RC4 cipher from wM

Hi Team,

I have tested my webMethods version 9.7 production server and found the following vulnerable results.

Can someone please tell me how to DISABLE this parameter in WM ("RC4 Yes WEAK")?

Protocol details
POODLE (SSLv3) Vulnerable INSECURE SSL 3: 0xa
POODLE (TLS) No
Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported
SSL/TLS compression No
RC4 Yes WEAK → How to DISABLE this parameter?
Heartbeat (extension) No

Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128

WM 9.7 components in use in our org:

  1. IS
  2. MWS
  3. Command Central
  4. Broker

Can you please tell me how to disable the RC4 parameter for the above listed components?

This must be done via an extended setting in IS.

Did you refer to the IS Admin guide for the correct setting?

watt.net.ssl.client.strongcipheronly=
watt.net.ssl.client.cipherSuiteList= << provide the list of cipherSuite that you want IS to support(without RC4 cipher) >>

watt.net.ssl.server.cipherSuiteList=

This is my current WM 9.7 IS extended setting:

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.strongcipheronly=false

When I tested my IS it still shows RC4 weak. What change do I need to perform so that RC4 gets disabled?

Hi Rajiv,

please change the following settings:

Setting (current value → new value):

watt.net.ssl.client.handshake.minVersion: sslv2 → tls
watt.net.ssl.client.strongcipheronly: false → true
watt.net.ssl.server.strongcipheronly: false → true

Restart the IS afterwards (just to be sure).

After that test the server again.
If issue still exists, please adjust the cipherSuiteLists as suggested by Mahesh.

Regards,
Holger
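Holger's recommended changes, together with Mahesh's advice to keep RC4 out of the cipher suite lists, applied as a small audit over a key=value dump of watt.* settings. This is an added example, not code from this thread or from Software AG; the sample settings are constructed from Rajiv's values as posted above.

```python
"""Audit webMethods IS extended settings for the weak SSL/TLS values discussed
in this thread: minVersion=sslv2/sslv3, strongcipheronly=false, and cipher
suite lists that explicitly include RC4 (or similarly weak) suites."""

WEAK_PROTOCOLS = {"sslv2", "sslv3"}
WEAK_SUITE_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "ANON")

# Constructed sample: Rajiv's settings as posted, before Holger's changes.
SAMPLE_SETTINGS = """
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.strongcipheronly=false
"""


def parse_settings(text: str) -> dict[str, str]:
    """Parse key=value lines as shown on the IS Extended Settings page."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit_settings(settings: dict[str, str]) -> list[str]:
    """Return one finding per weak value; an empty list means nothing was flagged."""
    findings = []
    for side in ("client", "server"):
        key = f"watt.net.ssl.{side}.handshake.minVersion"
        if settings.get(key, "").lower() in WEAK_PROTOCOLS:
            findings.append(f"{key}={settings[key]} permits SSLv2/SSLv3 handshakes; set it to tls")
        key = f"watt.net.ssl.{side}.strongcipheronly"
        if settings.get(key, "").lower() == "false":
            findings.append(f"{key}=false leaves weak suites such as RC4 enabled; set it to true")
        for key in (f"watt.net.ssl.{side}.cipherSuiteList",
                    f"watt.net.jsse.{side}.enabledCipherSuiteList"):
            suites = settings.get(key, "").split(",")
            weak = [s for s in suites if any(m in s.upper() for m in WEAK_SUITE_MARKERS)]
            if weak:
                findings.append(f"{key} explicitly lists weak suites: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(parse_settings(SAMPLE_SETTINGS)):
        print(finding)
```

Running it against the sample reports three findings (client minVersion, client and server strongcipheronly), which match the three values Holger asks to change.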

I have made the changes as suggested and performed end-to-end testing.
It looks good.

Thanks for the quick help.

If your min version is SSLv3/v2 then you are enabling SSL with vulnerability issues. Please try to shift to TLS based; the sooner the better.

HTH,
RMG

Hi All,

How to check whether the ciphers are as below:
TLS_RSA_WITH_AES_256_CBC_SHA or TLS_RSA_WITH_AES_256_CBC_SHA256

I am using wM 9.8…
I am facing a handshake issue with our partner. They upgraded to 256 and I need to change from 128 to 256. Please guide me.

Thank you…

Hi Masroor,

which wM version are you running on?

Any Fixes applied?

Can you check your extended settings for correct configuration?
See earlier post in this thread for details.

Regards,
Holger

Hi Thomsen,

I am new to wM and I need to check whether the ciphers are configured correctly, so for that I need to know how to check the ciphers.

Details are below:

webMethods Integration Server
Version 9.8.0.0
Updates IS_9.8_SPM_Fix1, IS_9.8_Core_Fix6
Build Number 247
SSL Strong (128-bit)

Thank you…

Hi Masroor,

please provide the Extended Settings as described earlier in this thread.

Additionally enable watt.net.ssl.debug and provide us the resulting error messages from the server.log after the test for further analysis.

Regards,
Holger

Hi Thomsen,

Please look below for the extended settings. I changed watt.net.jsse.server.enabledCipherSuiteList from default to TLS_RSA_WITH_AES_256_CBC_SHA256.
And now I am waiting for the test to be done by the client.

watt.core.validation.skipMandatoryFields=true
watt.net.jsse.server.enabledCipherSuiteList=TLS_RSA_WITH_AES_256_CBC_SHA256
watt.net.localhost=frdrtsueai12q.dc.ale-international.com
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.client.hostnameverification=false
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.server.cipherSuiteList=default
watt.net.ssl.server.clientHandshakeTimeout=20000
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.security.cert.wmChainVerifier.trustByDefault=true
watt.security.ssl.ignoreExpiredChains=false

Thank you