The test result seems to indicate a vulnerability because AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed here.
The following weak cipher suites are supported by the server:
Id     Name                                SSL Version
47     TLS_RSA_WITH_AES_128_CBC_SHA        TLS 1.2
53     TLS_RSA_WITH_AES_256_CBC_SHA        TLS 1.2
65     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA   TLS 1.2
132    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA   TLS 1.2
49171  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  TLS 1.2
49172  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  TLS 1.2
Log output covering before error and any error statements
Stratos Version
4.4.0
Frontend Deployment type
Backend (Jet Stream) Deployment type
Expected behaviour
The AppScan DAST scan should not flag "SHA-1 cipher suites were detected".
Actual behaviour
The AppScan DAST scan flags "SHA-1 cipher suites were detected".
Steps to reproduce the behavior
Run an AppScan DAST scan against the Stratos URL https://ui.169.53.186.50.nip.io/api/v1/auth/verify.
Detailed Description
Context
Possible Implementation
Change the server's supported cipher suites so that the CBC/SHA-1 suites listed above are no longer offered.
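As an added example (not Stratos or Jet Stream code), this shows how a Go TLS server could restrict its cipher suites to ECDHE key exchange with AEAD bulk ciphers, plus a check that none of the six suite IDs from the AppScan table would still be negotiated. The names HardenedTLSConfig, StillAllowed and ReportedSuites are assumptions introduced here, and how Stratos actually wires its tls.Config is not described on this page.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ReportedSuites holds the six cipher-suite IDs from the AppScan finding,
// copied from the scanner table (decimal IDs 47, 53, 65, 132, 49171, 49172).
var ReportedSuites = []uint16{47, 53, 65, 132, 49171, 49172}

// HardenedTLSConfig returns a server tls.Config (hypothetical name, not from
// Stratos) that allows only ECDHE key exchange with AEAD bulk ciphers.
// None of the CBC/SHA-1 suites in the scanner table appear in this list;
// TLS 1.3 suites are fixed by Go itself and are all AEAD.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// StillAllowed reports which of the scanner's suite IDs a config would still
// negotiate. A non-empty result means the DAST finding would reappear.
func StillAllowed(cfg *tls.Config, reported []uint16) []string {
	allowed := make(map[uint16]bool, len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		allowed[id] = true
	}
	var names []string
	for _, id := range reported {
		if allowed[id] {
			// CipherSuiteName falls back to a hex string for IDs Go does
			// not implement (for example the Camellia suites).
			names = append(names, tls.CipherSuiteName(id))
		}
	}
	return names
}

func main() {
	fmt.Println("still negotiable:", StillAllowed(HardenedTLSConfig(), ReportedSuites))
}
```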