Application Security and Its Importance

In today's digital business landscape, web applications have become inviting targets for attackers. According to Verizon's 2018 Data Breach Investigations Report, 25 percent of data breaches targeted web applications. Every day, new hacks and attacks are deployed to exploit security vulnerabilities in web applications. With new vulnerabilities being disclosed at a rate most organizations cannot keep up with, it is not surprising that application security has emerged as one of the leading factors affecting a company's brand perception.

That is why the ADSelfService Plus team patches identified vulnerabilities and security loopholes as soon as they are detected in the product. The list below describes the application security issues that were found in ADSelfService Plus, from newest to oldest, and how each was addressed. If you edit any XML files to apply a fix, restart ADSelfService Plus so the changes take effect.

Issues and fixes:

  • Log4j dependency (CVE-2021-44228)
  • Domain user exposure (CVE-2021-20147)
  • Domain password policy exposure (CVE-2021-20148)
  • Authentication bypass (CVE-2021-40539)
  • E-mail MIME injection (CVE-2021-37420)
  • Boolean SQL injection (CVE-2021-37422)
  • Account takeover via machine account creation (CVE-2021-37424)
  • Server-side request forgery (SSRF) attack in the high availability environment (CVE-2021-37419)
  • Account takeover issue (CVE-2021-37927)
  • Remote code execution using PowerShell injection (CVE-2021-33055)
  • CAPTCHA bypass vulnerability (CVE-2021-37417)
  • Cross-Site-Scripting attack (CVE-2021-27956)
  • Reflected Cross-Site-Scripting attack (CVE-2021-37416)
  • Database application information exposure (CVE-2021-31874)
  • Admin portal access restriction bypass via X-Forwarded-For header (CVE-2021-37421)
  • Unauthenticated remote code execution during password change function (CVE-2021-28958)
  • Fixed ciphering keys (CVE-2019-7161)
  • Improper authorization (ZVE-2020-4164)
  • Unauthenticated remote code execution (CVE-2020-11552)
  • ManageEngine product integrations bypassing authentication
  • Remote code execution vulnerability
  • Predictable handshake key vulnerability
  • Authentication bypass in ADSelfService Plus
  • XSS vulnerability due to mobile app API
  • SSRF vulnerability
  • Injection vulnerability in Windows and Linux login agents
  • XML external entity vulnerability
  • HttpOnly flag missing from cookies
  • Exploiting the unused HTTP methods
  • Vulnerabilities in the older versions of jQuery
  • Unrestricted file upload vulnerability
  • Server-side request forgery vulnerability
  • Reflected XSS vulnerability
  • Bypassing client-side validations
  • Information leakage through comments
  • Fingerprinting the web server
  • Simultaneous session logins
  • Cross-site scripting (XSS) vulnerabilities
  • Cross-site request forgery (CSRF) vulnerability
  • Cross-frame scripting (XFS)/Clickjacking
  • Weak cache policy or server cache policy
  • MIME-SNIFFING
  • Insecure wildcard cross-origin resource sharing (CORS)
  • Browser auto-complete issue
  • Missing HTTPOnly flag and secure flag in the session cookies
  • SHA1WithRSA vulnerabilities
  • Session fixation
  • SQL Injection through framework build
  • Weak SSL cipher

Log4j dependency (CVE-2021-44228)

Severity: Critical

A vulnerability in the Apache Log4j library (Log4Shell) allows unauthenticated remote code execution through JNDI lookups triggered by attacker-controlled strings that reach a log message.

Fix: Dependency on the Log4j library has been removed completely.

ADSelfService Plus fixed this vulnerability in build 6119.

Note: The Log4j library is required if you have enabled RSA SecurID as an authenticator for ADSelfService Plus' MFA feature. For more details refer to this post.

Domain user exposure (CVE-2021-20147)

Severity: Medium

This vulnerability in the ChangePasswordAPI process allows an unauthenticated remote attacker to determine whether a given Windows domain user exists (user enumeration).

ADSelfService Plus fixed this vulnerability in build 6116.

Domain password policy exposure (CVE-2021-20148)

Severity: Medium

When ADSelfService Plus is configured with multiple Windows domains, a user from one domain can obtain the password policy of another domain by authenticating to the service and then requesting the password policy file of the other domain.

Fix: Direct access to the domain password policy HTML file is now restricted for all users.

ADSelfService Plus fixed this vulnerability in build 6116.

Authentication bypass (CVE-2021-40539)

Severity: High

This vulnerability allows an authentication bypass on certain REST API URLs, which could lead to a takeover of the machine hosting ADSelfService Plus.

Fix: API validation has been strengthened and insecure APIs have been removed.

ADSelfService Plus fixed this vulnerability in build 6114.

E-mail MIME injection (CVE-2021-37420)

Severity: Critical

This vulnerability allows unauthenticated attackers to send emails with arbitrary content to domain users by sending specially crafted requests to the "/RestAPI/PasswordSelfServiceAPI" endpoint.

Fix: Data sent to the "ACTION_TO_PERFORM" parameter is validated against a defined whitelist of accepted actions and the unknown actions are blocked.

ADSelfService Plus fixed this vulnerability in build 6112.

Boolean SQL injection (CVE-2021-37422)

Severity: High

This vulnerability allows Boolean-based SQL injection against the Oracle database configured for password synchronization: when an account is manually linked to the database, unsanitized user input is concatenated into the SQL query. Because the application only reveals whether the query matched, the injection can be used to infer, and thereby exfiltrate, information stored in the database one true/false answer at a time.

Fix: Special characters are properly sanitized before the string is added into the SQL query.

ADSelfService Plus fixed this vulnerability in build 6112.
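The following is an added example, not ADSelfService Plus code, showing why a Boolean yes/no answer is enough to exfiltrate data and why the fix is a bind parameter rather than character filtering. The table, rows and the "is this account linked?" lookup are constructed stand-ins; sqlite3 is used so the example runs offline, but the injection and the fix are the same for an Oracle driver that supports bind parameters.

```python
import sqlite3
from typing import Callable, Tuple

# Constructed stand-in for the "link account to database" lookup (not product code).

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE linked_accounts (ad_user TEXT, db_user TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO linked_accounts VALUES (?, ?, ?)",
        [("alice", "ALICE_DB", "s3cr3t"), ("bob", "BOB_DB", "hunter2")],  # constructed rows
    )
    return conn

def account_linked_vulnerable(conn: sqlite3.Connection, ad_user: str) -> bool:
    """The bug: the user-supplied name is spliced into the SQL text, so the caller
    controls the WHERE clause. The function only reveals True/False, which is all a
    Boolean-based injection needs."""
    sql = f"SELECT 1 FROM linked_accounts WHERE ad_user = '{ad_user}'"
    return conn.execute(sql).fetchone() is not None

def account_linked_safe(conn: sqlite3.Connection, ad_user: str) -> bool:
    """The fix: a bind parameter. The value is never parsed as SQL, whatever it contains."""
    sql = "SELECT 1 FROM linked_accounts WHERE ad_user = ?"
    return conn.execute(sql, (ad_user,)).fetchone() is not None

Probe = Callable[[sqlite3.Connection, str], bool]

def secret_starts_with(conn: sqlite3.Connection, probe: Probe, victim: str, prefix: str) -> bool:
    """One Boolean question: does the victim's secret start with `prefix`?
    The payload closes the string literal and ORs in a subquery; the attacker only
    observes whether the lookup reports the account as linked."""
    payload = (
        "x' OR (SELECT secret FROM linked_accounts WHERE ad_user = '"
        + victim + "') LIKE '" + prefix + "%"
    )
    return probe(conn, payload)

def extract_secret(conn: sqlite3.Connection, probe: Probe, victim: str,
                   alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789",
                   max_len: int = 16) -> str:
    """Recover the secret one character at a time by repeating the Boolean question.
    Against the parameterised query every probe is False and nothing is recovered."""
    found = ""
    for _ in range(max_len):
        for ch in alphabet:
            if secret_starts_with(conn, probe, victim, found + ch):
                found += ch
                break
        else:
            break
    return found

def run_demo() -> Tuple[str, str]:
    """Returns (what the vulnerable lookup leaks, what the safe lookup leaks)."""
    conn = make_db()
    return (
        extract_secret(conn, account_linked_vulnerable, "alice"),
        extract_secret(conn, account_linked_safe, "alice"),
    )

if __name__ == "__main__":
    print(run_demo())
```

The point of `extract_secret` is that nothing in the response body is needed: the attacker drives the whole extraction through the single bit the application exposes, which is why "the query returns no data" is not a mitigation and escaping quotes is only a partial one.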

Account takeover via machine account creation (CVE-2021-37424)

Severity: High

This vulnerability can lead to domain administrator account takeover because the product strips leading whitespace from the username field. An attacker creates a machine account named " Administrator" (with a leading space) and uses it to log in to ADSelfService Plus. Once the whitespace is stripped, the attacker is logged in as "Administrator", the domain administrator account, and can alter the enrollment information saved in the product, change the domain administrator's password, and compromise the AD domain.

Fix: Leading and trailing whitespace characters are no longer stripped from the supplied username. Where the username is inserted into an LDAP search filter, leading and trailing spaces are properly encoded.

ADSelfService Plus fixed this vulnerability in build 6112.
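The following added example (not ADSelfService Plus code) shows how the username becomes an LDAP search filter with and without the whitespace stripping described above. The two-entry directory, the `resolve` lookup and the choice to hex-escape leading and trailing spaces as `\20` are assumptions made for the example; the other escapes are the RFC 4515 filter escapes.

```python
import re
from typing import Optional

DIRECTORY = {  # constructed: sAMAccountName -> description
    "Administrator": "built-in domain administrator",
    " Administrator": "attacker-created machine account (leading space)",
}

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of the characters that have meaning inside a filter, plus
    hex-escaping (backslash-20) of leading and trailing spaces so they survive as data."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    escaped = "".join(specials.get(ch, ch) for ch in value)
    lead = len(escaped) - len(escaped.lstrip(" "))
    core = escaped.strip(" ")
    trail = len(escaped) - lead - len(core)
    return r"\20" * lead + core + r"\20" * trail

def user_filter_vulnerable(username: str) -> str:
    """The bug: whitespace is stripped first, so ' Administrator' and 'Administrator'
    produce the same filter and resolve to the same directory object."""
    return f"(sAMAccountName={ldap_filter_escape(username.strip())})"

def user_filter_hardened(username: str) -> str:
    """The fix: the name is used exactly as supplied; only the encoding changes."""
    return f"(sAMAccountName={ldap_filter_escape(username)})"

_FILTER = re.compile(r"^\(sAMAccountName=(.*)\)$")

def _unescape(value: str) -> str:
    # Reverse the \XX hex escapes so the lookup compares raw attribute values.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def resolve(search_filter: str) -> Optional[str]:
    """Minimal stand-in for the directory lookup: exact match on the decoded value."""
    m = _FILTER.match(search_filter)
    if not m:
        return None
    return DIRECTORY.get(_unescape(m.group(1)))

if __name__ == "__main__":
    for build in (user_filter_vulnerable, user_filter_hardened):
        f = build(" Administrator")
        print(f"{build.__name__}: {f} -> {resolve(f)}")
```

With the vulnerable builder the machine account's login resolves to the built-in administrator; with the hardened builder it resolves to the attacker's own machine account, which is all it should ever be able to act as.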

Server-side request forgery (SSRF) attack in the high availability environment (CVE-2021-37419)

Severity: High

This vulnerability allows an unauthenticated attacker to send POST requests to the /servlet/ADSHACluster endpoint of the ADSelfService Plus primary server in a high availability setup and make the server issue requests to an attacker-chosen URL (SSRF). Parameters can also be injected through the POST request body.

Fix: Data provided in the haAuthKey and MASTER_SERVER_URL JSON parameters is sanitized. In addition, MASTER_SERVER_URL should be validated against a whitelist of permitted servers, or the endpoint restricted to authorized users.

ADSelfService Plus fixed this vulnerability in build 6112.

Account takeover issue (CVE-2021-37927)

Severity: High

This vulnerability allows an attacker to intercept the samlResponse value returned by the identity provider during SAML SSO login, modify the email ID in the NameID field, and take over another user's account, because the response was accepted without a valid signature.

Fix: SAML signature verification is now enforced.

ADSelfService Plus fixed this vulnerability in build 6110.

Remote code execution using PowerShell injection (CVE-2021-33055)

Severity: High

An attacker can exploit discrepancies between how the quote character in user-supplied parameters is encoded and decoded to achieve remote code execution through PowerShell injection, both unauthenticated and authenticated.

Fix: All parameter values are base64-encoded before being passed to PowerShell.

ADSelfService Plus fixed this vulnerability in build 6105.

CAPTCHA bypass vulnerability (CVE-2021-37417)

Severity: Medium

This vulnerability allows users to bypass the CAPTCHA on the ADSelfService Plus login page by adding the EXCLUDE_CAPTCHA parameter to the /j_security_check URL, which enables brute-force attacks.

Fix: The EXCLUDE_CAPTCHA parameter is no longer processed by the login endpoint.

ADSelfService Plus fixed this vulnerability in build 6104.

Cross-Site-Scripting attack (CVE-2021-27956)

Severity: High

In rare cases, the email address field used in the employee search feature may lead to cross-site scripting attacks.

Fix:

  • All user-controlled content is encoded before being reflected back to users.
  • < is replaced with &lt;, and the same applies to other characters such as ", >, and ;.

ADSelfService Plus fixed this vulnerability in build 6104.

Reflected Cross-Site-Scripting attack (CVE-2021-37416)

Severity: Medium

This vulnerability makes ADSelfService Plus prone to a reflected cross-site scripting attack via the single_signout parameter of the /LoadFrame endpoint, potentially leading to takeover of the victim's account.

Fix: Special characters are encoded before the string is inserted into the HTML.

ADSelfService Plus fixed this vulnerability in build 6104.

Database application information exposure (CVE-2021-31874)

Severity: High

In rare cases, attackers can expose information about the database application configured for password synchronization by manipulating the HOST_NAME parameter sent when linking accounts with that database.

Fix: The HOST_NAME parameter supplied by the user is ignored; the HOST_NAME value the administrator provided during application configuration is used instead.

ADSelfService Plus fixed this vulnerability in build 6104.

Admin portal access restriction bypass via X-Forwarded-For header (CVE-2021-37421)

Severity: Medium

ADSelfService Plus allows IT administrators to restrict admin portal access based on IP addresses. An attacker can bypass this control by sending an "X-Forwarded-For" header set to a whitelisted IP address.

Fix: The content of the X-Forwarded-For header is no longer used as the source IP address, since the client can set it to any value.

ADSelfService Plus fixed this vulnerability in build 6104.
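If the server does sit behind a reverse proxy, ignoring X-Forwarded-For entirely would make every client look like the proxy, so the practical rule is to trust the header only when the TCP peer is one of your own proxies and to take the address that proxy appended. The following added example (not ADSelfService Plus code) shows the vulnerable and the hardened lookup side by side; `TRUSTED_PROXIES`, the allowlist and all addresses are assumptions made for the example.

```python
import ipaddress
from typing import Optional, Sequence

# Assumption for the example: the reverse-proxy tier lives in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip_vulnerable(remote_addr: str, xff: Optional[str]) -> str:
    """The bug: X-Forwarded-For is believed unconditionally, so the TCP peer can claim
    any address simply by sending the header."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr

def client_ip_hardened(remote_addr: str, xff: Optional[str]) -> str:
    """Trust the header only when the TCP peer is one of our own proxies, then walk the
    chain from the right: each proxy appends the address it accepted the connection from,
    so the rightmost entry that is not a trusted proxy is the real client. Anything further
    left was written by the client itself and is ignored."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted_proxy(hop):
                return hop
        except ValueError:
            break  # malformed entry: stop trusting the chain
    return remote_addr

def admin_portal_allowed(remote_addr: str, xff: Optional[str], allowlist: Sequence[str]) -> bool:
    """The IP restriction, evaluated on the hardened client address."""
    ip = ipaddress.ip_address(client_ip_hardened(remote_addr, xff))
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowlist)

if __name__ == "__main__":
    # A direct client on the internet spoofing an internal address.
    print(client_ip_vulnerable("203.0.113.5", "192.168.1.10"))  # believes the spoof
    print(client_ip_hardened("203.0.113.5", "192.168.1.10"))    # keeps the socket peer
```

Note that the hardened version still depends on the proxy being configured to append the peer address rather than pass the incoming header through untouched; that is a proxy configuration check, not something the application can verify.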

Unauthenticated remote code execution during password change function (CVE-2021-28958)

Severity: High

This vulnerability arises from improper sanitization of the double-quote character when a user's password change is performed through PowerShell scripts, making the scripts prone to injection and remote code execution.

Fix: Special characters are properly encoded before the string is added into PowerShell script.

ADSelfService Plus fixed this vulnerability in build 6102.
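Both this issue and CVE-2021-33055 above come from placing user input inside a PowerShell string literal, where a stray quote ends the literal and the rest of the input is parsed as code. The following added example (not ADSelfService Plus code) builds a password-reset command the injectable way and then with the base64 transport the fixes describe; the `Set-ADAccountPassword` invocation, the variable names and the payload are assumptions made for the example.

```python
import base64

def build_command_vulnerable(sam_account: str, new_password: str) -> str:
    """User input is interpolated into PowerShell string literals. A double quote in the
    input closes the literal and whatever follows is parsed as PowerShell code."""
    return (
        f'Set-ADAccountPassword -Identity "{sam_account}" -Reset '
        f'-NewPassword (ConvertTo-SecureString -AsPlainText "{new_password}" -Force)'
    )

def to_ps_base64(value: str) -> str:
    """Encode as UTF-16LE so that [Text.Encoding]::Unicode.GetString restores it exactly."""
    return base64.b64encode(value.encode("utf-16-le")).decode("ascii")

def from_ps_base64(value: str) -> str:
    return base64.b64decode(value).decode("utf-16-le")

PS_DECODE = "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{}'))"

def build_command_hardened(sam_account: str, new_password: str) -> str:
    """Each value travels as base64 and is decoded inside PowerShell into a variable.
    The base64 alphabet (A-Z, a-z, 0-9, +, /, =) contains no quote, $, ;, backtick or
    parenthesis, so the data can never terminate the single-quoted literal it sits in."""
    return (
        f"$u = {PS_DECODE.format(to_ps_base64(sam_account))}; "
        f"$p = {PS_DECODE.format(to_ps_base64(new_password))}; "
        "Set-ADAccountPassword -Identity $u -Reset "
        "-NewPassword (ConvertTo-SecureString -AsPlainText $p -Force)"
    )

def statement_count(command: str) -> int:
    """Rough tokenizer for the example (ignores backtick escapes): counts statements by
    splitting on ';' outside single or double quotes. For the hardened builder the
    result is independent of the input; for the vulnerable one it grows with it."""
    quote = None
    count = 1
    for ch in command:
        if quote is None and ch in ("'", '"'):
            quote = ch
        elif ch == quote:
            quote = None
        elif ch == ";" and quote is None:
            count += 1
    return count

if __name__ == "__main__":
    payload = '"; Start-Process calc.exe; "'  # constructed injection payload
    print(build_command_vulnerable("jdoe", payload))
    print(build_command_hardened("jdoe", payload))
```

The example addresses injection only: the encoded password still appears on the PowerShell command line, so in production the script should be fed through stdin or a file and the secret passed over a channel that does not show up in process listings.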

Fixed ciphering keys (CVE-2019-7161)

Severity: High

This vulnerability arose because ADSelfService Plus used hard-coded encryption keys to protect information, so an attacker who obtained the keys could decrypt any protected data.

Fix:

  • Upgraded the Mickeylite Framework.
  • Added instance-specific ADS Secret Keys.

ADSelfService Plus fixed this vulnerability in build 6100.

Improper authorization (ZVE-2020-4164)

Severity: Medium

This vulnerability caused improper authorization of end-user actions.

Fix: Proper authorization checks have been added for end-user actions.

ADSelfService Plus fixed this vulnerability in build 6100.

Unauthenticated remote code execution (CVE-2020-11552)

Severity: High

This vulnerability occurs because the product does not properly enforce user privileges associated with the Windows certificate dialog. An unauthenticated attacker can use it to remotely execute commands with system-level privileges on the target Windows host.

Fix: A custom control page has been created so that the certificate-related security alerts that caused the problem are no longer shown.

ADSelfService Plus fixed this vulnerability in build 6003.

ManageEngine product integrations bypassing authentication

Severity: High

This vulnerability allows attackers to integrate with other ManageEngine products, bypassing the authentication check.

Fix: Unauthorized calls have been restricted.

ADSelfService Plus fixed this vulnerability in build 5817.

Remote code execution vulnerability

Severity: High

This vulnerability allows a remote attacker to compromise vulnerable systems. It exists because of insufficient validation of user-supplied input: a remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.

Fix: Disabled access to the endpoint /cewolf.

ADSelfService Plus fixed this vulnerability in build 5815.

Predictable handshake key vulnerability

Severity: Medium

This vulnerability allows a remote attacker to predict the handshake key and compromise vulnerable systems.

ADSelfService Plus fixed this vulnerability in build 5815.

Authentication bypass in ADSelfService Plus

Severity: High

This vulnerability allows an attacker to gain access to a computer's File Explorer through the ADSelfService Plus login agent by using self-signed SSL certificates.

Fix: The vulnerability has been resolved by enabling the RESTRICT_BAD_CERT flag by default.

ADSelfService Plus fixed this vulnerability in build 5814.

XSS vulnerability due to mobile app API

Severity: Medium

This reflected XSS in the mobile app API allows an attacker to exploit the trust users place in the application: the attacker can masquerade as a user, perform any action the user can perform, and access the user's data.

Fix: The reflected content is escaped so that it is not parsed as HTML.

ADSelfService Plus fixed this vulnerability in build 5708.

SSRF vulnerability

Severity: Medium

Server-side request forgery (also known as SSRF) is a vulnerability that allows an attacker to induce a server-side application to send HTTP requests to an arbitrary domain chosen by the attacker. This can result in access to data inside the company, either in the insecure application itself or in other back-end systems that the application communicates with.

ADSelfService Plus fixed this vulnerability in build 5703.

Injection vulnerability in Windows and Linux login agents

Severity: High

This vulnerability allows an attacker with physical access to a Windows or Linux computer to exploit the ADSelfService Plus login agent and gain SYSTEM-level privileges on it.

Fix:

  • Internet Explorer components that are not required are blocked.
  • All services run as a limited local user.
  • Content is hosted locally, and web APIs are used to transmit data.

A security update has been released to fix this vulnerability.

ADSelfService Plus fixed this vulnerability in build 5802.

XML external entity vulnerability

Severity: High

XML external entity injection (XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. It can let an intruder read files on the application server's file system and interact with any back-end or external systems the application can reach.

Fix: The vulnerable JAR files have been replaced with patched versions. ADSelfService Plus fixed this vulnerability in build 5701.

HttpOnly flag missing from cookies

Severity: Low

Without the HttpOnly flag, cookies can be read by client-side script, so a cross-site scripting bug can be turned into theft of the session cookie and hijacking of the session.

Fix: ADSelfService Plus includes the HttpOnly flag in cookies. When a client-side script attempts to read the cookie, the browser returns an empty string as a result. ADSelfService Plus fixed this vulnerability in build 5520, on May 31, 2018.

Exploiting the unused HTTP methods

Severity: Low

HTTP methods that an application does not need, such as TRACE, PUT, DELETE, and OPTIONS, widen its attack surface. For instance, TRACE echoes the request it receives back to the client; though it was designed for debugging, it can be used to mount a cross-site tracing (XST) attack that discloses request headers such as cookies.

Fix: ADSelfService Plus blocks the HTTP methods it does not use, such as PUT, DELETE, TRACE, and OPTIONS.

ADSelfService Plus fixed this vulnerability in build 5517, on April 17, 2018.

Vulnerabilities in the older versions of jQuery

Severity: High

Earlier versions of jQuery contain known security vulnerabilities.

Fix: ADSelfService Plus upgraded the bundled jQuery from 1.8.1 to 1.12.2 in build 5517, on April 17, 2018. Note that the jQuery 1.x line itself predates later jQuery security fixes, so check the jQuery version shipped with your current build.

Unrestricted file upload vulnerability

Severity: High

In this type of vulnerability, an attacker sends a multipart/form-data POST request with a specially crafted filename or MIME type, which can lead to cross-site scripting or execution of malicious code on the server.

Fix: ADSelfService Plus applies a whitelist filter during file uploads and only accepts the PNG, HTML, CSV, PDF, XLS, XLSX, and CSVDE formats. Because HTML can carry script, uploaded HTML files should never be rendered as a page from the application's own origin; serve them as downloads (Content-Disposition: attachment) with X-Content-Type-Options: nosniff.

ADSelfService Plus fixed this vulnerability in build 5516, on March 29, 2018.

Server-side request forgery vulnerability

Severity: High

In a server-side request forgery (SSRF) attack, an attacker modifies an existing URL or provides a new URL to be sent to the server. When this manipulated URL request is handled by the server, the server reads or submits data to the manipulated URL. Usually, the attacker targets the NTLM hash of specific accounts to access the resources linked to that account.

Fix: ADSelfService Plus has upgraded the dd-plist.jar file (default location: Installation Directory\lib\dd-plist.jar) in build 5516, on March 29, 2018.

Reflected XSS vulnerability

Severity: High

A reflected XSS vulnerability is used against the users of a site they trust. When a user clicks a malicious link, the attacker's script travels to the server as part of the request and is reflected back in such a way that the HTTP response contains it. The browser executes the script because it arrived from the "trusted" server.

Fix: ADSelfService Plus encodes characters such as <, >, &, ', and " in query parameters before they are reflected.

ADSelfService Plus fixed this vulnerability in build 5516, on March 29, 2018.

Bypassing client-side validations

Severity: High

By exploiting this vulnerability, an attacker bypasses client-side input validation for targeted content, say, password fields.

Attackers usually bypass a web application's client-side validation either by disabling JavaScript with a web developer tool or by tampering with the HTTP request in a proxy tool after it has left the browser.

Fix: No fix is needed. ADSelfService Plus is not affected because it validates input on the server side as well as the client side; client-side checks are a usability aid, never a security control.

Information leakage through comments

Severity: Low

Information leakage occurs when an application unintentionally discloses sensitive data, such as the technical details of a network or application, or user-specific data. Depending on what data is leaked, it could be used by an attacker to exploit the target web application, its hosting network, or the application's users.

Fix: ADSelfService Plus' developers have removed sensitive information that might have been disclosed through comments in the source code.

Fingerprinting the web server

Severity: Low

Exploiting an application is easier when the attacker knows the platform on which it is built. Though HTTP headers mainly exist to help handle requests and responses, attackers can use them to identify the web server and its version.

Fix: No fix is needed. ADSelfService Plus is not affected because it sets the server attribute on the Connector in server.xml (default location: Installation Directory/conf), which replaces the value of the Server response header and hides the actual web server and its version.

Sample:

<Connector port="8888" name="WebServer" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"  server="ADSSP" />

Simultaneous session logins

Severity: Medium

An application that accepts concurrent logins lets a malicious user who has obtained valid credentials authenticate at the same time as the legitimate user, without either session being disturbed. This can lead to misuse of the user's personal information and to unauthorized actions going unnoticed.

Fix: The Deny Concurrent Login feature in ADSelfService Plus prevents a user from running more than one session at a time.

ADSelfService Plus fixed this vulnerability in build 5517, in April 2018.

Cross-site scripting (XSS) vulnerabilities

Severity: High

XSS attacks involve an attacker injecting a client-side script in the target application. The end user’s browser has no way of knowing that the script shouldn't be trusted, and will execute the malicious script.

Fix: In the security_params.xml file (default location: Installation Directory/conf), remove the # at the beginning of the X-XSS-Protection line and set it to 1. Browsers that implement this header enable their reflected-XSS filter when they see it. Note that current Chrome and Edge releases have removed their XSS auditor and Firefox never implemented one, so this header no longer protects modern browsers; output encoding and a Content-Security-Policy are the effective defenses.

Below is what the header will look like after the fix:

 X-XSS-Protection=1

ADSelfService Plus fixed this vulnerability in build 4500.

Cross-site request forgery (CSRF) vulnerability

Severity: High

CSRF is an attack that tricks a web browser into executing an unwanted action in an application the user is logged in to. This is accomplished by the user inadvertently clicking a malicious link, which sends an HTTP request the user did not intend to make; the browser attaches the cookie header containing the user's session ID. Because the user is authenticated at the time of the attack, the application cannot distinguish legitimate from forged requests on the basis of the session cookie alone.

Fix: ADSelfService Plus includes an anti-CSRF token with every request and refuses to perform actions whose request does not carry a valid token.

ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.

Cross-frame scripting (XFS)/Clickjacking

Severity: High

In cross-frame scripting/clickjacking, a user is tricked into clicking something other than what they think they are clicking, inadvertently revealing sensitive information or executing an unintended command. Typically, the attacker embeds the legitimate site in an iFrame on a malicious page; when the user enters credentials into the framed page, a JavaScript keylogger on the attacker's page records the keystrokes and sends them to the attacker's server.

Fix: In the security_params.xml file (default location: Installation Directory/conf), remove the # at the beginning of the x-frame-options line and set it to SAMEORIGIN. With this header, browsers refuse to render ADSelfService Plus inside a frame on another site's origin.

Below is what the header request will look like after the fix:

x-frame-options=SAMEORIGIN

ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.

Weak cache policy or server cache policy

Severity: Medium

A browser caches page content on the user's machine so that it does not have to download it again the next time the page is opened. Even over SSL/TLS, sensitive data can also be stored by proxies and SSL terminators. If an attacker gains access to the cache, sensitive data such as credit card details and usernames is at risk.

Fix: Every HTTP page in ADSelfService Plus is sent with Cache-Control, Pragma, and Expires response headers that prevent caching. To enable this fix, remove the # at the beginning of the cache-control=no-cache, no-store line in the security_params.xml file (default location: Installation Directory/conf).

Below is what the header request will look like after the fix:

cache-control=no-cache, no-store

ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.

MIME-SNIFFING

Severity: Low

When there isn't enough metadata to determine the content type of data, most browsers, notably Microsoft Internet Explorer, attempt to determine the correct content type with a technique called MIME (also known as media type) sniffing. However, attackers exploit this technique by manipulating the browser to interpret data in a way that allows for unexpected operations, such as cross-site scripting.

Fix: In the security_params.xml file, remove the # at the beginning of the x-content-type line and set it to nosniff. The browser-facing header is X-Content-Type-Options: nosniff, which tells browsers to honour the declared Content-Type instead of guessing.

Below is what the header request will look like after the fix:

x-content-type=nosniff

ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.

Insecure wildcard cross-origin resource sharing (CORS)

Severity: High

Cross-origin resource sharing (CORS) is a standard that defines a set of headers with which a server tells the browser which cross-origin requests are permitted. The risk arises when Access-Control-Allow-Origin is set to '*': this wildcard means any origin on the web may read that site's resources, so the server never validates or whitelists the requesting origin.

Fix: Set the access-control-allow-origin to a specific domain name to fix the CORS vulnerability. ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.

Browser auto-complete issue

Severity: Low

Most browsers offer to store credentials entered into HTML forms and fill them in on the next visit. An attacker with local access to the machine can recover clear-text passwords stored this way.

Fix: ADSelfService Plus disables auto-complete on its password fields so that browsers do not store them.

ADSelfService Plus fixed this vulnerability in build 5300, in April 2015. 

Missing HTTPOnly flag and secure flag in the session cookies

Severity: Low

If a session cookie doesn't have an HttpOnly flag, the cookie can be accessed through JavaScript. Essentially this means that an XSS attack could lead to cookies being stolen, which in turn could lead to an account or session takeover.

Fix: Enable SSL in ADSelfService Plus, then set the HttpOnly and Secure flags on the session cookies. HttpOnly makes the browser return an empty string when a client-side script tries to read the cookie, and Secure stops the browser from sending it over plain HTTP. ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.
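Most of the header-level fixes above (HttpOnly and Secure cookie flags, the hidden Server header, x-frame-options, cache-control, nosniff, and non-wildcard CORS) can be verified from a single captured response. The following added example (not ADSelfService Plus code) parses raw HTTP response headers and reports which of those controls are missing. Both responses are constructed for the example: the first deliberately exhibits every weakness, the second shows the hardened header set; the expected Server value "ADSSP" is taken from the server.xml sample above and is a parameter.

```python
from typing import List, Tuple

# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=9F2C1A; Path=/\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ADSSP\r\n"
    "Set-Cookie: JSESSIONID=9F2C1A; Path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs; repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw: str, expected_server_tag: str = "ADSSP") -> List[str]:
    """One finding per missing control; an empty list means every check passed."""
    pairs = parse_headers(raw)
    single = dict(pairs)  # last value wins; fine for the single-valued headers checked here
    findings: List[str] = []
    for cookie in (v for n, v in pairs if n == "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
    if single.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or permissive (clickjacking)")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")
    cache = {d.strip().lower() for d in single.get("cache-control", "").split(",")}
    if not {"no-cache", "no-store"} <= cache:
        findings.append("Cache-Control: no-cache, no-store missing (weak cache policy)")
    if single.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: wildcard CORS")
    server = single.get("server", "")
    if server and server != expected_server_tag:
        findings.append(f"Server: reveals '{server}' (fingerprinting)")
    return findings

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or "no findings")
```

X-XSS-Protection is deliberately not checked: modern browsers ignore it, so its absence is not a finding. Run the audit against a real capture by pasting the response text (status line through the blank line) in place of the constructed samples.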

SHA1WithRSA vulnerabilities

Severity: High

SHA-1 is vulnerable to collision attacks: an attacker can produce two inputs with the same SHA-1 hash with far less computational effort than a secure hash function should require, which undermines signatures that rely on it, SHA1WithRSA certificate signatures included.

Fix: ADSelfService Plus uses SHA256WithRSAENCRYPTION by default to overcome this security vulnerability.

ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.

Session fixation

Severity: High

In this vulnerability, an attacker targets the limitations of the application's session ID management. When the malicious user visits the application, they're assigned a session ID. The attacker makes note of this session ID and leaves the browser open. If another user on the same machine authenticates themselves in the application without closing the browser, they'll be logged in with the session ID set by the attacker. The attacker can use this information to gain complete access to the user's application account until that session ends. This can lead to potential security issues as the attacker can use this access to change the user's password.

Fix: ADSelfService Plus issues a new session ID on every successful authentication, so a session ID known to an attacker before login is never the one used after it.

ADSelfService Plus fixed this vulnerability in build 5300, in April 2015.

SQL Injection through framework build

Severity: High

SQL injection occurs when an attacker adds or injects malicious code into a SQL statement executed by the web application. A successful SQL injection allows attackers to spoof a user's identity, tamper with existing data, and even gain complete control over the web application's server.

Fix: Database operations for ADSelfService Plus are handled through our internal framework to prevent SQL injections and other similar attacks. 

Weak SSL cipher

Severity: High

Every TLS connection depends on the protection of three components, known collectively as a cipher suite: the key exchange/authentication, encryption, and hashing (MAC) algorithms. An application relying on SSL/TLS for data transmission with weak ciphers leaves its traffic exposed and allows an attacker to steal or manipulate sensitive data.

Fix: Add the ciphers provided below to the HTTPS Connector in the ADSelfService Plus server.xml file (default location: Installation Directory/conf). Note that the CBC suites listed here, particularly the two that end in _SHA (SHA-1 HMAC), are flagged as weak by current scanners; where your Java version supports them, prefer AES-GCM suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. In the example that follows, replace keystoreFile and keystorePass with the values for your own keystore.

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" allowUnsafeLegacyRenegotiation="false" server="Adselfservice Plus" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" compression="off" 

Example:

<Connector SSLEnabled="true" acceptCount="100" compression="off"  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" connectionTimeout="-1" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/server.keystore" keystorePass="adventnet" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="9251" scheme="https" secure="true" allowUnsafeLegacyRenegotiation="false" server="AdselfservicePlus" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
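The following added example (not part of the product) audits a Tomcat HTTPS Connector element for the settings discussed above: enabled protocol versions, cipher suites (broken algorithms, lack of forward secrecy, SHA-1 HMAC and CBC mode), compression, unsafe legacy renegotiation, and the server attribute used to hide the web server. `PAGE_CONNECTOR` is the sample Connector above, reproduced verbatim; `WEAK_CONNECTOR` is constructed for contrast, and the marker lists are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# The sample Connector from this page, used as audit input.
PAGE_CONNECTOR = (
    '<Connector SSLEnabled="true" acceptCount="100" compression="off"  '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" '
    'clientAuth="false" connectionTimeout="-1" debug="0" disableUploadTimeout="true" '
    'enableLookups="false" keystoreFile="./conf/server.keystore" keystorePass="adventnet" '
    'maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="9251" '
    'scheme="https" secure="true" allowUnsafeLegacyRenegotiation="false" '
    'server="AdselfservicePlus" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />'
)

# Constructed weak connector for contrast.
WEAK_CONNECTOR = (
    '<Connector SSLEnabled="true" port="9251" scheme="https" secure="true" '
    'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" '
    'ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />'
)

BROKEN_MARKERS = ("RC4", "3DES", "_DES_", "NULL", "EXPORT", "MD5", "anon", "RC2")
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")

def audit_connector(xml_text: str) -> Tuple[List[str], List[str]]:
    """Return (failures, warnings) for one Tomcat HTTPS <Connector ... /> element."""
    attrs = ET.fromstring(xml_text).attrib
    fails: List[str] = []
    warns: List[str] = []

    protocols = [p.strip() for p in attrs.get("sslEnabledProtocols", "").split(",") if p.strip()]
    if not protocols:
        warns.append("sslEnabledProtocols not set: the JVM default decides what is offered")
    for p in protocols:
        if p not in ("TLSv1.2", "TLSv1.3"):
            fails.append(f"legacy protocol enabled: {p}")

    suites = [c.strip() for c in attrs.get("ciphers", "").split(",") if c.strip()]
    if not suites:
        warns.append("ciphers not set: the JVM default cipher list is used")
    for s in suites:
        if any(marker in s for marker in BROKEN_MARKERS):
            fails.append(f"broken cipher suite: {s}")
        elif not s.startswith(FORWARD_SECRET_PREFIXES):
            warns.append(f"no forward secrecy: {s}")
        elif s.endswith("_SHA"):
            warns.append(f"SHA-1 HMAC, prefer an AES-GCM suite: {s}")
        elif "_CBC_" in s:
            warns.append(f"CBC mode, prefer an AES-GCM suite: {s}")

    if attrs.get("compression", "off").lower() != "off":
        warns.append("HTTP compression enabled (BREACH-style leakage of secrets in responses)")
    if attrs.get("allowUnsafeLegacyRenegotiation", "false").lower() != "false":
        fails.append("allowUnsafeLegacyRenegotiation is enabled")
    if not attrs.get("server"):
        warns.append("server attribute not set: the Server header may identify the web server")
    return fails, warns

if __name__ == "__main__":
    for label, xml_text in (("page sample", PAGE_CONNECTOR), ("weak", WEAK_CONNECTOR)):
        fails, warns = audit_connector(xml_text)
        print(label, "FAIL:", fails, "WARN:", warns)
```

Against the page's own sample the audit reports no failures but four warnings, one per CBC suite; that is the gap between "passes a 2015 scanner" and "passes a current one". Paste the Connector element from your own server.xml in place of the samples to check a live configuration.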

 If you encounter any other errors not listed above, please email us at support@adselfserviceplus.com, or give us a call at +1.408.916.9890.
