
Security Audit: FM Server Weakness Reported

Question asked by user28271 on Jul 31, 2018
Latest reply on Aug 8, 2018 by Koen Van Hulle

A client had a security audit and they reported the following issue:


Does anyone have experience with this?


Issue 1:

SSL/TLS Server supports TLSv1.0


The server-side SSL/TLS endpoint is configured to allow connections using TLS protocol version 1.0 which contains known weaknesses. TLS version 1.0 is vulnerable to multiple known man-in-the-middle attacks, including the BEAST and POODLE attacks. In addition, multiple standards organizations including NIST and PCI have declared that TLSv1.0 no longer provides sufficient data protection.


The server-side TLS endpoint's configuration should be updated to allow only TLSv1.2 with cipher suites that use: Ephemeral Diffie-Hellman for key exchange (optionally, allow RSA for key exchange if necessary for supporting some clients), block ciphers with key length of at least 128 bits (AES-128, AES-256), block ciphers in GCM mode (optionally, allow ciphers in CBC mode if necessary for supporting some clients), the SHA2 family of hash functions (SHA256, SHA384, SHA512) for block ciphers in CBC mode if necessary (optionally, allow SHA-1 if necessary for supporting some clients).
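Added example (not part of the original post and not FileMaker code): one way to check a scanner's output against the criteria quoted in the audit finding above. It assumes the scan reports protocols as strings like `TLSv1.2` and suites by their IANA names; `classify_suite` and `audit_endpoint` are hypothetical helper names.

```python
import re

# IANA TLS 1.2 suite names: TLS_<key exchange>_WITH_<cipher>_<hash>
SUITE_RE = re.compile(r"^TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)_(SHA\d*)$")

def classify_suite(name):
    """Return (verdict, notes); verdict is 'preferred', 'fallback' or 'reject'."""
    m = SUITE_RE.match(name)
    if not m:
        return "reject", ["unrecognised suite name"]
    kx, enc, digest = m.groups()
    notes = []  # each note is one of the audit's "optional" allowances in use
    if kx.split("_")[0] not in ("DHE", "ECDHE"):
        if kx != "RSA":
            return "reject", ["key exchange %s is neither ephemeral DH nor RSA" % kx]
        notes.append("RSA key exchange (no forward secrecy)")
    aes = re.fullmatch(r"AES_(128|256)_(GCM|CBC)", enc)
    if not aes:
        return "reject", ["cipher %s is not AES-128/256 in GCM or CBC mode" % enc]
    if aes.group(2) == "CBC":
        notes.append("CBC mode")
    if digest == "SHA":  # IANA names write SHA-1 as plain "SHA"
        notes.append("SHA-1")
    elif digest not in ("SHA256", "SHA384", "SHA512"):
        return "reject", ["hash %s is outside SHA-1/SHA-2" % digest]
    return ("fallback" if notes else "preferred"), notes

def audit_endpoint(protocols, suites):
    """Findings for one endpoint: disallowed protocols and per-suite verdicts."""
    return {
        "bad_protocols": [p for p in protocols if p != "TLSv1.2"],
        "suites": {s: classify_suite(s)[0] for s in suites},
    }

if __name__ == "__main__":
    # Constructed scan result, not taken from any real server.
    report = audit_endpoint(
        ["TLSv1.0", "TLSv1.2"],
        ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_RSA_WITH_AES_128_CBC_SHA",
         "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    )
    print(report)
```

A `fallback` verdict means the suite is only acceptable under one of the finding's "if necessary for supporting some clients" allowances; the notes say which.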