SSL Medium Strength Cipher Suites Supported vulnerability

Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys.  Here is the text of the vulnerability :
Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
Can someone point me in the right direction on how to re-configure the switch to pass this test?
Thanks
Poirot

I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.
I would suggest you to configure keys of 1024 on these switches and try again.
I hope it helps.
PK

Similar Messages

  • Cisco Prime Infrastucture vulnerability SSL RC4 Cipher Suites Supported

    Hi All,
    I have a question on how to disable RC4 Cipher Suites Supported on Cisco Prime Infrastructure Platform.
    My Client have use Nessus Software to scan on prime. and found on below vulnerability
    SSL RC4 Cipher Suites Supported
    Cisco prime infrastructure deploy on latest 2.1
    we have gain the root access and modifier the ssl.conf and restart the service also unable to solve.
    /opt/CSCOlumos/httpd/ssl/backup/ssl.conf
    /opt/CSCOlumos/httpd/ssl/ssl.conf
    C:\Program Files\Tenable\Nessus>nessuscmd -v -p 443 -i 21643 192.168.1.55
    Starting nessuscmd 5.2.7
    Scanning '192.168.1.55'...
    Host 192.168.1.55 is up
    Discovered open port https (443/tcp) on 192.168.1.55
    [i] Plugin 21643 reported a result on port https (443/tcp) of 192.168.1.55
    + Results found on 192.168.1.55 :
       - Port https (443/tcp) is open
         [i] Plugin ID 21643
          | Here is the list of SSL ciphers supported by the remote server :
          | Each group is reported per SSL Version.
          | SSL Version : TLSv1
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=SHA1
          |
          | SSL Version : SSLv3
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |   High Strength Ciphers (>= 112-bit key)
          |       EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES(
          | 68)            Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=SHA1
          | The fields above are :

    Hi ,
    "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
    CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
    Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
    Prime Infrastructure 2.2.which is planned to be released around the end of this year ( tentative)
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • Weak cipher suites supported on WCS port 8082

    Hi
    Port 8082 is used for health monitoring in WCS, a web service is running on this port so we can login via web and check the status.
    I would like to know, is there a way to limit the cipher suite supported on this port? For port 443, this can be done by modify the Apache configuration file, however this doesn't work for 8082. The version is 5.2.148.0.
    Thanks and Regars,
    Leo

    Hi ,
    "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
    CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
    Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
    Prime Infrastructure 2.2.which is planned to be released around the end of this year ( tentative)
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • SSL and TLS Cipher Suites

    Hello,
    I am tying to use the SSLContext class in a nonblocking IO application with "TLS" protocol in Server mode.
    I am seeing a "no cipher suites in common" error message during the handshake.
    The Client is requesting for "TLS_RSA_WITH_RC4_128_MD5" but this cipher is not available (verified from the list returned by SSLEngine.getSupportedCipherSuites()).
    I have the following questions.
    1> Are SSL_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_MD5 the same?
    2>Is it possible for me to register TLS_RSA_WITH_RC4_128_MD5 as an alias for SSL_RSA_WITH_RC4_128_MD5?
    3> How can I get the Server to recognize TLS_RSA_WITH_RC4_128_MD5?
    Thanks,
    arun.

    Hello,
    I am tying to use the SSLContext class in
    a nonblocking IO application with "TLS" protocol in
    Server mode.
    I am seeing a "no cipher suites in common" error
    message during the handshake.
    The Client is requesting for
    "TLS_RSA_WITH_RC4_128_MD5" but this cipher is not
    available (verified from the list returned by
    SSLEngine.getSupportedCipherSuites()).
    I have the following questions.
    1> Are SSL_RSA_WITH_RC4_128_MD5 and
    TLS_RSA_WITH_RC4_128_MD5 the same?Yes
    2>Is it possible for me to register
    TLS_RSA_WITH_RC4_128_MD5 as an alias for
    SSL_RSA_WITH_RC4_128_MD5?Shouldn't be necessary, as they are compared by RFC2246 value, not by name.
    3> How can I get the Server to recognize
    TLS_RSA_WITH_RC4_128_MD5?Do the client and server both create their SSLContexts with "TLS". Do either of them modify the enabled cipher suites? Does the server have an RSA certificate?

  • Supported Cipher  suites.

