Project

General

Profile

Actions

Feature #28611

closed

Security weakness : Forward Secrecy

Added by L'Orphelin Cyril almost 7 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Service
Target version:
-
Start date:
02/22/2018
Due date:
% Done:

0%

Estimated time:

Description

Lavoisier server does not support Forward Secrecy with the reference browsers .

Forward secrecy (FS) also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromises of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of private key. The very popular RSA key exchange doesn’t provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers.

Actions #1

Updated by L'Orphelin Cyril almost 7 years ago

  • Status changed from New to In progress
Actions #2

Updated by Schwarz Lionel almost 7 years ago

  • Category set to Service
  • Assigned To set to Schwarz Lionel

Ajout du support des ciphers suite activés par la property 'lavoisier.ssl.ciphers' dans lavoisier-service.properties:

lavoisier.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA

Par défaut, c'est la config du moteur SSL de Java qui est prise en compte.

cf https://weakdh.org/sysadmin.html rubrique Tomcat

Actions #3

Updated by Schwarz Lionel almost 7 years ago

  • Tracker changed from Bug to Feature
  • Status changed from In progress to Resolved
Actions

Also available in: Atom PDF