Medium: Weak cipher suites were detected : Perfect Forward Secrecy is not supported

Question

Medium: Weak cipher suites were detected : Perfect Forward Secrecy is not supported

manojtyagi2021 opened this issue 3 years ago · 2 comments

manojtyagi2021 commented 3 years ago

Stratos Version

4.4.0

Frontend Deployment type

Cloud Foundry Application (cf push)
Kubernetes, using a helm chart
Docker, single container deploying all components
npm run start
Other (please specify below)

Backend (Jet Stream) Deployment type

Cloud Foundry Application (cf push)
Kubernetes, using a helm chart
Docker, single container deploying all components
Other (please specify below)

Expected behaviour

AppScan DAST scan should not report Weak cipher suites were detected:Perfect Forward Secrecy is not supported vulnerability

Actual behaviour

AppScan DAST scan reports Weak cipher suites were detected :Perfect Forward Secrecy is not supported vulnerability

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io/api/v1/auth/verify.

The test result seems to indicate a vulnerability because AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed here.

The following weak cipher suites are supported by the server:
Id Name SSL Version
47 TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.2
53 TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.2
60 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
61 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
65 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.2
132 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.2
156 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
157 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
186 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS 1.2
192 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS 1.2
49232 TLS_RSA_WITH_ARIA_128_GCM_SHA256 TLS 1.2
49233 TLS_RSA_WITH_ARIA_256_GCM_SHA384 TLS 1.2
49308 TLS_RSA_WITH_AES_128_CCM TLS 1.2
49309 TLS_RSA_WITH_AES_256_CCM TLS 1.2
49312 TLS_RSA_WITH_AES_128_CCM_8 TLS 1.2
49313 TLS_RSA_WITH_AES_256_CCM_8 TLS 1.2

Log output covering before error and any error statements

Insert log hereCopy

Detailed Description

Context

Possible Implementation

Change server's supported ciphersuites

Answer 1 · 2021-08-02T09:46:45.000Z

@manojtyagi2021 What site??

Please be careful when creating issues using automated tools to first read what it produces and then apply some context.

Answer 2 · 2021-08-16T10:52:19.000Z

No response, closing.