Two risky cryptographic algorithms found

[Charles1000Chen]

Describe the bug

The zhmc prometheus expoerter should not support any risky cryptographic algorithms.

Expected behavior
The two test items shoud be "OK" in testssh.sh test result.

To Reproduce
Test with testssl.sh, it will report the two issues in its test result.

Environment information

• Output of zhmc_prometheus_exporter --version:
• HMC version:

Command output

{
    "id"           : "cipher-tls1_2_xc028",
    "severity"     : "LOW",
    "finding"      : "TLSv1.2   xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
},{
    "id"           : "cipher-tls1_2_xc027",
    "severity"     : "LOW",
    "finding"      : "TLSv1.2   xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
}

Log file
<-- If possible, attach a log file generated with '--log-comp all=debug --log exporter.log'. -->

[andy-maier]

Mu Chen, I assume this is on the Prometheus port of the exporter.

Can you please send me via Slack the credential files you used in the prometheus section of the exporter's credentials file?

[andy-maier]

For info, this may be how to set ciphers: https://stackoverflow.com/a/34799338/1424462

[andy-maier]

The two ciphers are CBC ciphers that are reported by testssl.sh:

LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

This was on macOS with:

• Python 3.12.3
• OpenSSL 3.3.0
• testssl.sh 3.0.8

[andy-maier]

Solved with PR #551 .