We have a running deployment of CONNECT and Glassfish. We're trying to configure our deployment with the communication security settings required for a production deployment running on the eHealth exchange. A recent security audit concluded we had a number of security issues that needed resolving. These included:
- allowing connections with SSL v3 which is forbidden
- advertising a list of trusted CA cert names which is not recommended as it can be useful for attackers
- accepting certificates with an invalid OU name
- only supporting TLS 1.0, and not accepting TLS 1.1 and TLS 1.2
- supporting some weak or insecure cipher suites
We have been able to fix all of these apart from the following issue:
- removing the weak ciphers disables support for TLSv1.0/v1.1
- maintaining support for TLSv1.0/v1.1 requires supporting weak ciphers
We updated the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 to support stronger cipher suites. It did enable support for the following ciphers, but none of them work with TLSv1.0/v1.1.
Firstly, do you have a solution for supporting TLSv1.0/v1.1 whilst removing support for all weak cipher suites?
Secondly, we would expect not to be the only deployment experiencing these issues. Are all security requirements met by a known deployment configuration different from ours? What is the advised deployment for ensuring these security requirements are met?
Thanks and we look forward to hearing back from you.
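The conflict described in this post follows from the protocol specifications rather than from Glassfish: cipher suites with SHA-256/SHA-384 HMACs and the AEAD (GCM) suites are defined only for TLS 1.2 (RFC 5246, RFC 5288), and JSSE enforces the same, so the suites unlocked by the JCE unlimited-strength policy can never be negotiated on TLS 1.0/1.1, leaving only the older CBC/SHA-1 suites there. The following checker, an added example that is not part of the original thread or the CONNECT project, classifies a candidate Glassfish cipher list by minimum protocol and by a set of weak-suite rules; the suite list is constructed for the example and the weak-suite patterns are an assumed audit policy to adjust to your own.

```python
import re

# Constructed sample of JSSE/IANA cipher-suite names for this example.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
]

# Assumed audit policy: name -> regex over the suite name. Adjust to your audit.
WEAK_PATTERNS = {
    "RC4": r"RC4", "3DES": r"3DES", "DES": r"_DES", "NULL": r"NULL",
    "EXPORT": r"EXPORT", "anon": r"_anon_", "MD5": r"_MD5",
}

def min_protocol(suite: str) -> str:
    """Lowest protocol on which the suite can be negotiated.
    SHA256/SHA384 HMAC suites and GCM (AEAD) suites exist only in
    TLS 1.2 (RFC 5246, RFC 5288); everything else works from TLS 1.0 up."""
    if re.search(r"_GCM_|_SHA256$|_SHA384$", suite):
        return "TLSv1.2"
    return "TLSv1"

def weak_reasons(suite: str) -> list:
    """Names of the weak-suite rules the suite trips; empty means acceptable."""
    return [name for name, pat in WEAK_PATTERNS.items() if re.search(pat, suite)]

def usable_on(protocol: str, suites) -> list:
    """Non-weak suites negotiable on protocol ('TLSv1', 'TLSv1.1' or 'TLSv1.2')."""
    if protocol == "TLSv1.2":
        return [s for s in suites if not weak_reasons(s)]
    # TLS 1.0 and 1.1 share the same suite set: only pre-1.2 suites qualify.
    return [s for s in suites if not weak_reasons(s) and min_protocol(s) == "TLSv1"]

if __name__ == "__main__":
    for proto in ("TLSv1", "TLSv1.1", "TLSv1.2"):
        print(proto, usable_on(proto, SAMPLE_SUITES))
    for s in SAMPLE_SUITES:
        print(s, min_protocol(s), weak_reasons(s) or "ok")
```

Running it against your real list (for example the `ssl3-tls-ciphers` property from your Glassfish listener) shows exactly which non-weak suites remain for TLS 1.0/1.1, which in practice are the AES-CBC/SHA-1 suites; whether those satisfy the audit is a policy decision the auditor has to make.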