Hello,
Our security team has run an assessment with the testssl tool [0] on our website provided with AEM (v6.5.16) and reported that:
- disable the deprecated RSA+SHA1 signature algorithm
- modify the application's TLS/SSL configuration by disabling the use of obsolete ciphers. In particular, it is necessary to disable the following ciphersuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
I had tried to apply the steps described here [1], but they seem not to have any effect on the testssl.sh report. So,
1- are the guide [1] and its steps correct?
2- is there any other documentation that I can use to solve my problem?
3- I don't see any indication about how to "disable the deprecated RSA+SHA1 signature algorithm"; could you help me with that?
Thanks
marco
[0] https://github.com/drwetter/testssl.sh?tab=readme-ov-file
[1] https://helpx.adobe.com/uk/experience-manager/kb/secure-AEM-against-newer-SSL-TLS-attacks-AEM.html
Those 4 properties org.apache.felix.https.jetty.ciphersuites.* that Adobe's documentation is mentioning should be in Apache Felix Jetty Based Http Service (org.apache.felix.http).
I am only mentioning this because Adobe's doc was not very intuitive about it, for me at least.
Can you confirm this is where you actually made the changes? Via system console?
Hi @Tethich
I am only mentioning this because Adobe's doc was not very intuitive about it, for me at least.
Can you confirm this is where you actually made the changes? Via system console?
Actually, I had tried to modify the configurations through CRX/DE as mentioned here [1] (steps 3, 4, 5).
Now I made the changes via system console.
Unfortunately the testssl report still shows the cipher suites excluded through the configurations, and also the RSA+SHA1 signature algorithm.
[1] https://helpx.adobe.com/uk/experience-manager/kb/secure-AEM-against-newer-SSL-TLS-attacks-AEM.html
Did you get a chance to restart & verify if your configurations took effect as per [1] in these 2 configs before retesting with the testing tool?
https://aem-host:port/system/console/jmx/java.lang%3Atype%3DRuntime
https://aem-host:port/system/console/configMgr/org.apache.felix.http.config
Regarding "RSA+SHA1 signature algorithm": once you successfully remove the mentioned cipher suites, this should be gone too.
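One way to judge a retest against the configured exclusions, as an added example that is not from this thread or from Adobe/Felix code: a Python script that reads the ciphersuites.excluded property from a constructed org.apache.felix.http OSGi config and a constructed testssl.sh JSON report, and lists any excluded suite the server still offers; the RSA+SHA1 item is reported separately because testssl takes it from the handshake signature algorithms rather than from the cipher list. The testssl id strings, host and sample values are assumptions.

```python
"""Cross-check the Felix Jetty cipher-suite exclusion list against a testssl.sh
JSON report: which excluded suites are still offered, and whether RSA+SHA1 is
still listed as a handshake signature algorithm (independent of the suites)."""
import json
import re

# Constructed sample of the org.apache.felix.http OSGi .config (the property name
# is the real Felix one; the four suites are the ones from the assessment).
OSGI_CONFIG = r'''
org.apache.felix.https.enable=B"true"
org.apache.felix.https.jetty.ciphersuites.excluded=["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
'''

# Constructed sample in the shape of `testssl.sh --jsonfile` output (a list of
# {id, ip, port, severity, finding}). The id strings are assumed and vary by
# version, so the checks below key on the finding text, not on the id.
TESTSSL_JSON = json.dumps([
    {"id": "cipher-tls1_2_xc028", "ip": "aem.example/203.0.113.10", "port": "443",
     "severity": "LOW", "finding": "TLSv1.2 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
    {"id": "cipher-tls1_2_xc02f", "ip": "aem.example/203.0.113.10", "port": "443",
     "severity": "OK", "finding": "TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    {"id": "FS_sigalgs", "ip": "aem.example/203.0.113.10", "port": "443",
     "severity": "INFO", "finding": "ECDSA+SHA256 ECDSA+SHA384 RSA+SHA256 RSA+SHA384 RSA+SHA1"},
])

EXCLUDED_RE = re.compile(r'org\.apache\.felix\.https\.jetty\.ciphersuites\.excluded=\[(.*?)\]')


def parse_excluded(config_text):
    """Suites listed in ciphersuites.excluded (OSGi String[] syntax: ["a","b"])."""
    m = EXCLUDED_RE.search(config_text)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()


def offered_suites(report):
    """IANA suite names (TLS_...) appearing in the report's cipher findings."""
    suites = set()
    for entry in report:
        if entry.get("id", "").startswith("cipher"):
            suites.update(re.findall(r'\bTLS_[A-Z0-9_]+', entry["finding"]))
    return suites


def rsa_sha1_offered(report):
    """True if any finding still lists RSA+SHA1 among the signature algorithms."""
    return any(re.search(r'\bRSA\+SHA1\b', e["finding"]) for e in report)


def check(config_text, report_json):
    """Excluded-but-still-offered suites plus the RSA+SHA1 status, for a retest verdict."""
    report = json.loads(report_json)
    still = parse_excluded(config_text) & offered_suites(report)
    return {"still_offered": sorted(still), "rsa_sha1": rsa_sha1_offered(report)}


if __name__ == "__main__":
    print(check(OSGI_CONFIG, TESTSSL_JSON))
```

If still_offered is non-empty after a restart, the exclusion is not reaching the listener that testssl is hitting (for instance a TLS-terminating dispatcher or load balancer in front of AEM), which narrows where to look next.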
Hi @gkalyan
Did you get a chance to restart & verify if your configurations took effect as per [1] in these 2 configs before retesting with the testing tool?
https://aem-host:port/system/console/jmx/java.lang%3Atype%3DRuntime
https://aem-host:port/system/console/configMgr/org.apache.felix.http.config
Yes of course, the configs are correctly applied.
Is there any type of "cached" config at the dispatcher level that I can check?
@marcog69313552 Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!