How to set strict protocol or skip weak algorithms in your integrations?

-

 Hi! 

Today I would like to share a curious story related to the integration of Jira (adoptJDK 11) and the ERP system which works on old Java 6.

You would say to me, welcome to the "blood enterprise systems".

So during our security audit, IDS detected the non-secure protocol TLSv1.1 in that inter-connected communication Jira DC and that ERP system, correctly one of the cipher suites TLS_RSA_WITH_AES_128_CBC_SHA. Yes, it's an old cipher suite, and that tutorial can be used for any other cipher suite as well. 

How we can fix it? 

  1. Set string TLS protocol for all Jira (don’t forget for all nodes), TLS1.3 , TLS1.2. And please, keep in your mind the bug (JDK-8211806 : TLS 1.3 handshake server name indication is missing on a session resume)
  2. Adjust java.security configurations

 

Below table describe the small background and default protocols in your jdk/jre: 

 

JDK 8

(March 2014 to present)

JDK 7

(July 2011 to present)

JDK 6

(2006 to end of public updates 2013)

TLS Protocols

TLSv1.2 (default)

TLSv1.1

TLSv1

SSLv3

TLSv1.2

TLSv1.1

TLSv1 (default)

SSLv3


TLS v1.1 (JDK 6 update 111 and above)

TLSv1 (default)

SSLv3

JSSE Ciphers:

Ciphers in JDK 8

Ciphers in JDK 7

Ciphers in JDK 6

Reference:

JDK 8 JSSE

JDK 7 JSSE

JDK 6 JSSE

Java Cryptography Extension, Unlimited Strength (explained later)

JCE for JDK 8

JCE for JDK 7

JCE for JDK 6

Table 1. Diagnosing TLS, SSL, and HTTPS [1]

 

How to set the strong exact protocols? 

  1. {installation_directory}/bin/setenv.sh the next line, 
CATALINA_OPTS="-Djdk.tls.server.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 ${CATALINA_OPTS}"

What we need to do if we have the next from InfoSec team:  

As part of the security scan, weak ciphers were identified and marked as ‘critical’ which require remediation. i.e. TLS_RSA_WITH_AES_128_CBC_SHA [highlighted below] to allow the project to proceed without an exception.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK         256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK             128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK       128

So how to adjust the used algorithms? Just open the java installation directory in the next path {conf}/security/java.security.

Open via vim and adjust the next line:

jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
        3DES_EDE_CBC, \
        AES_128_CBC,  AES_256_CBC

Then you can validate if you use installation without a reverse proxy. 

 

nmap -script ssl-enum-ciphers -p 443  jiratest.example.com

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 23:38 MSK
Nmap scan report for jiratest.example.com 
Host is up (0.013s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 12.16 seconds

For the inter-connection where Jira is a client, you can use tshark / wireshark to double check. 

Hope it helps.

 

Cheers,

Gonchik Tsymzhitov 

 

References:

  1. https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
  2. https://www.java.com/en/configure_crypto.html
  3. https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8211806

Comments

Post a Comment

Popular posts from this blog

Overview and practical use cases with open source tracing tool for Java Apps. Glowroot. Installation

-
Image
In that small article, you can find how to install the agent of Glowroot. Installation of the application is quite simple on agents, and this article shows a scheme for working with a built-in collector, but for industrial installations we use it with a bundle with elasticsearch. The installation can be both for individual nodes and so for the central collector. In this case, consider for a separate node. Prerequisites: {jira_home} - is location of Jira home directory. {jira_installation_directory} is the location of Jira installation directory.   Steps: Downloading the installer wget -c https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-0.13.6-dist.zip To check, create a directory via command   mkdir -p /{jira_home}/glowroot/tmp Let the Jira process write and set ownership for simplicity, but it is recommended that you just give the write ability to the owner of the Jira process. chown -R jira: /{jira_home}/glowroot We additionally set the argument to setenv.sh in
Read more

Atlassian Community, let's collaborate and provide stats to vendors about our SQL index usage

-
  Hi!  Gonchik is in touch. Today I would like to get a little bit of help from you related SQL indexes on your Jira installation (Data Center, Server edition does not matter).    I would like to share a story about  PostgreSQL  and  Jira 8.13.3  ( JSD 4.13.3 )  release.  In that post I will be happy if you answer and comment about your instance indexes, as those info can help to improve the existing situation of heavy indexes.  Typically, it starts from improvement of configuration (e.g. using  https://postgresqltuner.pl/ ),  then query analyzing, adding indexes, after removing as heavy one (shortly  https://wiki.postgresql.org/wiki/Index_Maintenance ) :)    I use like this query in PostgreSQL: SELECT s.schemaname,        s.relname AS tablename,        s.indexrelname AS indexname,        pg_size_pretty(pg_relation_size(s.indexrelid::regclass)) AS index_size,        idx_tup_read,         idx_tup_fetch,         idx_scan FROM pg_catalog.pg_stat_user_indexes s JOIN pg_catalog.pg_index i O
Read more

How only 2 parameters of PostgreSQL reduced anomaly of Jira Data Center nodes

-
Image
  Hello community, Gonchik Tsymzhitov is in touch. Today, I would like to share with you a short story about postgresqltuner.pl in usage.  So from previous articles I hope you configured the PostgreSQL server and postgresqltuner.pl.  After executing command, ./postgresqltuner.pl --ssd for ssd disks server. You can see like this output: postgresqltuner.pl version 1.0.1 [OK]      I can invoke executables Connecting to /var/run/postgresql:5432 database template1 as user 'postgres'... [OK]      The user account used by me for reporting has superuser rights on this PostgreSQL instance =====  OS information  ===== [INFO]    OS: linux Version: 5.4.17-2036.102.0.2.el8uek.x86_64 Arch: x86_64-linux-thread-multi [INFO]    OS total memory: 41.03 GB [OK]      vm.overcommit_memory is adequate: no memory overcommitment [INFO]    Running under a vmware hypervisor [INFO]    Currently used I/O scheduler(s): mq-deadline =====  General instance informations  ===== -----  PostgreSQL version  -----
Read more