Imperva Cyber Community


SSL Certificate

  • 1.  SSL Certificate

    Posted 07-07-2020 07:32
    Dear Team,

    While working with the support team on some cases related to TRP, we came to know that the gateway does not support the SHA384 signature algorithm. Imperva Gateway only supports SHA256 and SHA.

    The workaround is to get a new signed certificate for the web server which is signed using SHA256.

    Whereas if we check the supported ciphers, we can see the following ciphers are supported by Imperva.

    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_GCM_SHA384

    Please help to understand the difference here.

    Also, I want to understand the requirements that I can share with the customer so the customer can purchase and provide us the appropriate SSL certificate.

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------


  • 2.  RE: SSL Certificate

    Posted 07-07-2020 08:39
    Edited by Christopher Detzel 07-07-2020 08:39
    @Pankaj Chouhan

    Thank you for your question. SHA384 in TLS_RSA_WITH_AES_256_GCM_SHA384 stands for the 'message authentication algorithm' (i.e. for each message sent between the parties). Each certificate is signed and then hashed by the 'signature hash algorithm'.

    We do support SHA384 for the 'message authentication algorithm'.
    We do not support the SHA384 'signature hash algorithm'.

    We are going to support SHA384 for both cases in ABR mode (next generation of TRP).

    This was also presented as part of the Webinar we hosted (Webinar: WAF Gateway (formerly SecureSphere WAF) – What's New and What's on the Roadmap 2020). Advanced Bridge is planned for Nov this year and Beta is available now, if you want to participate. Just let us know. 


    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: SSL Certificate

    Posted 07-08-2020 01:18
    Hi Christopher,

    Thanks for the valuable information.

    Can we ask the customer to provide us the SSL certificate that is signed using SHA256 or SHA only?
    Will it be a right way to ask?


    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------



  • 4.  RE: SSL Certificate

    Posted 07-08-2020 08:34
    @Pankaj Chouhan, I spoke to one of our engineers, and he said: The customer should load to the MX an SSL key pair. The signature of the certificate that belongs to the key pair must be hashed by SHA256 or SHA only.

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 5.  RE: SSL Certificate

    Posted 07-09-2020 07:41
    Hi Christopher,

    Thanks for the valuable info.

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------



  • 6.  RE: SSL Certificate

    Posted 07-09-2020 10:31
    Pankaj,

    Make sure that you check prior to loading into your SecureSphere TRP that all parts of the certificate chain are SHA256... i.e. that the intermediates are also SHA256. These should all be fully chained together minus the root, in the correct order, then uploaded to the SS appliance with the associated private key. You can manually check what is applied to the server when TRP is off. If it is public facing, you can also use tools such as the Qualys scanner to check the details of the SSL certificate and that it conforms to industry best practices.

    I would recommend that once you apply it to TRP that you also run a rescan with one of the SSL checker tools and ensure that it is applied correctly to SS. You should also see the alerts go down if it is applied with a fully supported chain.

    As Chris mentioned the upcoming versions of SS will fix this issue.

    ------------------------------
    Jason Park
    County of Los Angeles
    CA
    ------------------------------
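As an added example (not part of Jason's reply, and not an Imperva tool), the following POSIX shell script performs the pre-upload check described above: it lists the signature hash algorithm of every certificate in a PEM bundle and fails if any member is not SHA-256 signed. It assumes the openssl CLI is installed and builds its own constructed sample bundles with self-signed certificates standing in for chain members.

```shell
# Added example, not from the thread or from Imperva: report the signature
# hash algorithm of every certificate in a PEM bundle, the check described
# above for a chain before it is loaded into TRP. Needs the openssl CLI.

# Print one line per certificate: "<position> <signature algorithm> <subject>".
chain_sig_algs() {
    bundle="$1"
    tmp=$(mktemp -d)
    # Split the bundle so each certificate lands in its own file, in order.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/" n ".pem")}' "$bundle"
    for f in "$tmp"/*.pem; do
        pos=$(basename "$f" .pem)
        # First "Signature Algorithm:" line of -text output is the issuer's signing algorithm.
        alg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm:/{print $3; exit}')
        subj=$(openssl x509 -in "$f" -noout -subject)
        printf '%s %s %s\n' "$pos" "$alg" "$subj"
    done
    rm -rf "$tmp"
}

# Exit 0 only if every certificate in the bundle is signed with a SHA-256
# based algorithm; a single SHA-384 signed intermediate fails the check.
chain_is_sha256() {
    chain_sig_algs "$1" | awk 'tolower($2) !~ /sha256/ {bad=1} END {exit bad+0}'
}

# Constructed sample data: self-signed certificates standing in for chain
# members. $1 = digest (sha256 or sha384), $2 = CN, $3 = output PEM path.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3" \
        -days 1 -subj "/CN=$2" "-$1" >/dev/null 2>&1
}

# Write a mixed bundle (SHA-256 leaf, SHA-384 intermediate) to $1 and an
# all-SHA-256 bundle to $2, mirroring the two situations in the thread.
build_demo_bundles() {
    d=$(mktemp -d)
    make_selfsigned sha256 leaf.example "$d/leaf.pem"
    make_selfsigned sha384 intermediate.example "$d/inter384.pem"
    make_selfsigned sha256 intermediate.example "$d/inter256.pem"
    cat "$d/leaf.pem" "$d/inter384.pem" > "$1"
    cat "$d/leaf.pem" "$d/inter256.pem" > "$2"
    rm -rf "$d"
}

# Demo: list the mixed bundle and give the verdict.
mixed=$(mktemp); clean=$(mktemp)
build_demo_bundles "$mixed" "$clean"
chain_sig_algs "$mixed"
chain_is_sha256 "$mixed" && echo "all SHA-256: OK for TRP" || echo "non-SHA256 signature in chain"
```

Run `chain_is_sha256 bundle.pem` against the real leaf-plus-intermediates file (root excluded, as the post advises) before uploading it together with its private key.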



  • 7.  RE: SSL Certificate

    Posted 07-10-2020 02:45
    Hi Jason,

    Thanks for the valuable info.
    I have seen, with an application running in TRP, that the certificate chain we have deployed is a combination of SHA256 and SHA384.
    Still, the application is running fine while TRP is enabled.
    But when I checked on the online tool sslshopper.com, it is showing a broken certificate chain there.
    Is it because the certificate has a combination of SHA256 and SHA384?

    Please help to understand this...

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------



  • 8.  RE: SSL Certificate

    Posted 07-10-2020 10:34
    Yes, that is correct.

    Depending on your CA, you may have to request specially provisioned certificates that have a full chain in SHA256 (including the intermediates). Our CA has been able to enable this option for us until the new version of SecureSphere can support the SHA384 chains in TRP.

    ------------------------------
    Jason Park
    County of Los Angeles
    CA
    ------------------------------



  • 9.  RE: SSL Certificate

    Posted 07-13-2020 02:17
    Hi Jason,

    Thanks for the info.

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------



  • 10.  RE: SSL Certificate

    Posted 12-09-2020 09:23
    Hi Chris, is DHE_RSA_WITH_AES_256_GCM_SHA384 supported in TRP in version 13.5?

    ------------------------------
    Edwin Bompart
    IQSEC
    CDMX
    ------------------------------



  • 11.  RE: SSL Certificate

    Posted 12-09-2020 09:32
    Hi Edwin,

    One way to check all the cipher suites that are supported is to check them in the MX. You can go to: Setup -> Global objects -> SSL Settings.



    Best regards



    --
    Freddy Brito
    freddy.brito@daitek.com.ar

    Avda Corrientes 3360 Piso 12

    C1193AAS - CABA - Argentina

    t + 54 11 5275 9710 | c +54 11 9 2653 9420 

    info@daitek.com.ar | www.daitek.com.ar






  • 12.  RE: SSL Certificate

    Posted 12-09-2020 09:38
    Also... I'm sharing part of the guide for web security.


    Regards 

    --
    Freddy Brito




    Attachment: Web Security.pdf (645 KB)


  • 13.  RE: SSL Certificate

    Posted 12-09-2020 10:04
    Edited by Edwin Bompart 12-09-2020 10:06
    In alerts I see the following:

    ------------------------------
    Bompart
    CDMX
    ------------------------------



  • 14.  RE: SSL Certificate

    Posted 12-09-2020 16:26
    Bompart,


    I'm sharing with you a document from the KB.


    Best regards



    --
    Freddy Brito






  • 15.  RE: SSL Certificate

    Posted 07-13-2020 12:05
    Hi

    Probably you already know it, but I consider it helpful to share this picture:


    Regards


    ------------------------------
    Freddy Brito
    Daitek S.A.
    CABA AGU
    ------------------------------