DevTest 10.3.0 Security Vulnerability - SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Document ID : KB000117194
Last Modified Date : 09/10/2018
Issue:
Need to remediate the following security vulnerabilities on a DevTest 10.3 Dev Server:

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
TLS Version 1.0 Protocol Detection 
Environment:
DevTest 10.3.0
Resolution:
Open a new support case and refer to patch_DE377266_10.3.0_GA.jar.

SE created a patch that now lets us properly configure the desired cipher suites and SSL/TLS protocol versions for our ActiveMQ brokers, which carry DevTest-to-DevTest communication, including the Registry (running on port 2010). The brokers use the cipher suites defined by the comma-delimited DevTest property "lisa.server.https.cipher.suites", the same property that explicitly defines the cipher suites used for VSE recording and playback.

Apply this patch on the machine where the Registry is running by placing it in the DEVTEST_HOME/lib/patches folder. If a patches folder does not exist, create one.

In addition:

In the bin/Registry.vmoptions file, add the following line to make sure the key size for ephemeral Diffie-Hellman is 2048 bits:

-Djdk.tls.ephemeralDHKeySize=2048 

In the local.properties file, add the "lisa.server.https.cipher.suites" property and define a list of cipher suites that does not contain any exportable cipher suites (which are one of the main causes of the Logjam attack):

lisa.server.https.cipher.suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

The Registry will have to be restarted. 

Re-scan shows this resolves this vulnerability.
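
A check of the two file edits described above that can be run before restarting the Registry. This is an added example, not part of the patch or of DevTest: the function names and sample inputs are constructed for illustration, and flagging anon and NULL suites or accepting key sizes above 2048 are assumptions that go beyond the page. It reads the property the way java.util.Properties joins continuation lines, so a stray space after a trailing backslash shows up as a truncated list.

```python
import re

PROP = "lisa.server.https.cipher.suites"
DH_OPT = "-Djdk.tls.ephemeralDHKeySize="
# Export-grade suites are the page's concern; anon and NULL are added assumptions.
WEAK_MARKERS = ("EXPORT", "_anon_", "_NULL_")

def load_property(text, key):
    """Read key=value the way java.util.Properties joins lines: only a
    backslash that is the very last character continues onto the next line.
    Simplified: '=' separator only, no escape decoding."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        line = line.lstrip()
        if not line.startswith(key + "="):
            continue
        value = line[len(key) + 1:]
        while value.endswith("\\") and i + 1 < len(lines):
            i += 1
            value = value[:-1] + lines[i].lstrip()
        return value
    return None

def audit(properties_text, vmoptions_text):
    """Return a list of findings; an empty list means both settings look right."""
    findings = []
    value = load_property(properties_text, PROP)
    if value is None:
        findings.append(f"{PROP} is not set")
    else:
        for suite in value.split(","):
            if not re.fullmatch(r"TLS_[A-Za-z0-9_]+", suite):
                findings.append(f"malformed entry {suite!r} (whitespace after a trailing backslash?)")
            elif any(m in suite for m in WEAK_MARKERS):
                findings.append(f"weak suite listed: {suite}")
    sizes = [l.strip()[len(DH_OPT):] for l in vmoptions_text.splitlines()
             if l.strip().startswith(DH_OPT)]
    if not sizes:
        findings.append(f"{DH_OPT}2048 is missing")
    elif not sizes[-1].isdigit() or int(sizes[-1]) < 2048:
        findings.append(f"ephemeral DH key size is {sizes[-1]}, expected 2048")
    return findings

# Constructed sample inputs, not taken from a real installation.
GOOD_PROPS = PROP + "=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\\\nTLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n"
BAD_PROPS = PROP + "=TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,\\ \nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n"

if __name__ == "__main__":
    print(audit(GOOD_PROPS, "-Djdk.tls.ephemeralDHKeySize=2048\n"), audit(BAD_PROPS, "-Xmx1g\n"))
```

To use it on a real installation, pass the contents of local.properties and bin/Registry.vmoptions to `audit()`.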