    Hi All,
    I am successfully communicating with the server using HTTPS with HttpsConnection from my J2ME Midlet. I am using APACHE as HTTP Server. However, the best cipher suite negutiated between the device and the server used by HTTPS was DES-CBC3-SHA. As you can see, it uses DES, which is not quite as secure as AES.However despite a lot of effort, i am just not able to get it to use an AES cipher suite. Is AES part of any supported cipher suite by MIDP? If not, can anyone tell me how i can enumeration the cipher suites supported on the MIDLet?
    Thanks in advance
    Edited by: AUTOMATON on Sep 14, 2007 3:38 AM

    @superena,
    Thanks for the links, but they actually dont give me the info I need. What I want to do is to find out how many SSL cipher suites are supported by J2ME. I mean if there is a list somewhere, of if i can write a program that can enumerate them for me..

  • SSLHandshakeException: no Cipher suits in common

    Hi
    I have created a self signed certificate using keytool utility using RSA algorithm, key algorithm as SHA1WITHRSA. When I am trying to proxy the requests from IIS 7.5, I am getting below exception in weblogic logs.
    Please let me know how do I go about debugging this.
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <DynamicJSSEListenThread[DefaultSecure] 33 cipher suites enabled:>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_RSA_WITH_AES_128_CBC_SHA256>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_DHE_RSA_WITH_AES_128_CBC_SHA256>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_DHE_DSS_WITH_AES_128_CBC_SHA256>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_RSA_WITH_AES_128_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_RSA_WITH_AES_128_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_DHE_RSA_WITH_AES_128_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_DHE_DSS_WITH_AES_128_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_ECDSA_WITH_RC4_128_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_RSA_WITH_RC4_128_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <SSL_RSA_WITH_RC4_128_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_RSA_WITH_RC4_128_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_ECDSA_WITH_RC4_128_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_RSA_WITH_RC4_128_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <SSL_RSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_RSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <SSL_RSA_WITH_RC4_128_MD5>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_RSA_WITH_RC4_128_MD5>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <TLS_EMPTY_RENEGOTIATION_INFO_SCSV>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[DynamicJSSEListenThread[DefaultSecure],9,WebLogicServer]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setWantClient
    Auth(boolean): value=false.>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[DynamicJSSEListenThread[DefaultSecure],9,WebLogicServer]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setUseClientM
    ode(boolean): value=false.>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseada
    pter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NEED_TASK
    bytesConsumed = 52 bytesProduced = 0.>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseada
    pter: SSLENGINE: Exception occurred during SSLEngine.wrap(ByteBuffer,ByteBuffer).
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
            at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
            at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
            at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
            at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)
            at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
            at weblogic.security.SSL.jsseadapter.JaSSLEngine$1.run(JaSSLEngine.java:68)
            at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
            at weblogic.security.SSL.jsseadapter.JaSSLEngine.wrap(JaSSLEngine.java:66)
            at weblogic.socket.JSSEFilterImpl.wrapAndWrite(JSSEFilterImpl.java:619)
            at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:91)
            at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:64)
            at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:282)
            at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:962)
            at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:889)
            at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java:339)
            at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused By: javax.net.ssl.SSLHandshakeException: no cipher suites in common
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
            at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:892)
            at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:620)
            at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
            at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
            at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
            at java.security.AccessController.doPrivileged(Native Method)
            at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
            at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:186)
            at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:95)
            at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:64)
            at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:282)
            at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:962)
            at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:889)
            at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java:339)
            at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    >
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseada
    pter: SSLENGINE: SSLEngine.closeOutbound(): value=closed.>
    <26 Nov, 2014 7:29:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseada
    pter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = CLOSED HandshakeStatus = NEED_UNWRAP
    bytesConsumed = 0 bytesProduced = 7.>
    Regards
    PPK

    Hi gimbal2,
    I've already googled the error but I didn't find anything useful: however I will try again.
    Thank you,
    AndreaWeird, because the first result I got was a highly informative stackoverflow post. I think you need to blame more what you were looking for: you were looking for a cut, copy and paste solution in stead of searching for information to understand the problem and solve it. But that is conjecture on my part, feel free to ignore me.I read that stackoverflow post (about forcing the RSA algorithm instead of the default DSA) some days ago but didn't fully understant it; now I first generated a keystore with the RSA algorithm then I imported the certificate and now it almost works, I.E. now warns me about the certificate not being trusted while it should (I can see the issuer in the Trusted Root CA of the browser). To recap:
    - in every browser at the customer sites there are two certificates installed (one intermediate and one wildcard)
    - the customer can use a Web MS application and has imported a certificate in IIS, so I exported this certificate and imported it in the keystore but I get the error about the CA not being trusted.
    So now it's not working and I will try to import the intermediate and the wildcard certificate (I think this could solve). I will post the result.
    Thank you gimbal2.

