cloudfoundry/stratos

Low: SHA-1 cipher suites were detected

manojtyagi2021 opened this issue · 2 comments

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

AppScan DAST scan should not flag "SHA-1 cipher suites were detected".

Actual behaviour

AppScan DAST scan flags "SHA-1 cipher suites were detected".

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io/api/v1/auth/verify.

The test result seems to indicate a vulnerability because AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed here.

The following weak cipher suites are supported by the server:
  Id      Name                                 SSL Version
  47      TLS_RSA_WITH_AES_128_CBC_SHA         TLS 1.2
  53      TLS_RSA_WITH_AES_256_CBC_SHA         TLS 1.2
  65      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA    TLS 1.2
  132     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA    TLS 1.2
  49171   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   TLS 1.2
  49172   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   TLS 1.2

Log output covering before error and any error statements


Detailed Description


Context

Possible Implementation

Change the server's supported cipher suites
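Added example, not Stratos or Jet Stream code: since the backend is written in Go, this shows what "change the server's supported cipher suites" looks like as a tls.Config restricted to ECDHE AEAD suites, plus an in-memory handshake that confirms a client offering only one of the suites from the table above is refused. The names hardenedTLSConfig and serverAccepts and the throwaway self-signed certificate are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Suite IDs from the AppScan table above in hex (47=0x002F, 53=0x0035, 65=0x0041,
// 132=0x0084, 49171=0xC013, 49172=0xC014); every one of them uses an HMAC-SHA1 MAC.
var reportedSuites = []uint16{0x002F, 0x0035, 0x0041, 0x0084, 0xC013, 0xC014}

// hardenedTLSConfig is an illustrative server config (assumed, not Stratos' own): TLS 1.2+
// with only ECDHE-RSA AEAD suites, so no CBC-SHA suite is left to negotiate.
func hardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
	}
}

// serverAccepts runs a TLS 1.2 handshake over an in-memory pipe with a client that
// offers only the given suite and reports whether the hardened server completes it.
func serverAccepts(suite uint16) (bool, error) {
	// Throwaway self-signed RSA certificate so the ECDHE-RSA suites are usable.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return false, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return false, err }
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	cConn, sConn := net.Pipe()
	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(sConn, hardenedTLSConfig(cert)).Handshake() }()
	client := tls.Client(cConn, &tls.Config{InsecureSkipVerify: true, // test-only: self-signed cert
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}})
	clientErr := client.Handshake()
	cConn.Close() // unblocks the server goroutine if the client gave up before sending anything
	<-srvDone
	return clientErr == nil, nil
}
```

Go's crypto/tls does not implement the two Camellia suites at all, so for 0x0041 and 0x0084 the client cannot even offer them and serverAccepts returns false for that reason; the four AES-CBC-SHA suites are refused purely by the server's allowlist.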

@manojtyagi2021 What site??

Please be careful when creating issues using automated tools to first read what it produces and then apply some context.

No response, closing.