Obsolete Ciphers And TLS signature - Secure AEM against various SSL / TLS vulnerabilities

Forum|Forum|1 year ago
December 4, 2024
2 replies
1223 views

Hello,
Our security team has runned an assessment with testssl tool [0] on our website provided with AEM (v6.5.16) and reported that:
- disable the deprecated RSA+SHA1 signature algorithm
- modify the application's TLS/SSL configuration by disabling the use of obsolete ciphers. In particular, it is necessary to disable the following ciphersuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I had try to apply the steps described here [1] but seem they not to be have effect on testssl.sh report. So,
1- the guide [1] and steps are correct?
2- there are any other documentation that i can use to solve my problem?
3- i don't see any indication about how to "disable the deprecated RSA+SHA1 signature algorithm", could you help me with that?

Thanks

marco

[0] https://github.com/drwetter/testssl.sh?tab=readme-ov-file
[1] https://helpx.adobe.com/uk/experience-manager/kb/secure-AEM-against-newer-SSL-TLS-attacks-AEM.html

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Tethich

Community Advisor

Hi @marcog69313552

Those 4 properties org.apache.felix.https.jetty.ciphersuites.* that Adobe's documentation is mentioning, should be in Apache Felix Jetty Based Http Serviceorg.apache.felix.http

I am only mentioning this because Adobe's doc was not very intuitive about it, for me at least.

Can you confirm is here where you actually made the changes ? Via system console ?

M

marcog69313552Author

Hi @Tethich

I am only mentioning this because Adobe's doc was not very intuitive about it, for me at least.
Can you confirm is here where you actually made the changes ? Via system console ?

actually i had try to modify the configurations through crx/de like mentioned here [1] (step 3, 4, 5).

Now I made the changes via system-console.

Unfortunately the testssl report still has the cipher suites excluded through configurations and also RSA+SHA1 signature algorithm.

[1] https://helpx.adobe.com/uk/experience-manager/kb/secure-AEM-against-newer-SSL-TLS-attacks-AEM.html

gkalyan

Community Advisor and Adobe Champion

@marcog69313552

Did you get a chance to restart & verify if your configurations took effect as per [1]

in these 2 configs before retesting with testing tool?

https://aem-host:port/system/console/jmx/java.lang%3Atype%3DRuntime

https://aem-host:port/system/console/configMgr/org.apache.felix.http.config

Regarding "RSA+SHA1 signature algorithm", Once you successfully remove the mentioned cipher suites, this should be gone too.

kautuk_sahni

Community Manager

@marcog69313552 Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded