Disabling weak ciphers in Restlet

I've been working on making my server PCI (Payment Card Industry) compliant.

When my site is scanned one of the vulnerabilities reported is that my site allows the use of weak SSL ciphers.  

I've been looking through the documentation for jsslutils and SSLContextFactory; but I don't understand how I'm suppose to disable the 40 and 56 bit ciphers.

For reference I'm running on Ubuntu 8.04 TLS, openjdk-1.6, and restlet 1.1.5, and my sslContextFactory is com.noelios.retlet.util.DefaultSslContextFactory

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2408421

Hi,

You should be able to select the cipher suites you want explicitly
(otherwise, the default ones will be used) by setting the
"enabledCipherSuites" and/or "disabledCipherSuites" attributes on your
instance of Server.
These attributes should contain a array of Strings (for example
"TLS_RSA_WITH_AES_128_CBC_SHA").


Best wishes,

Bruno.


Timothy Aanerud wrote:
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2408516

Thanks!
Three comments:
1. I ended up using
parameters.add("enabledCipherSuites", aStringOfCiphers)

At this level the ciphers are in a single string separated by a space.  They eventually end up as array

2. I wasn't able to use "disabledCipherSuites" because deep down in HttpsServerHelper.start() it takes the list of enabled ciphers converts it from String[] to List<String> then starts removing the the disabled ones. After removing items the List<String> is converted back to a String[].  

But this conversion didn't work correctly:

enabledCipherSuites = enabledCipherSuitesList
    .toArray(enabledCipherSuites);

enabledCipherSuites started with 18 elements, I removed the last for, and when inspected the final result, the String array still had 18 elements, but the 14th one was null.   The call to serverSocket.setEnabledCipherSuites(enabledCipherSuites); fails due to a null.

3. The names of Ciphers reported by OpenSSL are not the same as the ones reported by HttpsUtils.getEnabledCipherSuites();  In my case I'm use the SimpleHTTP server.  By some trial and error testing I was able to identify the weak ciphers.

But other that; disabling the weak ciphers was easy.  Just one variable declaration and one line of code. :-)
--
Timothy

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2408588

Hi Timothy,

Thanks for reporting back your experience. In order to track the remaining
issues with "disableCipherSuites", I've just entered a report:

"Unable to use "disabledCipherSuites" with HTTPS"
http://restlet.tigris.org/issues/show_bug.cgi?id=930

Please feel free to add comment or contribute a fix if possible.

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com



-----Message d'origine-----
De : Timothy Aanerud [mailto:[hidden email]]
Envoyé : dimanche 18 octobre 2009 00:54
À : [hidden email]
Objet : RE: Re: Disabling weak ciphers in Restlet

Thanks!
Three comments:
1. I ended up using
parameters.add("enabledCipherSuites", aStringOfCiphers)

At this level the ciphers are in a single string separated by a space.  They
eventually end up as array

2. I wasn't able to use "disabledCipherSuites" because deep down in
HttpsServerHelper.start() it takes the list of enabled ciphers converts it
from String[] to List<String> then starts removing the the disabled ones.
After removing items the List<String> is converted back to a String[].  

But this conversion didn't work correctly:

enabledCipherSuites = enabledCipherSuitesList
    .toArray(enabledCipherSuites);

enabledCipherSuites started with 18 elements, I removed the last for, and
when inspected the final result, the String array still had 18 elements, but
the 14th one was null.   The call to
serverSocket.setEnabledCipherSuites(enabledCipherSuites); fails due to a
null.

3. The names of Ciphers reported by OpenSSL are not the same as the ones
reported by HttpsUtils.getEnabledCipherSuites();  In my case I'm use the
SimpleHTTP server.  By some trial and error testing I was able to identify
the weak ciphers.

But other that; disabling the weak ciphers was easy.  Just one variable
declaration and one line of code. :-)
--
Timothy

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=24085
88

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2413657