Learner

Reputation: 91

How to fix "TLS Version 1.0 Protocol Detection and TLS Version 1.1 Protocol Deprecated" Nessus Scan Vulnerability

We are running our Java application on the RHEL 8.5 OS platform. In our Apache ssl.conf file, we have enabled only the TLSv1.2 protocol, and we are not using the TLSv1 and TLSv1.1 protocols in our application.

From the details below, it is confirmed that the above protocols are also disabled from an OS perspective.

update-crypto-policies --show
DEFAULT

From RHEL, it is confirmed that "The TLS versions TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level."

And from the command results below, it is confirmed that TLS 1.0 and TLS 1.1 are disabled from the application side.

[root@test ~]# openssl s_client -connect <IP_ADDRESS>:8443 -tls1
CONNECTED(00000003)
139679030896448:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1662128840
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
-----------------------------------------

[root@test ~]# nmap -sV --script ssl-enum-ciphers -p 8443 <IP_ADDRESS>
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-20 20:02 IST
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for XXXXX (IP_ADDRESS)
Host is up (0.00067s latency).

PORT     STATE SERVICE  VERSION
8443/tcp open  ssl/http Apache httpd
|_http-server-header: Apache
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
MAC Address: 00:50:56:A7:92:7B (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.90 seconds

-----------------------------------------

Please find the configuration in "ssl.conf":

SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:AES256-CCM:DHE-RSA-AES256-CCM

But we are confused as to why the Nessus scan reports the TLS 1.0 and TLS 1.1 protocol vulnerabilities even though those two protocols are disabled in every possible place.

Vulnerability details are listed below:

  1. 104743 TLS Version 1.0 Protocol Detection
  2. 157288 TLS Version 1.1 Protocol Deprecated

From the Nessus team, we came to know that port 4567 is using the ciphers below:

TLS1_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS1_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS1_CK_DHE_DSS_WITH_AES_128_CBC_SHA
TLS1_CK_DHE_DSS_WITH_AES_256_CBC_SHA
TLS1_CK_DHE_DSS_WITH_3DES_EDE_CBC_SHA

In our application, we are using port 4567 as TRUSTSTORE_PORT, where the required certificates for the application to run are downloaded.

But we enabled only the TLSv1.2 protocol. How are the TLS1 ciphers enabled?

Please let me know how to overcome these vulnerabilities.

Thanks in Advance.

Upvotes: 2

Views: 7975

Answers (1)

Znik

Reputation: 1146

Nessus is only a scanner. This situation tells you: the default tools and system services are secured, but not the Tomcat running inside the JVM. You have two ways to resolve this one:

  1. Disable old crypto protocols globally in the JVM or Tomcat. Usually it is in the JVM. You can do it in the main JVM config for all Java processes, or by specifying a variable for the JVM run. It is described here: Disabling TLSv1.0 in java8
  2. A better way is configuring Apache as a proxy to Tomcat, and completely disabling Tomcat from allowing TCP connections. You can do it via the loopback network.

Upvotes: 0
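As an added example that is not from the question or the answer: a small Java program that shows which TLS protocol versions the running JVM enables by default on a socket (the list a Java listener such as the truststore port would offer, which is what `jdk.tls.disabledAlgorithms` in `java.security` controls), and a helper that restricts a server socket created in application code to TLSv1.2/1.3 without the DSS, 3DES and SHA-1 suites Nessus reported. The class and method names are hypothetical; `listen()` assumes a keystore is supplied through the standard `javax.net.ssl.keyStore` system properties.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;

/** Hypothetical helper, not part of the poster's application; Java 8 compatible. */
public class TlsListenerHardening {

    // Versions that do not trigger Nessus plugins 104743 (TLS 1.0) and 157288 (TLS 1.1).
    private static final List<String> PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");

    // Drop the families seen on port 4567 (DSS-signed DHE suites, 3DES, SHA-1 MAC suites)
    // plus anonymous, NULL and RC4 suites.
    static boolean acceptableCipher(String suite) {
        if (suite.contains("_DSS_") || suite.contains("3DES") || suite.endsWith("_SHA")) return false;
        return !(suite.contains("_anon_") || suite.contains("_NULL_") || suite.contains("_RC4_"));
    }

    // Intersect a wish list with what the JVM supports: setProtocols/setCipherSuites
    // throw IllegalArgumentException for names the provider does not know.
    static String[] keep(String[] supported, Predicate<String> ok) {
        List<String> out = new ArrayList<>();
        for (String s : supported) if (ok.test(s)) out.add(s);
        return out.toArray(new String[0]);
    }

    static SSLParameters harden(SSLParameters p) {
        p.setProtocols(keep(p.getProtocols(), PROTOCOLS::contains));
        p.setCipherSuites(keep(p.getCipherSuites(), TlsListenerHardening::acceptableCipher));
        p.setUseCipherSuitesOrder(true); // server, not client, decides the suite
        return p;
    }

    /** Listener that only speaks TLS 1.2/1.3; the default context reads javax.net.ssl.keyStore*. */
    static SSLServerSocket listen(int port) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setSSLParameters(harden(ss.getSSLParameters()));
        return ss;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // TLSv1 or TLSv1.1 in the first list means the JVM-wide fix has not taken effect yet.
        System.out.println("enabled by default: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported at all:   " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        SSLParameters hardened = harden(ctx.getSupportedSSLParameters());
        System.out.println("after harden():     " + Arrays.toString(hardened.getProtocols()));
        System.out.println("cipher suites kept: " + Arrays.toString(hardened.getCipherSuites()));
    }
}
```

Running `main` before and after editing `jdk.tls.disabledAlgorithms` shows whether the JVM-wide change from option 1 reached the process; `harden()` is the per-socket fallback when the listener is created in application code.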
