VMware Workspace ONE Community
DenisdeWit
Enthusiast

SEGv2 SSL Labs Capped to B

A customer of ours has tested the SEGv2 with SSL Labs. Now the SEG is capped to a B grade. In the past with the classic SEG, I could run IISCrypto and everything was fine again. But since SEGv2 is running on Java, this tool doesn't work anymore. SEGv2 is running on Windows.

According to SSL labs, the main issues are:

- TLS 1.1 is enabled
- This server does not support Forward Secrecy with the reference browsers.

Does somebody have any idea how to fix this?

I know there should be a keystore file with cipher suites, but I don't know which file I should manipulate.


Accepted Solutions
DenisdeWit
Enthusiast

Found the answer. For an A+ rating you can perform the following steps:

I have been able to get forward secrecy to work in our Java server by changing this in the java.security file:

1) Uncomment (remove #) in front of crypto.policy=unlimited

2) Set jdk.tls.disabledAlgorithms to:

   jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5, DESede, DH keySize < 1024, RSA keySize < 2048, RSA_WITH_AES_128_CBC_SHA, DHE_RSA_WITH_AES_128_CBC_SHA, RSA_WITH_AES_256_CBC_SHA, DHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA256, DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384

Obviously, the entries above are the algorithms to disable and must include all of the ones to disable because the crypto.policy is no longer limited.

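A local check for the setting in the accepted answer, added here as an example and not part of the post or of the SEGv2 product: it applies the same jdk.tls.disabledAlgorithms value in-process (equivalent to editing java.security), then lists what a server-mode JVM would still offer and flags any remaining suite without forward secrecy, i.e. both SSL Labs findings from the question. The class name TlsPolicyCheck and the forward-secrecy heuristic are my own; the result depends on the JDK version it runs on, and it describes the JVM defaults only, so it applies to SEGv2 only if the product does not set its own protocol and cipher list.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsPolicyCheck {
    // The jdk.tls.disabledAlgorithms value from the post, set in-process instead of in
    // java.security so the effect can be inspected without modifying the JDK install.
    static final String DISABLED =
        "SSLv3, TLSv1, TLSv1.1, RC4, MD5, DESede, DH keySize < 1024, RSA keySize < 2048, "
      + "RSA_WITH_AES_128_CBC_SHA, DHE_RSA_WITH_AES_128_CBC_SHA, RSA_WITH_AES_256_CBC_SHA, "
      + "DHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA256, "
      + "DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, "
      + "TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, "
      + "TLS_RSA_WITH_AES_256_GCM_SHA384";

    // Forward secrecy needs an ephemeral key exchange: (EC)DHE in a TLS 1.2 suite name, or a
    // TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*), where the exchange is always ephemeral.
    static boolean hasForwardSecrecy(String suite) {
        return suite.contains("_ECDHE_") || suite.contains("_DHE_")
            || suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_");
    }

    // Server-mode engine with the JVM's defaults after the policy is applied. The property
    // must be set before any JSSE class loads, because the constraints are read only once.
    static SSLEngine serverEngineUnderPolicy() throws Exception {
        Security.setProperty("jdk.tls.disabledAlgorithms", DISABLED);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);          // key/trust material is irrelevant for this check
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);      // server-side defaults, i.e. what a Java server offers
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = serverEngineUnderPolicy();
        List<String> protocols = Arrays.asList(engine.getEnabledProtocols());
        List<String> weak = new ArrayList<>();
        for (String suite : engine.getEnabledCipherSuites()) {
            if (!hasForwardSecrecy(suite)) weak.add(suite);
        }
        System.out.println("Enabled protocols: " + protocols);
        System.out.println("Enabled suites without forward secrecy: " + weak);
        // Both findings from the question are addressed only if this prints true.
        boolean fixed = !protocols.contains("TLSv1.1") && !protocols.contains("TLSv1") && weak.isEmpty();
        System.out.println("Findings addressed: " + fixed);
    }
}
```

Run it with the same JDK the SEGv2 service uses (java TlsPolicyCheck.java on JDK 11 or later); a non-empty "without forward secrecy" list shows which suite names in the setting did not match anything on that JDK.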