cloudfoundry / stratos

Stratos: Web-based Management UI for Cloud Foundry and Kubernetes
Apache License 2.0

Low: SHA-1 cipher suites were detected #4963

Closed manojtyagi2021 closed 3 years ago

manojtyagi2021 commented 3 years ago

Stratos Version

4.4.0

Frontend Deployment type

Backend (Jet Stream) Deployment type

Expected behaviour

AppScan DAST scan should not flag SHA-1 cipher suites were detected

Actual behaviour

AppScan DAST scan flags SHA-1 cipher suites were detected

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io/api/v1/auth/verify.

The test result seems to indicate a vulnerability because AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed here.

The following weak cipher suites are supported by the server:

Id     Name                                SSL Version
47     TLS_RSA_WITH_AES_128_CBC_SHA        TLS 1.2
53     TLS_RSA_WITH_AES_256_CBC_SHA        TLS 1.2
65     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA   TLS 1.2
132    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA   TLS 1.2
49171  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  TLS 1.2
49172  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  TLS 1.2

Log output covering before error and any error statements

Insert log here

Detailed Description

image

Context

Possible Implementation

Change server's supported ciphersuites
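Added example, not Stratos code: the issue body's "Possible Implementation" is to change the server's supported cipher suites. The block below shows what that looks like for a Go TLS server (the language the Jet Stream backend is written in), with a policy check that explains why each suite in the scanner's table fails (static RSA key exchange, CBC mode, HMAC-SHA1) and a tls.Config restricted to ECDHE + AEAD suites, which offers none of them. The six findings are copied from the issue as a constructed input; the function names are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Finding is one row of the scanner's table (ID in decimal, IANA name).
type Finding struct {
	ID   uint16
	Name string
}

// scanFindings is a constructed copy of the six suites listed in the issue.
var scanFindings = []Finding{
	{47, "TLS_RSA_WITH_AES_128_CBC_SHA"},
	{53, "TLS_RSA_WITH_AES_256_CBC_SHA"},
	{65, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"},
	{132, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"},
	{49171, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
	{49172, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
}

// Weaknesses returns the reasons a TLS 1.2 cipher suite name fails a
// forward-secrecy + AEAD policy, or nil if it passes. TLS 1.3 suite names
// (TLS_AES_*, TLS_CHACHA20_*) always pass: key exchange is ephemeral and
// all TLS 1.3 suites are AEAD.
func Weaknesses(name string) []string {
	if strings.HasPrefix(name, "TLS_AES_") || strings.HasPrefix(name, "TLS_CHACHA20_") {
		return nil
	}
	var why []string
	if !strings.Contains(name, "_ECDHE_") && !strings.Contains(name, "_DHE_") {
		why = append(why, "static RSA key exchange (no forward secrecy)")
	}
	if strings.Contains(name, "_CBC_") {
		why = append(why, "CBC mode (MAC-then-encrypt, padding-oracle history)")
	}
	if strings.HasSuffix(name, "_SHA") {
		why = append(why, "HMAC-SHA1 record MAC")
	}
	return why
}

// Audit maps every suite ID in the list that fails policy to its reasons.
func Audit(findings []Finding) map[uint16][]string {
	bad := make(map[uint16][]string)
	for _, f := range findings {
		if w := Weaknesses(f.Name); w != nil {
			bad[f.ID] = w
		}
	}
	return bad
}

// HardenedTLSConfig restricts a Go server to ECDHE + AEAD suites on
// TLS 1.2 and later. Go fixes the TLS 1.3 suite list itself, so this
// list only governs TLS 1.2 negotiation.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// Offers reports whether cfg would still negotiate the given suite ID.
func Offers(cfg *tls.Config, id uint16) bool {
	for _, s := range cfg.CipherSuites {
		if s == id {
			return true
		}
	}
	return false
}

func main() {
	cfg := HardenedTLSConfig()
	for _, f := range scanFindings {
		fmt.Printf("%5d %-36s stillOffered=%-5v %v\n",
			f.ID, f.Name, Offers(cfg, f.ID), Weaknesses(f.Name))
	}
	// Sanity check: every suite in the hardened list is one Go implements
	// and does not itself mark as insecure.
	for _, id := range cfg.CipherSuites {
		for _, s := range tls.InsecureCipherSuites() {
			if s.ID == id {
				fmt.Println("hardened list contains an insecure suite:", s.Name)
			}
		}
	}
}
```

Two caveats a practitioner would check before closing such a finding: the Camellia suites (65 and 132) are not implemented by Go's crypto/tls at all, so a Go process cannot be the component offering them; and the scanned hostname is an ingress-style name, so TLS may terminate in a load balancer or ingress in front of the backend, in which case the cipher list has to be changed there and the Go config is irrelevant to what the scanner sees.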

richard-cox commented 3 years ago

@manojtyagi2021 What site??

Please be careful when creating issues using automated tools to first read what it produces and then apply some context.

richard-cox commented 3 years ago

No response, closing.