  • WSMAN CredSSP TLS 1.2 support and cipher suites

    Hi all,
    The protocol document [MS-CSSP] explains the first base64 encoded token send in the authenticate from the client to the server is a TLS Client Hello. The response is a ServerHello.
    The diagram in section 4 'Protocol Examples' of the document indicates the ServerHello has a cipher suite of TLS_RSA_WITH_RC_128_SHA. The TLS version and cipher suites are not mentioned anywhere else in the document.
    So lets take a look a network packet capture of a CredSSP authentication between a winrm.exe client and a Windows 2008 R2 server. I have base64 decoded the contents of the CredSSP Authorization headers,
    The ClientHello bytes (without the extensions) send by my client are:
    16 03 01 00 6B 01 00 00  67 03 01 54 DB 64 77 22 
    A2 1C A3 23 93 61 3B 00  1B DE 1C 6D 42 34 94 8D 
    1D 44 2C 64 8B 42 AC 41  B4 E2 DE 00 00 14 00 2F 
    00 35 00 0A C0 13 C0 14  C0 09 C0 0A 00 32 00 38 
    00 13 01 00 00 2A FF 01  00 01 00 00 00 00 11 00 
    0F 00 00 0C
    Decoding this we can see that this is TLS 1.0 {03, 01}, taking a look at the ciphers we have:
    TLS_RSA_WITH_AES_128_CBC_SHA 0x00 0x2F
    TLS_RSA_WITH_AES_256_CBC_SHA 0x00 0x35
    TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00,0x0A
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0,0x13
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0,0x14
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC0,0x09
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC0,0x0A
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x00,0x32
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x00,0x38
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x00,0x13
    Now lets look at the ServerHello (without the extensions)
    16 03 01 02 3C 02 00 00  4D 03 01 54 DB 64 78 73 
    92 C6 86 A3 F8 FF 3D D4  36 77 C0 FC 80 61 3F 4D 
    8C BC 60 CD BC 4D B1 1C  4A CF 0A 20 DA 14 00 00 
    38 11 DB C9 1C D0 8C 76  E7 A0 B9 F7 A5 D4 94 DF 
    8B 83 38 B3 FF EB AA 65  EB 23 03 0A 00 2F 00 00 
    05 FF 01 00 01 00 0B 00  01 E3 00 01 E0 00 01 DD 
    30 82 01 D9 30 82 01 42  A0 03 02 01 02 02 10 44 
    56 23 69 44 ED 93 85 43  DF B8 DF E3 75 DC A7 30 
    0D 06 09 2A 86 48 86 F7  0D 01 01 05 05 00 30 2B 
    31 29 30 27 06 03 55 04  03 13 20 
    The server responds with TLS 1.0 and selected cipher (0x00 0x2F)
    TLS_RSA_WITH_AES_128_CBC_SHA
    Based on this I created a WSMan CredSSP client using Python and OpenSSL and configured it to use TLS 1.2. I found the Windows server always responded with TLS 1.0. So, I configured my OpenSSL client for TLS 1.0 and set the cipherlist to AES128-SHA (like winrs.exe).
    The CredSSP TLS handshake completes, but the first ASN.1 encoded TSRequest token (containing an NTLM negotiate token) is rejected. However, if my openssl cipherlist is set to RC4, the TSRequest token is accepted and authentication is successful.
    This raises several questions:
    1. Despite sending a TLS 1.2 ClientHello the WSMan CredSSP Server always responded with TLS 1.0 ServerHello. A number of security experts consider this version effectivly broken. Does CredSSP support TLS 1.2?
    2. I can authenticate with CredSSP using openssl 'RC4' cipher suites - but not with AES128-SHA suites. Are suites besides RC4 supported (winrs.exe appears to use AES).
    Thanks
    Ian

    Forum Update:
    I can now answer my 2nd question. The reason CredSSP is rejecting my TSRequest token when using AES128-SHA is because this ciphersuite is using CBC.
    Some years ago OpenSSL added empty fragments to SSLv3 and TLS 1.0 packets to address a potential security vulnerability. These empty fragments are not compatible with Microsofts SChannel implementation so Windows is unable to decrypt the data. OpenSSL added
    a compatibility flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (0x00000800L) that must be set in the openssl client's context options to address this issue with Microsofts implementation. Once I set this option my python openssl client successfully authenticated
    with a Windows 2012 R2 server using ECDHE-RSA-AES256-SHA - much better.
    Question 1 is still unanswered. Is TLS 1.2 with CredSSP supported?

  • Setting cipher suites for ssl sockets

    Hi
    While setting cipher suites for ssl serversocket and socket, there may be lot of stream ciphers and block ciphers in the list. (also there may or may not be anonymous cipher suites).
    How does the ssl socket decide which cipher suite to use?
    Sorry for this newbie question.
    Thank you.

