rbeckman-nextgen / test-mc

test-migration

Add ability to set custom Diffie-Hellman parameters for SSL/TLS connections #3660

Open rbeckman-nextgen opened 4 years ago

rbeckman-nextgen commented 4 years ago

This came about due to the recent Logjam vulnerability: https://weakdh.org/

The main Logjam vulnerability is from export ciphers, which haven't been in our include list since 3.1.1. Even if MC isn't yet on 3.1.1, the export ciphers wouldn't be used unless the instance is still using Java 6, because those ciphers were disabled by default in Java 7.

There's also a secondary use-case, where a 1024-bit prime number communally used in the DH exchange could theoretically be broken by "nation-state resources", like the NSA. Not nearly as egregious, since the connection has to first be using one of those fixed groups, and then a group like NSA with a huge amount of resources has to have broken/discovered the private prime number used by the exchange, and then they have to care enough to spy on you.

If this secondary use-case still concerns you, you can eliminate it by removing the following cipher suites from "https.ciphersuites" in mirth.properties:

```
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
```

NOTE: It's possible that disabling the above cipher suites could cause TLS connections in your channels to stop working, if the server you're connecting to requires one of them for whatever reason.

The ideal solution would be to allow Mirth Connect to support unique, 2048-bit DH parameters, and use them in all places TLS is used.

Imported Issue. Original Details: Reporter: narupley Created: 2015-06-12T14:00:25.000-0700
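
The removal described in the issue above, as an added example that is not part of the original issue or of Mirth Connect's code: it drops export suites and the seven listed DHE suites from "https.ciphersuites" and reports what was removed, so the list can be checked against the servers your channels connect to. The function name, the sample text and the assumption that the value is a comma-separated list on a single line are illustrative.

```python
import re

# The seven suites the issue lists for removal from https.ciphersuites.
LISTED_DHE_SUITES = frozenset({
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
})
# Matches the live property line only; a commented-out copy is left alone.
KEY_LINE = re.compile(r"^(\s*https\.ciphersuites\s*[=:]\s*)(.*)$")


def harden_ciphersuites(properties_text):
    """Return (new_text, removed_export, removed_dhe) for a properties file.

    Assumption: the value is comma-separated on one line (no continuation).
    """
    removed_export, removed_dhe, out = [], [], []
    for line in properties_text.splitlines():
        match = KEY_LINE.match(line)
        if not match:
            out.append(line)  # comments and other keys pass through untouched
            continue
        kept = []
        for suite in (s.strip() for s in match.group(2).split(",")):
            if not suite:
                continue
            if "_EXPORT_" in suite:      # export-grade suites (main Logjam case)
                removed_export.append(suite)
            elif suite in LISTED_DHE_SUITES:  # secondary case from the issue
                removed_dhe.append(suite)
            else:
                kept.append(suite)
        out.append(match.group(1) + ",".join(kept))
    return "\n".join(out) + "\n", removed_export, removed_dhe


# Constructed sample input, not a real Mirth Connect default list.
SAMPLE = (
    "# constructed example\n"
    "https.port = 8443\n"
    "https.ciphersuites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,"
    "TLS_RSA_WITH_AES_128_CBC_SHA\n"
)
```
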

rbeckman-nextgen commented 4 years ago

Just FYI in case it comes up in any canned scanner reports that MC is only offering 768 bit DH params, it's probably running under Java 7. Switching to Java 8 increases that to 1024 bit.

Imported Comment. Original Details: Author: steven_kehlet Created: 2015-09-02T15:24:48.000-0700

rbeckman-nextgen commented 4 years ago

The default ephemeral DH key size since version 3.5 is now 2048: MIRTH-4116

Imported Comment. Original Details: Author: narupley Created: 2018-09-05T10:49:19.000-0700