Mantis - Resin
Viewing Issue Advanced Details
6051 major always 04-25-17 05:20 04-25-17 13:42
VasumathiN  
ferg  
normal  
closed 4.0.49  
fixed  
none    
none 4.0.52  
0006051: Diffie-Hellman group vulnerability
We are using Resin 4.0.49. How do we resolve the vulnerabilities given below in the Resin server?
1) Diffie-Hellman group smaller than 2048 bits
2) Diffie-Hellman group smaller than 1024 bits

Notes
(0006749)
stbu   
04-25-17 12:10   
I'm not a Caucho employee, but I have been a Resin user for 14+ years. I would recommend these three system properties in your resin.xml within the <cluster>:

  <cluster id="app">
    ...
    <!-- Java 8 JSSE Settings -->
    <system-property jdk.tls.ephemeralDHKeySize="2048"/>
    <system-property jdk.tls.rejectClientInitiatedRenegotiation="true"/>
    <system-property sun.security.ssl.allowUnsafeRenegotiation="false"/>
    <system-property sun.security.ssl.allowLegacyHelloMessages="false"/>
    ...
  </cluster>

All four of these system properties are related to improving your JSSE SSL/TLS setup.
I'll also reply on bug 0006052. You might want to test your setup afterwards with https://www.ssllabs.com/ssltest/analyze.html
Our setup, using Java 8 and JSSE, receives a grade A.
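
Added example (not part of the original thread and not Caucho's code): a local check for the two findings in this issue, which reads the "Server Temp Key" line that `openssl s_client` prints and classifies the DH group size against the 1024-bit and 2048-bit thresholds. It assumes OpenSSL 1.0.2 or later; the function names, the result labels and the sample text are made up for this illustration.

```shell
#!/bin/sh
# Added example: classify the ephemeral key a TLS server offers, using the
# "Server Temp Key" line printed by `openssl s_client` (assumed: OpenSSL 1.0.2+).

# Read s_client output on stdin and print "<type> <bits>", e.g. "DH 1024".
# Handles both "DH, 1024 bits" and "ECDH, P-256, 256 bits" forms.
dh_temp_key() {
  sed -n 's/^Server Temp Key: \([A-Za-z0-9]*\),.* \([0-9][0-9]*\) bits.*$/\1 \2/p' |
    head -n 1
}

# Read "<type> <bits>" on stdin and print one verdict matching the scanner
# findings in this issue (group smaller than 1024 / smaller than 2048 bits).
classify_dh() {
  kind=""; bits=""
  read -r kind bits || true          # empty input leaves both variables empty
  if [ -z "$kind" ]; then
    echo "no-ephemeral-key"          # no temp key line: no (EC)DHE negotiated
  elif [ "$kind" != "DH" ]; then
    echo "not-dhe"                   # ECDHE or similar: findings do not apply
  elif [ "$bits" -lt 1024 ]; then
    echo "fail-below-1024"
  elif [ "$bits" -lt 2048 ]; then
    echo "fail-below-2048"
  else
    echo "ok"
  fi
}

# Live check against your own server: force a TLS 1.2 DHE suite so the server
# has to reveal its DH group size. Usage: check_host <host> <port>
check_host() {
  openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 -cipher 'DHE' \
    </dev/null 2>/dev/null | dh_temp_key | classify_dh
}

# Constructed s_client excerpt (not captured from a real server).
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_WEAK" | dh_temp_key | classify_dh
```

Run `check_host` before and after setting `jdk.tls.ephemeralDHKeySize` and restarting Resin; the verdict should move from a `fail-` result to `ok`.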
(0006751)
stbu   
04-25-17 12:16   
BTW: You might need to apply the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files"

Obtainable from:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
(0006752)
ferg   
04-25-17 13:42   
Updated default properties at runtime.