    Have you read the JSSE Reference Guide? It has a really good description of how the SSL handshake works. Part of the "Client Hello" step includes sending all the cipher-suites the client has enabled. The server picks the "best" of that set, that the server also supports, and sends it back as part of the "Server Hello". Both sides switch to that set.
    Now, what "best" means isn't defined. I'm not sure what criteria the server uses to determine that. Maybe someone else reading the thread can chime in.
    Grant

  • How to locate and configure SSL cipher suites

    hi all,
    i wanted to knw how Ciphersuites that are used in SSL Connections are picked up by the JVM or whoever is responsible for establishing the connection at lower level. I mean there are methods in SSLSocketFactory, HttpsURLConnection named getEnabledCipherSuites(). I was just wondering where these default cipher suites are picked up. Is there any configuration file or some setting where we can add our own cipher suite to the list?
    Please advice.
    Thanks in advance :)
    Arun

    hi,
    As already we have discussed this, we can set the ciphersuite used in the SSLConnection using SSLSocket.setEnabledCIpherSuite() function only. And getSupportedCipherSuites() function returns the list of cipher suites that are supported by the connection.
    But i want to set ciphersuite in SSLConnection using HttpsURLConnection. Under this class (HttpsURLConnection) there is no such method where u can specify the ciphersuite.
    So i am trying to find out when an SSL connection is setup from where does the JVM loads the cipher suites? I checked the All the basic classes in javax.net.ssl package and all contain the methods as abstract. So if anybody has any idea regarding where these supported cipher suites are located in jdk please let me knw.
    Thanks in advance :)
    Arun

  • How to add a Cipher Suite using RSA 1024 algorithm to the 'SSL Cipher Suite Order' GPO

    Following a VA test the Default Domain GPO has been set to enable the SSL Cipher Suite Order.  Following the change Symantec Endpoint Protection Manager doesn't work properly as the the Home, Monitors and Reports pages are blank and an Schannel error is
    logged in the SEPM server's event log.
    I have spoken to Symantec and I have been told that we need to allow the RSA 1024 bit algorithm but they can't tell me which cipher suite this would be.  I have looked in the GPO setting and can't see an RSA 1024 suite but have found some in this article:
    http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
    I want to know how to add an additional cipher suite into the setting safely.  Am I able to just add the suite into the GPO setting (eg TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA) or do I need to do anything else beforehand?
    If anyone has any advice regarding this or cipher suite orders and troubleshooting SSL problems it would be much appreciated,
    Thanks
    Chris

    Hi Chris,
    Based on my research, RSA_EXPORT1024_DES_CBC_SHA is a previous cipher suite, which is supported, you can enable it use
    SSL Cipher Suite Order policy setting under Administrative Templates\Network\SSL Configuration Settings.
    More information for you:
    TLS/SSL Cryptographic Enhancements
    http://technet.microsoft.com/en-us/library/cc766285(v=WS.10).aspx
    Best Regards,
    Amy

  • SSL cipher suites with v3

    Any way to adjust which SSL cipher suites are used with the messaging agent on version 3 of messenger? There are a few that are not compatible with our firewall and we need to disable them. It's keeping iOS clients from connecting.

    Palo Alto Networks firewall. We enforce SSL decryption on all traffic and any suite that uses Diffie-Hellman key exchange isn't supported. Has to be RSA key exchange.
    Originally Posted by ahidalgo
    Which SSL cipher suites are not compatible with your firewall, just curious. Whose firewall are you using?
    Al
    On 2/27/2015 at 9:26 PM, jarrodholder<[email protected]> wrote:
    Any way to adjust which SSL cipher suites are used with the messaging
    agent on version 3 of messenger? There are a few that are not
    compatible with our firewall and we need to disable them. It's keeping
    iOS clients from connecting.
    jarrodholder
    jarrodholder's Profile: https://forums.novell.com/member.php?userid=1616
    View this thread: https://forums.novell.com/showthread.php?t=482111

  • How can I control the list of cipher suites offered in the SSL Client Hello message? I want to forbid MD5 and RC4.

    How can I control the list of cipher suites offered in the SSL Client Hello message?
    I want to limit my browser to negotiating strong cipher suites. I'd like to forbid DES, MD5 and RC4.

    Set the related SSL3 prefs to false on the about:config page (Filter: security.ssl3.).
    *http://kb.mozillazine.org/about:config

  • How to specify a cipher suit used between plugin and weblogic server?

