Rundeck SSL - weak cipher vulnerability - 3.4.9


Mark P

Jun 16, 2022, 11:06:44 AM
to rundeck-discuss
Hi All,

I am hoping this is a quick question for any Rundeck Gurus out there.

We use Qualys to confirm vulnerabilities each month and we have had the attached vulnerability raised this time round for Weak SSL/TLS Key Exchange. It has found the following and raised the issue.

PROTOCOL NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH 
TLSv1.2 DHE 1024 yes 80 low

I am trying to disable all of the DHE ciphers but it seems you can only set the ciphers you want to enable - not disable. As a quick test, when I set it to be a single cipher the vulnerability disappeared.

Is it not possible to disable ciphers - only enable? It means I will have to pass in the full list of ciphers minus the ones I don't want. Would upgrading to the latest version of Rundeck help at all?

Thanks for any help,
Mark 



qualysIssue.jpeg
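The approach described in the post above (pass the full cipher list minus the DHE suites), as an added example that is not part of the original thread and is not Rundeck code. The suite list is a constructed sample of JSSE-style names; a real list would come from the JVM running the server, and where the resulting value is set depends on the server configuration, which the thread does not show.

```python
# Build an enable-only cipher list that excludes finite-field DHE suites.
# SUPPORTED is a constructed sample, not output from any real server.
SUPPORTED = [
    "TLS_AES_256_GCM_SHA384",                   # TLS 1.3: no key exchange in name
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",    # elliptic-curve DHE: keep
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",      # finite-field DHE: drop
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",        # legacy SSL_ prefix, still DHE
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",        # signalling value, not a cipher
]


def key_exchange(suite):
    """Return the key-exchange token of a TLS 1.2-style suite name, or None.

    Names without "_WITH_" (TLS 1.3 suites, SCSV markers) carry no key
    exchange in the name, so they return None and are never filtered.
    """
    head, sep, _ = suite.partition("_WITH_")
    parts = head.split("_")
    if not sep or len(parts) < 2 or parts[0] not in ("TLS", "SSL"):
        return None
    return parts[1]


def split_suites(supported, unwanted=("DHE",)):
    """Split suites into (keep, dropped) by exact key-exchange token.

    Comparing the whole token matters: a substring test for "DHE" would
    also discard every ECDHE suite.
    """
    keep = [s for s in supported if key_exchange(s) not in unwanted]
    dropped = [s for s in supported if key_exchange(s) in unwanted]
    if not any(key_exchange(s) or s.startswith("TLS_AES") for s in keep):
        raise ValueError("no usable cipher suite left after filtering")
    return keep, dropped


def allow_list_value(supported):
    """Comma-separated value for an enable-only cipher setting."""
    return ",".join(split_suites(supported)[0])


if __name__ == "__main__":
    print(allow_list_value(SUPPORTED))
```

Re-running the scanner after applying the list confirms whether the DHE 1024 finding has cleared.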

rac...@rundeck.com

Jun 16, 2022, 11:50:00 AM
to rundeck-discuss
Hi Mark,

That's right, you can do it following this. Regarding your research, which Rundeck version are you using? Could you confirm that on the latest version? If so, please open a new issue here.

Regards!

rac...@rundeck.com

Jun 16, 2022, 11:50:47 AM
to rundeck-discuss
Oh, 3.4.9, I didn't see the message title. So, could you test against the latest version?

Mark P

Jun 17, 2022, 10:34:40 AM
to rundeck-discuss
Apologies, I didn't get an email to say you had responded. Thanks very much. 

I did try getting it to work just to prove I could but failed. I will update it to the latest version and hopefully that will resolve it.

Thanks for getting back to me.

Mark 

Mark P

Jun 20, 2022, 5:13:41 AM
to rundeck-discuss
Morning,

I have now upgraded Rundeck to the latest version - 4.3.1 - but I continue to see this vulnerability being reported by Qualys. I have raised a security vulnerability case with Rundeck in the hope they know what to do to resolve this issue.

Mark 