those are the links describing the procedure mentioned above.
    1 -http://www.kotti.es/2009/11/oracle-wallet/
    DB: Oracle 9i.
    Average number of lines in file: 300
    Periodicity: Twice at day.

    Thiago:
    You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
    I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
    http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
    Regards,
    Jason

  • SSL Accelerators and WLS???

    The web applications that I'm being asked to build will involve heavy
    use of SSL encryption thoughout. In fact, most of the user interactions
    will be handled over an SSL connection. I know what heavy SSL traffic
    can do to CPU utilization...
    One of the architectural components that we are considering is the use
    of hardware SSL accelerators. We're considering this as a way to make
    the user interaction snappier and to support more concurrent users on a
    single web/app server.
    The one that we are considering is nFast from http://www.ncipher.com/.
    It supports Netscape Enterprise on Solaris, which is our probable
    development/deployment environment. This would, of course, preclude us
    from using WLS as the web server.
    Question #1: In heavily SSL-ified web applications, does BEA reccomend
    the use of an external web server, or will WLS-as-http-server handle the
    job just as well as NES? What experiences have people had using
    WLS-as-http-server in SLL-intensive environments?
    Question #2: Are there any SSL accelerator products out there that
    support the WLS HTTP server? I doubt there are, but it couldn't hurt to
    ask.
    Question #3: By using an external web server (NES on Solaris, for
    example) is there a noticable decrease in servlet performance due to the
    fact that your servlets are now running in a separate process?
    Thanks for your feedback,
    jason

    We are using this box in production. Its very simple, it significantly
    increases load times, and it simplifies the backend architecture since you
    wont have to worry about https, every request is turned into an http
    request. Its around 13K, but I would think the benefits are worth the money
    for anything but lightly loaded sites.
    -eric
    "Herman Burema" wrote in message:
    Intel seems to have an interesting product. It's called Intel Netstructure
    7180 e-Commerce Director. It's a bit pricy. Please let me know if anyone knows
    an alternative.
    http://www.intel.com/network/products/director_7180.htm
    Russell Castagnaro wrote:
    Aren't there some products that just do all of the SSL and the server
    just
    acts like a standard http server??
    Bryan O'Sullivan wrote:
    j> me 4
    We are aware that customers want this feature, don't worry. The
    problem is that the integration between Java SSL products and hardware
    from vendors like Rainbow and NCipher is immature at the moment, so
    it's a lot of work for us to get this done.
    It is pretty high on our list, though, so you will see something just
    as soon as we've built and tested it.
    Let us pray:
    What a Great System.
    Please Do Not Crash.
    Russell Castagnaro
    Chief Mentor
    SyncTank Solutions
    http://www.synctank.com
    Earth is the cradle of mankind; one does not remain in the cradle forever
    -Tsiolkovsky

  • Need links for data structure and algorithms.

    Hi.
    I am just new to java but need to learn data structure and algorithms.
    Do your guys got any good links or bbs to learn?
    Thanx in advance

    http://www.amazon.com/exec/obidos/tg/detail/-/1571690956/ref=cm_huw_sim_1_3/104-7657019-1043968?v=glance
    http://www.amazon.com/exec/obidos/tg/detail/-/0534376681/ref=cm_huw_sim_1_4/104-7657019-1043968?v=glance
    http://www.amazon.com/exec/obidos/tg/detail/-/0672324539/ref=cm_huw_sim_1_2/104-7657019-1043968?v=glance
    http://www.amazon.com/exec/obidos/tg/detail/-/0201775786/qid=1060946080/sr=8-1/ref=sr_8_1/104-7657019-1043968?v=glance&s=books&n=507846
    $8 for the first

  • SSL Session and Connection

    What is the difference between SSL Session and Connection? I understand that session is negotiation of parameters and connections are built upon the sessions. But please help me understand how it works practically, as in when using a Any connect client or browser, how does it function.

    How about something like:
    // It appears there may be issues with TLS...
    // so to prevent it from being used, we'll be
    // specific...SSLv3
    SSLContext context = SSLContext.getInstance("SSLv3");
    // kmFactory is a KeyManagerFactory initialized elsewhere (not shown in this post)
    context.init(kmFactory.getKeyManagers(), null, null);
    SSLSocketFactory ssf = context.getSocketFactory();
    com.sun.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(ssf);
    That do ya?
    -michael

  • Vulnerabilities in SSL Ciphers Suites Discovered - WCS bug CSCsx53619

    Hi Guys,
    There is a pending issues with WCS when our AUDIT scan the WCS server running in WINDOWS 2003 the HTTPS services is running with a weak ciphers and i open a case to CISCO and provide me a bug ID CSCsx53619, WCS currently using a weak ciphers that requires to be improve and this needs to be escalated to the developer.
    regards
    Cesar

    Hi Surendra,
    Any target date of the release, like next month or Q1 of 2011.
    Thanks
    Cesar

  • Customization of service programs and algorithms

    HI Friends,
    How can I prepare customized service programs and algorithms according to our requirements in cc&b? What is the IDE that I should opt for this customization, what is the procedure that I should follow, and how can I implement these programs? Can anybody suggest to me, as I am new to cc&b.
    thanks and regards
    sivaram

    Thanks for your reply ,
    Actually I want to create my own UI and Algorithms, Business objects and maintenance object and meta data fields in ccb. I created all the meta data fields and maintenance object, know about UI. Next can I know what is the procedure to connect these UI program with BO's and MO's.
    Is any plugin available for Eclipse? If possible can you tell me in detail, if plugin available, how can I configure ccb project into Eclipse and deployment procedures. I installed CCB by using weblogic server.
    can you Help me out..
    thanks and regards
    sivaram

  • Customization of serviceprograms and algorithms

    HI Friends,
    How can I prepare customized service programs and algorithms according to our requirements in cc&b? What is the IDE that I should opt for this customization, what is the procedure that I should follow, and how can I implement these programs? Can anybody suggest to me, as I am new to cc&b.
    thanks and regards
    sivaram

    Pl indicate what this issue has to do with database installs, which is the topic of this forum. Pl re-post in a more appropriate forum.
    HTH
    Srini
