Currently on our Windows server (Windows Server 2016), we have the following cipher suites installed:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

Still, the following security vulnerabilities are reported for our server:

  1. TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
  2. TLS/SSL Server Supports 3DES Cipher Suite <-- However there are no 3DES ciphers as listed above
  3. TLS/SSL Server Supports The Use of Static Key Ciphers

I am using Tomcat 9.0.62. How can I fix these security vulnerabilities?

Greg Askew

1 Answer

For most web services I usually simply direct people to Mozilla’s config generator at https://ssl-config.mozilla.org/#server=tomcat&version=9.0.30&config=intermediate&guideline=5.6

Under the hood what you want to achieve is to make your web server present clients only with the best cipher suites of the ones necessary to fulfill your business needs. This changes over time, of course, so it’s good to have your config tested now and again.

Mikael H
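An added example (not part of the original question or answer): a Python check that maps IANA cipher suite names to the three reported findings and runs over the list from the question. The finding labels and their mapping to suite properties are assumptions about how the scanner classifies suites; under them only the static-key finding is explained by the listed suites, so the SWEET32 and 3DES findings point to suites the scanned port offers that are not on this list.

```python
import re

# Cipher suites copied from the question (the list installed on the Windows host).
LISTED = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
""".split()

# Bulk ciphers with a 64-bit block, the precondition for SWEET32.
BLOCK64 = {"3DES", "DES", "DES40", "IDEA", "RC2"}
# Key exchanges without an ephemeral (forward-secret) key (assumed scanner rule).
STATIC_KX = {"RSA", "RSA_EXPORT", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}
# TLS_<key exchange>_WITH_<bulk cipher>_<MAC/PRF hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$")

def findings(suite):
    """Return the finding labels (hypothetical names) that one suite would trigger."""
    m = SUITE_RE.match(suite)
    if m is None:
        if suite.startswith("TLS_"):
            # TLS 1.3 names have no _WITH_: always ephemeral, AEAD only.
            return set()
        raise ValueError(f"not an IANA TLS suite name: {suite!r}")
    cipher = m["enc"].split("_")[0]      # "AES", "3DES", ...
    found = set()
    if cipher in BLOCK64:
        found.add("sweet32")
    if cipher == "3DES":
        found.add("3des")
    if m["kx"] in STATIC_KX:
        found.add("static-key")
    return found

def report(suites):
    """Group suites by finding, keeping the input order."""
    out = {"sweet32": [], "3des": [], "static-key": []}
    for suite in suites:
        for label in findings(suite):
            out[label].append(suite)
    return out

if __name__ == "__main__":
    for label, hits in report(LISTED).items():
        print(f"{label}: {hits or 'no listed suite matches'}")
```

To see which suites account for the other two findings, run `report()` over the suites the scanned port actually offers, for example the list in the scanner's own output.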