Product: FID
Version: Any version
Weak Cipher Suites: These can be verified from web.log (available at <RLI_HOME>\vds\vds_server\jetty) when the server starts.
Here is the list of weak cipher suites:
| Cipher suite | Code |
|---|---|
| TLS_RSA_WITH_AES_128_CBC_SHA | (0x002F) |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | (0x0033) |
| TLS_RSA_WITH_AES_256_CBC_SHA | (0x0035) |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | (0x0038) |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | (0x0039) |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | (0x003C) |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | (0x003D) |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | (0x0040) |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | (0x009C) |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | (0x009D) |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | (0xC004) |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | (0xC005) |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | (0xC009) |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | (0xC00A) |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | (0xC00E) |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | (0xC00F) |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | (0xC013) |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | (0xC014) |
To verify whether any of your applications is using these weak cipher suites, enable Debug SSL under Settings in the Control Panel and check vds_server.log.
The first “cipher suites” entry will be in the “ClientHello” section. The “cipher suite” that was actually used will be in the “ServerHello” section.
In vds_server.log you can also filter on “type=host_name” to find all hosts hitting FID, then check the “ClientHello” and “ServerHello” sections to see which cipher suites are negotiated between the application and FID.
It is always suggested to check with your application team whether they are using any weak cipher suites.
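The log check described above can be scripted. The following Python script is an added example, not part of the original article or the product: it assumes the Debug SSL entries in vds_server.log follow the Java JSSE debug layout that the quoted strings suggest, and the function name `audit_handshakes` and the sample log lines are constructed for illustration.

```python
import re

# Hex codes of the weak cipher suites listed in this article.
WEAK_CODES = {int(c, 16) for c in """
    002F 0033 0035 0038 0039 003C 003D 0040 009C 009D
    C004 C005 C009 C00A C00E C00F C013 C014""".split()}
SUITE = re.compile(r"(\w+)\(0x([0-9A-Fa-f]{4})\)")        # NAME(0xCODE)
SNI = re.compile(r"type=host_name\b.*?value=([^\s}]+)")   # host_name value

def audit_handshakes(log_text):
    """One record per ServerHello: host_name, weak suites offered, suite chosen."""
    results, section, host, offered = [], None, None, []
    for line in log_text.splitlines():
        if '"ClientHello"' in line:
            section, host, offered = "client", None, []
        elif '"ServerHello"' in line:
            section = "server"
        suites = [(n, int(c, 16)) for n, c in SUITE.findall(line)]
        if section == "client":
            m = SNI.search(line)
            if m:
                host = m.group(1)
            if '"cipher suites"' in line:
                offered = [n for n, c in suites if c in WEAK_CODES]
        elif section == "server" and '"cipher suite"' in line and suites:
            name, code = suites[0]
            results.append({"host": host, "offered_weak": offered,
                            "negotiated": name, "weak": code in WEAK_CODES})
            section = None
    return results

# Constructed, abridged sample (assumed JSSE-style layout, not real FID output).
SAMPLE_LOG = '''\
"ClientHello": {
  "cipher suites" : "[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
  "server_name (0)": { type=host_name (0), value=app1.example.com }
"ServerHello": {
  "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
"ClientHello": {
  "cipher suites" : "[TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013)]",
  "server_name (0)": { type=host_name (0), value=app2.example.com }
"ServerHello": {
  "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013)",
'''

if __name__ == "__main__":
    for record in audit_handshakes(SAMPLE_LOG):
        print(record)
```

Handshakes logged concurrently by several threads can interleave in the file, so pair each ClientHello with its ServerHello per thread or connection before relying on the host attribution.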