CONNECT and Glassfish Security

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

CONNECT and Glassfish Security

Nick King
Deployment:
- CONNECT 4.4.1
- GlassFish 3.1.2.2

Hi,

We have a running deployment of CONNECT and Glassfish. We're trying to configure our deployment with the communication security settings required for a production deployment running on the eHealth exchange. A recent security audit concluded we had a number of security issues that needed resolving. These included:

- allowing connections with SSL v3 which is forbidden
- advertising a list of trusted CA cert names which is not recommended as it can be useful for attackers
- accepting certificates with an invalid OU name
- only supporting TLS 1.0, but it not accepting TLS 1.1 and TLS 1.2
- supporting some weak or insecure cipher suites

(All of these items are covered in the certificate FAQ. https://ehealthexchange.kayako.com/Knowledgebase/Article/View/7/0/the-sequoia-project-x509-certificate-faq )

We have been able to fix all of these apart from the following issue:

- removing the weak ciphers disables support for TLSv1.0/v1.1
- maintaining support for TLSv1.0/v1.1 requires supporting weak ciphers disables

We updated Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 to support more stronger cipher suites. It did enable support for the following ciphers but none of them work with TLSv1.0/v1.1.

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Firstly, do you have a solution for supporting TLSv1.0/v1.1 whilst removing support for all weak cipher suites?

Secondly, we would expect not to be the only deployment experiencing these issues. Are all security requirements met by a known different deployment configuration to ours? What is the advised deployment for ensuring these security requirements are met?

Thanks and we look forward to hearing back from you.