HendrikJ
Contributor III

General supported ciphers / Qlik Sense security

I did find several notes and articles regarding this, but they were all old and not up to date.

Several Qlik services popped up in security scans over the last few weeks (proxy, license, webchat, hybrid deployment...).

We then configured the ciphers for the license service manually:

-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

 

Unfortunately, that still leaves me with ciphers with no forward secrecy. If I remove the RSA ciphers, Qlik does not work anymore, probably because the other services cannot talk to the license service anymore.

This is also the case for other Qlik services (webchat and others). We already had to remove all CBC ciphers system-wide (because of the Goldendoodle vulnerability of the Qlik Proxy), and we now need to disable all RSA ciphers also (see https://support.qlik.com/articles/000115202).

That in turn makes Qlik not work anymore. So we are now stuck in a situation where we cannot further limit the list of allowed ciphers because it makes Qlik not work anymore, and we cannot allow other ciphers (CBC), because it will open up old security issues (namely regarding the Qlik proxy).


I would be very happy if someone could please point me in a direction where I can find a collection of ciphers and settings that I can enable so the various Qlik services are using up to date ciphers with forward secrecy and everything still works. I was not able to find anything like that so far.

Probably something like this, but with updated ciphers:
https://community.qlik.com/t5/Support-Knowledge-Base/TLS-and-SSL-Support-in-Qlik-Sense-How-to-config...

I attached our current system-wide cipher configuration that works, but leaves security findings regarding all DotNet services from services.conf.

1 Solution

Accepted Solutions
HendrikJ
Contributor III
Author

Hi Bastien,

 

-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This works for us with the latest November 2020 release and at the same time satisfies our security scans (for now).

Best regards
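
An added example (not part of the original posts, and not Qlik's own code): a small Python check that reads a -cipher-suites= value and flags each suite, by name only, for the two findings discussed in this thread: no forward secrecy (static RSA key exchange) and CBC mode. It also groups the unflagged suites by the certificate key type named in the suite, since an ECDHE_ECDSA suite can only be negotiated with an ECDSA certificate; the function names are hypothetical.

```python
# Added example: audit a -cipher-suites= value by IANA-style suite name.
EPHEMERAL_KX = {"ECDHE", "DHE"}  # key exchanges that provide forward secrecy

def parse_flag(line):
    """Return the suite names from a '-cipher-suites=A,B,...' line."""
    _, _, value = line.strip().partition("=")
    return [s.strip() for s in value.split(",") if s.strip()]

def classify(suite):
    """Return (issues, cert_key) for one TLS 1.2-style suite name."""
    head, sep, tail = suite.partition("_WITH_")
    if not sep or not head.startswith("TLS_"):
        return ["unrecognised name"], None  # e.g. TLS 1.3 names have no _WITH_
    kx_parts = head[len("TLS_"):].split("_")  # ['ECDHE', 'RSA'] or ['RSA']
    issues = []
    if kx_parts[0] not in EPHEMERAL_KX:
        issues.append("no forward secrecy")
    if "CBC" in tail.split("_"):
        issues.append("CBC mode")
    return issues, kx_parts[-1]  # last part names the certificate key type

def audit(line):
    """Return (flagged suites with issues, clean suites grouped by cert key)."""
    flagged, clean = {}, {}
    for suite in parse_flag(line):
        issues, cert_key = classify(suite)
        if issues:
            flagged[suite] = issues
        else:
            clean.setdefault(cert_key, []).append(suite)
    return flagged, clean

# The two values posted in this thread (first attempt, then accepted solution).
FIRST = ("-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,"
         "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,"
         "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
         "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")
FINAL = ("-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")

if __name__ == "__main__":
    for label, line in (("first", FIRST), ("final", FINAL)):
        flagged, clean = audit(line)
        print(label, "- flagged:", len(flagged), "- clean by cert key:", clean)
        for suite, issues in flagged.items():
            print("   ", suite, "->", ", ".join(issues))
```

Run against the first list, the only suites left unflagged are the two ECDHE_ECDSA GCM suites; the accepted list contains only ECDHE_RSA GCM suites and produces no findings.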


2 Replies
Bastien_Laugiero

Hello @HendrikJ!

I was just looking at your post and saw your comment in article https://community.qlik.com/t5/Support-Knowledge-Base/TLS-and-SSL-Support-in-Qlik-Sense-How-to-config...

It sounds like you have found a solution:

I just did some testing with Qlik November 2020 newest patchlevel, and it looks much better than the older version. I may actually be able to use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with everything and Qlik still seems to work. That should satisfy our security requirements.

Can you please confirm? This will surely help other community users! 

Thank you and have a great day!

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.