
We need to alter the order of the SSL ciphers used by API Management so that a cipher without Diffie-Hellman is used.

We already tried to use the property SSLHonorCipherOrder, but it doesn't work.

We need to put the weaker encryption first so that BSM can monitor the packages for monitoring the requests.

The following is the information about the environment.

tomcat - tomcat-juli-7.0.73.jar

WSO2 API Manager v2.1.0

WSO2 Carbon Framework v4.4.1

  • If you want to monitor traffic from/to APIM, I believe that is not the correct approach. SSL is intended to be encrypted and it had better stay that way. Must you really decrypt SSL? (IMHO anyone taking security seriously would oppose.) If you want to read the message payloads (e.g. for WAF) you may still create a trusted proxy or log the message payload from the API mediations. – gusto2 Jan 24 '19 at 14:48
  • Yes, the app that does the monitoring doesn't work with high encryption. We need something without Diffie-Hellman. I already told him to use a trusted proxy like Apache in the layer above APIM, but they don't want to. – Leonardo Souza da Motta Jan 24 '19 at 17:06
  • There is the TLS-PSK protocol to use SSL with a preshared key, but I am not sure if you can force the Axis2 framework to use it. In theory you may configure weak ciphers only, but as far as I remember current runtimes will resist. Regardless, if someone from operations intends to compromise the traffic security, it is time to express the concerns. I suggest you do things properly (even using HTTP in a defined perimeter is more feasible than using weak ciphers). IMHO monitoring should not be able to read the plain traffic. – gusto2 Jan 24 '19 at 17:20

0 Answers