Connectrix, SANnav: Vulnerability Reported in SANnav Server's Port 18082 With ID ssl-weak-message-authentication-code-algorithms
Summary: This issue is seen when Connectrix SANnav is scanned for vulnerabilities and weak ciphers are detected. The schema registry uses port 18082.
Instructions
Below is the weak cipher list detected in the scan report:
- DHE-RSA-AES128-SHA
- DHE-RSA-AES256-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
Steps to replace the weak ciphers:
- Stop the SANnav services using the stop-sannav.sh script (/storage/SANnav/Portal_2.3.0_bld315/stop-sannav.sh).
- Copy the nginx_ssl_conf_sr file (/storage/SANnav/Portal_2.3.0_bld315/conf/nginx/nginx_ssl_conf_sr) to a location outside the SANnav home directory and keep it as a backup.
- Remove the weak ciphers listed above from the ssl_ciphers directive in the nginx_ssl_conf_sr file (/storage/SANnav/Portal_2.3.0_bld315/conf/nginx/nginx_ssl_conf_sr) and save the file.

  Before the change:

    nginx_ssl_server_ip_address;
    server_name spectre_ssl_sr;
    ssl_password_file /etc/nginx/secrets/sannav-secret;
    ssl_certificate sannav-cert.pem;
    ssl_certificate_key sannav-cert.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!DSS';
    ssl_dhparam dhparam.pem;

  After the change:

    nginx_ssl_server_ip_address;
    server_name spectre_ssl_sr;
    ssl_password_file /etc/nginx/secrets/sannav-secret;
    ssl_certificate sannav-cert.pem;
    ssl_certificate_key sannav-cert.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_dhparam dhparam.pem;
    ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:!DSS';

- Start the SANnav services using start-sannav.sh (/storage/SANnav/Portal_2.3.0_bld315/start-sannav.sh)
- Wait 15-20 minutes for the services to come up.
- Run the scanner again and check whether the issue is still observed.
- If the issue still exists, share the scanner report and SANnav full Supportsave and engage the Broadcom team for further investigation.
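
A pre-restart check for the edited ssl_ciphers value, added here as an example (not Dell or Broadcom code): it reports which of the four scanned suites are still named in the string and which the local OpenSSL still enables once aliases are expanded. The function and constant names are assumptions, and the sample configuration text is constructed from the edited value shown above.

```python
import re
import ssl

# The four suites from the article's scan report (CBC mode with a SHA-1 MAC).
WEAK = {"DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
        "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA"}

# ssl_ciphers value as it stands after the article's edit, aliases included.
EDITED = (
    "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:"
    "TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:"
    "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:!DSS"
)

def cipher_string(conf_text):
    """Return the value of the ssl_ciphers directive from nginx config text."""
    m = re.search(r"ssl_ciphers\s+(['\"]?)([^;'\"]+)\1\s*;", conf_text)
    if not m:
        raise ValueError("no ssl_ciphers directive found")
    return m.group(2).strip()

def named_weak(cipher_str):
    """Weak suites that are still listed by name in the string."""
    return sorted(WEAK & {tok.strip() for tok in cipher_str.split(":")})

def enabled_weak(cipher_str):
    """Weak suites OpenSSL still enables after expanding aliases in the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_str)  # unknown tokens are ignored by OpenSSL
    return sorted(WEAK & {c["name"] for c in ctx.get_ciphers()})

if __name__ == "__main__":
    # Constructed sample; on the server, read the nginx_ssl_conf_sr file instead.
    conf = "ssl_protocols TLSv1.3 TLSv1.2;\nssl_ciphers '%s';\n" % EDITED
    value = cipher_string(conf)
    print("still listed by name:", named_weak(value))
    print("still enabled after alias expansion:", enabled_weak(value))
```

The expansion reflects the OpenSSL build that Python is linked against, so run it on a host whose OpenSSL matches the one nginx uses. Aliases such as AES256+EECDH and AES256+EDH match CBC/SHA-1 suites as well as GCM ones, so a suite can remain enabled after its name is deleted; an explicit exclusion term (for example `!ECDHE-RSA-AES256-SHA`) removes it.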
Additional Information
Weak ciphers from schema-registry exist in Connectrix SANnav versions 2.2.x and 2.3.x.
Affected Products
Connectrix SANnav
Article Properties
Article Number: 000218386
Article Type: How To
Last Modified: 03 Jun 2025
Version: 3