TLSv1.2 weak Cipher due to Diffie-Hellman DH key size too small
Recently some customers have reported that their vulnerability scan report a problem with Weak Ciphers used in TLSv1.2 connections, specifically some of these ciphers can negotiate a Diffie-Helman, DH key size that is only 1024 bytes.
Qualys identifies this as QID 38863 - Weak SSL/TLS Key Exchange
Authentication Manager, at least since version 8.4, has Ciphers that only allow 2048 byte DH keys, including
So as long as these Ciphers are used there is no vulnerability. As part of RSA Engineering review and update plans, new Ciphers will be evaluated and implemented into updates, currently targeted for patch 1 on AM 8.7, which is tentatively scheduled for General Availability, GA on August 23rd, 2022.
Any idea when this patch will be released? It's almost a month after the target date and still no release. Almost every other supplier has released patches for their products to fix this.
Patch 4 does not fix this issue. i just updated and tested and it still fails.
Id like to know when 8.7 patch is coming so it fixes the issue.
I have a PCI audit next week and this is an issue because i cant patch it
AM 8.7 P1 will include an updated config.xml file, which will not include the weak ciphers due to DH key size too small, and retain the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers, and introduce new Ciphers.
With AM 8.6, including P4, you would have to edit the config.xml file and comment out or delete the weak Ciphers, leaving only the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers in /opt/rsa/am/server/config/config.xml
I had raised a case about this and was not told about the 8.6 patch 4 fix, so now I have to wait for patch 1.
Is there a timeline for that release?
Can we please get an update? This patch is now pending for several months....
Our security department has advised us to move away from this product, as it takes much too long before any vulnerability is fixed. Which is pretty ironic for a product with "securID" in the name. But we still need to get this fixed.