To remediate vulnerability "Birthday attacks against TLS ciphers with 64bit block size vulnerability

Document ID : KB000008985
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

"Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)" in our XML gateway servers. 
CVE-2016-2183 

even after updating latest patch provided, vulnerability is still there. 

 

ftp://ftp.ca.com/pub/API_Management/Gateway/Platform_Patch/v8.x/CA_API_PlatformUpdate_64bit_v8.1-RHEL-2017-09-29.L7P 

Environment:
API Gateway 9.2 / API Gateway 8.4
Cause:

caused by selecting DES ciphers

Resolution:

For port 8443 or any other port that the customer has configured a listening port for, you can edit the cipher list.

From Policy Manager's Task menu -> Transports -> Manager Listen Port -> Select port 8443 or any other HTTPS protocol port that customer would like to configure -> Click Properties -> SSL/TSL Settings tab -> Unselect last six or so ciphers that has "DES" in them  

DES option was left in for customers wanting to maintain legacy client support. Turning off DES ciphers should make the scan result much cleaner for the customer.