    I install Weblogic8.1 SP3 which supports for strong cipher suits, and config an apache 2.50 server as an front end.
    I config appache to use 2 way SSL with browser and wls one way SSL with apache plugin. Then config apache to forward client certs to WLS. now the problem is, I can see that the SSL connection between browser and apache uses a strong cipher suit('SSL_RSA_WITH_RC4_128_MD5'), but the ssl connection bwtween apache plugin and WLS uses a weak cipher suit('SSL_RSA_EXPORT_WITH_RC4_40_MD5'), with the SnoopServlet, although I use the mod_wl128_20.so module. How can I increase the cipher strength of SSL between WLS and it's apache plugin?
    Thanks in advance.
    Best
    Regards
    Jean

    Hello Gunaseelan,
    This is not possible because WLS 6.1 needs a config.xml file, exactly this
    name, to start.
    What you can do is to define a recovery domain, called myrecovery_domain for
    instance, and put the config_recovery.xml, renamed "config.xml".
    Hope this helps,
    Ludovic.
    Developer Relations Engineer
    BEA Support.
    "Gunaseelan Venkateswaran" <[email protected]> a écrit dans le message
    news: 3cd6a324$[email protected]..
    >
    Hi,
    I have 2 weblogic startup scripts (startWebLogic.sh and
    startWebLogic_recovery.sh) for the same domain.
    startWebLogic.sh uses config.xml file.
    I would like to use config_recovery.xml as the configuration file forstartWebLogic_recovery.sh
    >
    >
    How would I do this ?
    I am using WebLogic Server 6.1 on SunOS 5.8 / HP-UX 11.0.
    Appreciate any help.
    Regards
    Gunaseelan Venkateswaran

  • Transport Layer Security Cipher Suites in Safari

    Does anyone happen to know which Transport Layer Security (TLS) Cipher Suites Safari 4 supports?
    Specifically, does it support the Elliptic Curve suites from RFC 4492? How about AES?
    Thanks!

    Hi,
    i`m only aware that SSL is supported. If you need an official Statement i would recommend you open an OSS Message with the SAP Support.
    Regards
    -Seb.

  • Security Scan found Weak and Medium strength ciphers port 389&636

    After a recent security scan on one of our Apple Servers running 10.9.5 (Mavericks) it has reported weak and medium strength ciphers on port 389&636 and also that SSLv2 and SSLv3 is enabled. The Server is running Profile Manager and therefore also Open Directory although we are not really using Open Directory for authentication as we have AD within the organisation.
    My question is how can I modify Open Directory to only use HIGH ciphers and not MEDIUM or LOW? I have found the httpd-ssl.conf file but that is only listening on port 443. I have also found the slapd.conf but can't see where I would make the change.
    Any help would be greatly appreciated.
    Thanks

    So would you believe it I've managed to get it working. I wanted to see if Yosemite suffered from the same 'issues' that Mavericks does with SSLv2 & SSLv3 support. Also the weak ciphers bsing used. Well they scannex that server and found exactly the same 'issues' as before. So I started working on it this morning editing slapd.conf, slapd.conf.default, slapd_macosxserver.conf and apache-ssl.conf it might sound overkill but I thought what the ****. I added the following lines to all conf files:
    SSLProtocol ALL -SSLv2
    SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
    TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    and and it worked. Passed the scan with flying colours however might need to mod SLLv3 to keep theM happy.
    I need to replicate this on a Mavericks Server so hope the jist is the same.
    thanks for the advice Linc.

Maybe you are looking for

  • End Routine Result Package Output not as expected

    I have written an end routine that is based on a one to one mapping of two DSOs A to B, i calculate the value of two key figures which populate the fields, keyfig1 (a total of the amt_field per order) and keyfig2 (a % of the amt_field of keyfig1) . M

  • Report for delivery costs

    Hi, 1. I need to have a report for the paid delivey costs(planned and unplanned) for the given pos. 2. Is there any std transaction which can give the list of fast moving items based on movement types? Please help me, it is very urgent. Your help is

  • Clicking on Icon

    Icon appears on too;bar but after clicking on icon, email doesn't appear on monitor. I had this problem a month ago with dictionary after installing update downloads from Apple. Never bothered to check into it but now the same thing has happened with

  • Email Notification send from previous setting although it has been deleted.

    Hello, Current monitoring schedule for Daily Monitor Open Item (Vendor) are 3 times a day at 1700, 1730 and 1800. However, we receive a notification for this monitoring activity at 0600 with a differents in (1) email header, (2) Monitoring ID and (3)

  • No Sound even though it's recogni

    I have a Sound Blaster Audigy which in control panel says b400. Anyway I installed the latest drivers and clicked restart. when i restarted i heard the restart sound and when the computer started up i heard that sound. but after that no sounds played