Obsolete Ciphers And TLS signature - Secure AEM against various SSL / TLS vulnerabilities | Community
New Participant
December 4, 2024

  • December 4, 2024
  • 2 replies
  • 1221 views

Hello,
Our security team has run an assessment with the testssl tool [0] on our website, which is served by AEM (v6.5.16), and reported that we should:
- disable the deprecated RSA+SHA1 signature algorithm
- modify the application's TLS/SSL configuration by disabling the use of obsolete ciphers. In particular, it is necessary to disable the following ciphersuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA


I had tried to apply the steps described here [1], but they seem to have no effect on the testssl.sh report. So:
1. Are the guide [1] and its steps correct?
2. Is there any other documentation that I can use to solve my problem?
3. I don't see any indication of how to "disable the deprecated RSA+SHA1 signature algorithm"; could you help me with that?


Thanks

marco


[0] https://github.com/drwetter/testssl.sh?tab=readme-ov-file
[1] https://helpx.adobe.com/uk/experience-manager/kb/secure-AEM-against-newer-SSL-TLS-attacks-AEM.html


    kautuk_sahni
    Employee
    January 7, 2025

    @marcog69313552 Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

    Kautuk Sahni
    Tethich
    New Participant
    December 4, 2024

    Hi @marcog69313552 

    Those 4 properties org.apache.felix.https.jetty.ciphersuites.* that Adobe's documentation mentions should be in "Apache Felix Jetty Based Http Service" (org.apache.felix.http).

    I am only mentioning this because Adobe's doc was not very intuitive about it, for me at least.

    Can you confirm that this is where you actually made the changes? Via the system console?


    New Participant
    December 5, 2024

    Hi @Tethich


    I am only mentioning this because Adobe's doc was not very intuitive about it, for me at least.

    Can you confirm that this is where you actually made the changes? Via the system console?


    Actually, I had tried to modify the configurations through crx/de, as mentioned here [1] (steps 3, 4, 5).

    Now I made the changes via system-console.


    Unfortunately, the testssl report still shows the cipher suites excluded through the configuration, and also the RSA+SHA1 signature algorithm.


    [1] https://helpx.adobe.com/uk/experience-manager/kb/secure-AEM-against-newer-SSL-TLS-attacks-AEM.html


    gkalyan
    New Participant
    December 6, 2024

    @marcog69313552 

    Did you get a chance to restart and verify whether your configurations took effect as per [1] in these 2 configs before retesting with the testing tool?

    https://aem-host:port/system/console/jmx/java.lang%3Atype%3DRuntime

    https://aem-host:port/system/console/configMgr/org.apache.felix.http.config


    Regarding the "RSA+SHA1 signature algorithm": once you successfully remove the mentioned cipher suites, this should be gone too.
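As an added example, not written by anyone in this thread, here is a small Python check for the retest step: it asks the server to complete a TLS 1.2 handshake with each of the four cipher suites from the original question as the only suite offered, so a configuration change can be verified directly after the restart. The host and port are command-line arguments (an assumption of this script); it checks the cipher suites only, not the signature-algorithm finding.

```python
import socket
import ssl
import sys

# The four suites flagged in the original question (IANA names, as testssl reports them).
FLAGGED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]


def iana_to_openssl(iana: str) -> str:
    """Translate an IANA suite name into the OpenSSL name that ssl.set_ciphers() expects.
    Covers the AES/Camellia/ARIA families: OpenSSL fuses algorithm and key size
    (AES_256 -> AES256), drops 'CBC', and omits a plain 'RSA' key exchange
    (TLS_RSA_WITH_AES_128_CBC_SHA -> AES128-SHA)."""
    kex, _, cipher = iana.removeprefix("TLS_").partition("_WITH_")
    out = [] if kex == "RSA" else kex.split("_")
    parts = cipher.split("_")
    i = 0
    while i < len(parts):
        if parts[i] in ("AES", "CAMELLIA", "ARIA") and i + 1 < len(parts) and parts[i + 1].isdigit():
            out.append(parts[i] + parts[i + 1])
            i += 2
        elif parts[i] == "CBC":
            i += 1
        else:
            out.append(parts[i])
            i += 1
    return "-".join(out)


def negotiates(host: str, port: int, openssl_name: str, timeout: float = 5.0) -> bool:
    """True if the server completes a TLS 1.2 handshake when this is the only suite offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # CBC suites exist only up to TLS 1.2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we probe the suite offer, not the certificate
    ctx.set_ciphers(openssl_name)    # raises SSLError if the local OpenSSL lacks the suite (a client-side problem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None
    except (ssl.SSLError, OSError):
        return False  # handshake refused: the server no longer accepts this suite


def still_offered(host: str, port: int, suites=FLAGGED_SUITES) -> list:
    """Suites the server still accepts; an empty list means the exclusion took effect."""
    return [s for s in suites if negotiates(host, port, iana_to_openssl(s))]


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for suite in still_offered(host, port):
        print("STILL OFFERED:", suite)
```

Run it as `python check_suites.py aem-host 443`; a server that only speaks TLS 1.3 also reports nothing, which is correct since these CBC suites cannot be negotiated there.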