CONNECT and Glassfish Security

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

CONNECT and Glassfish Security

Nick King
- CONNECT 4.4.1
- GlassFish


We have a running deployment of CONNECT and Glassfish. We're trying to configure our deployment with the communication security settings required for a production deployment running on the eHealth exchange. A recent security audit concluded we had a number of security issues that needed resolving. These included:

- allowing connections with SSL v3 which is forbidden
- advertising a list of trusted CA cert names which is not recommended as it can be useful for attackers
- accepting certificates with an invalid OU name
- only supporting TLS 1.0, but it not accepting TLS 1.1 and TLS 1.2
- supporting some weak or insecure cipher suites

(All of these items are covered in the certificate FAQ. )

We have been able to fix all of these apart from the following issue:

- removing the weak ciphers disables support for TLSv1.0/v1.1
- maintaining support for TLSv1.0/v1.1 requires supporting weak ciphers disables

We updated Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 to support more stronger cipher suites. It did enable support for the following ciphers but none of them work with TLSv1.0/v1.1.


Firstly, do you have a solution for supporting TLSv1.0/v1.1 whilst removing support for all weak cipher suites?

Secondly, we would expect not to be the only deployment experiencing these issues. Are all security requirements met by a known different deployment configuration to ours? What is the advised deployment for ensuring these security requirements are met?

Thanks and we look forward to hearing back from you.