[ST-203] TLSV1.0 PROTOCOL ENABLED - Workterra Jira

Details

Type: Enhancement
Status: Closed
Priority: Medium
Resolution: Unresolved
Component/s: BenAdmin
Labels:
- Security

Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete - Closed

Description

Vulnerability Description
Transport Layer Security (TLS) version 1.0 has been found to contain protocol-level weaknesses.

Impact
Given the theoretical nature of attacks on TLS 1.0, supporting TLS 1.0 is not a risk-oriented decision. That being said, history has shown that as cryptographic attacks age, they get stronger (i.e. easier to exploit).

Verification and Attack Information
Praetorian verified the TLS v1.0 protocol was enabled on the application server using SSLScan, an automated SSL/TLS scanning tool. The application server accepted the TLS v1.0 protocol, as shown in the images below.

Recommendation
Praetorian recommends following Mozilla’s SSL/TLS (see reference below) configuration suggestions as a guide for ciphersuite support. These configurations provide high-security and high-availability to SSL/TLS clients.

References
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://cipherli.st/
https://www.wolfssl.com/wolfSSL/Blog/Entries/2010/12/14_A_Comparison_of_TLS_1.1_and_TLS_1.2.html

Attachments

Activity

Hide

Permalink

Vijayendra Shinde (Inactive) added a comment - 31/May/16 05:59 AM

"IE 8.0 and IE 9.0 compatibilty should be removed.
Business need, As of not to be considered.

By design"

Show

Vijayendra Shinde (Inactive) added a comment - 31/May/16 05:59 AM "IE 8.0 and IE 9.0 compatibilty should be removed. Business need, As of not to be considered. By design"

People

Assignee:: Vijayendra Shinde (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 31/May/16 05:58 AM

Updated:: 20/Sep/16 06:25 AM