inSync Master Server 5.9.8 does not support Forward Secrecy
This article applies to:
- OS: All supported operating systems
- Product edition: inSync On-Premise
Problem description
Forward secrecy (also called perfect forward secrecy) is a protocol feature that enables secure conversations that are not dependent on the private key of the server. With cipher suites that do not provide forward secrecy, someone who can recover a server’s private key can decrypt all the encrypted conversations recorded earlier. inSync must support and prefer ECDHE suites to enable forward secrecy with modern web browsers. To support a wider range of clients, DHE suites must be used as a fallback after ECDHE.
For more information and error description, see: https://www.ssllabs.com/ssltest/analyze.html?d=ebk.quest-global.com
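An added example (not part of the original article and not Druva's code): a Python audit of a server's cipher list, given in preference order, against the requirement above that ECDHE suites be preferred with DHE as the fallback. The function names and sample lists are assumptions constructed for illustration, and the handling of TLS 1.3 suite names goes beyond what the article covers.

```python
import re

# Suite names are matched in both OpenSSL (ECDHE-RSA-...) and IANA (TLS_ECDHE_RSA_...) style.
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")        # TLS 1.3 names carry no key exchange
_ECDHE = re.compile(r"^(TLS_)?ECDHE[-_]")
_DHE = re.compile(r"^(TLS_)?(DHE|EDH)[-_]")         # EDH is OpenSSL's older spelling of DHE


def key_exchange(suite):
    """Classify one suite as 'TLS1.3', 'ECDHE', 'DHE' or 'NONE' (no forward secrecy)."""
    name = suite.strip().upper()
    if _TLS13.match(name):
        return "TLS1.3"   # certificate-authenticated TLS 1.3 handshakes are always ephemeral
    if _ECDHE.match(name):
        return "ECDHE"
    if _DHE.match(name):
        return "DHE"
    # Static RSA and static DH/ECDH (note: ECDH-, not ECDHE-) land here; this audit
    # also rejects anonymous suites, which should not be enabled at all.
    return "NONE"


def audit_preference(suites):
    """Audit a cipher list given in server preference order (most preferred first)."""
    kinds = [key_exchange(s) for s in suites]
    fs = [k != "NONE" for k in kinds]
    first_non_fs = fs.index(False) if False in fs else len(fs)
    first_dhe = kinds.index("DHE") if "DHE" in kinds else len(kinds)
    return {
        "supports_fs": any(fs),
        # Preferred means every forward-secret suite outranks every non-FS suite.
        "prefers_fs": any(fs) and not any(fs[first_non_fs:]),
        "ecdhe_before_dhe": "ECDHE" not in kinds[first_dhe:],
        "has_dhe_fallback": "DHE" in kinds,
        "non_fs_suites": [s for s, ok in zip(suites, fs) if not ok],
    }


# Constructed sample lists (not taken from any real inSync configuration).
LEGACY = ["AES256-SHA", "AES128-SHA", "ECDH-RSA-AES128-SHA", "DES-CBC3-SHA"]
HARDENED = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
            "DHE-RSA-AES256-GCM-SHA384", "AES256-SHA"]
MISORDERED = ["AES128-SHA", "DHE-RSA-AES128-SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for label, suites in (("legacy", LEGACY), ("hardened", HARDENED), ("misordered", MISORDERED)):
        print(label, audit_preference(suites))
```

The list to audit would come from the server's TLS configuration or from a scanner report that shows the suites in server preference order.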
Resolution
At this time, the product is working as designed. Druva recognizes that this is an identified vulnerability that requires attention and is working to address it in future releases of the product. The issue has been identified and is addressed in the 5.9.9 release.