SSL Ciphers
Hi, I'm moving an application from Apache/CGI to WebLogic 9.2. I need to restrict the protocol and the set of ciphers used by the server: that is, no null ciphers, no exported ciphers, etc., only high ciphers. In Apache, I can do something similar to the following:
SSLProtocol -ALL SSLv3 TLSv1
SSLCipherSuite -ALL:AES256-SHA:AES128-SHA:DES-CBC3-SHA
How can I do the same in WebLogic 9.2?
When I use the ciphersuite element of the config.xml file via the SSL element, the server doesn't load, and it complains that I should use inbound/outbound validation certificates. When I specify weblogic.security.SSL.allowUnencryptedNullCipher=false, the log records that 23 default ciphersuites have been loaded. How can I control what the server loads? Thanks for any help.
It appears the method for configuring has changed:
Prior to 9.x
<server>
<name>MyServer</name>
<ssl>
<name>MyServer</name>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite> ...
</ssl>
</server>
Similar Messages
-
Remote host supports the use of SSL ciphers that offer weak encryption
Dear All,
Our internal security audit suggests avoiding the use of weak SSL ciphers for our SAP PI 7.0 servers.
We have followed SAP note 510007 - Setting up SSL on Web Application Server ABAP.
As mentioned in point 6, we have added the parameter below in the instance profile of the application server and restarted our server, but the issue is still not resolved.
ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
Clients are accessing our PI server through SAP Web dispatcher.
Kindly suggest the action to be taken to resolve the issue.
Please find the below comment from Audit.
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network
Regards,
Lalitha.
Hi Jim,
The remote host is the PI(7.0) server.
PI server profile
FN_JSTART = jcontrol$(FT_EXE)
ssl/ciphersuites = HIGH:MEDIUM:!mMD5
jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) -exitcode %exitcode%
login/accept_sso2_ticket = 1
SAPSYSTEMNAME = APQ
SAPSYSTEM = 00
INSTANCE_NAME = DVEBMGS00
DIR_CT_RUN = $(DIR_EXE_ROOT)/run
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
jstartup/trimming_properties = off
jstartup/protocol = on
jstartup/vm/home = /opt/IBMJava2-amd64-142
jstartup/max_caches = 500
jstartup/release = 700
jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)
j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar
PHYS_MEMSIZE = 512
exe/saposcol = $(DIR_CT_RUN)/saposcol
rdisp/wp_no_dia = 10
rdisp/wp_no_btc = 3
exe/icmbnd = $(DIR_CT_RUN)/icmbnd
rdisp/j2ee_start_control = 1
rdisp/j2ee_start = 1
rdisp/j2ee_libpath = $(DIR_EXECUTABLE)
exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)
rdisp/j2ee_timeout = 1800
rdisp/frfc_fallback = on
icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
icm/server_port_0 = PROT=HTTP,PORT=80$$
# SAP Messaging Service parameters are set in the DEFAULT.PFL
ms/server_port_0 = PROT=HTTP,PORT=81$$
rdisp/wp_no_enq = 1
rdisp/wp_no_vb = 1
rdisp/wp_no_vb2 = 1
rdisp/wp_no_spo = 1
# Jcontrol: Migrated Profile Parameter
# create at Wed Mar 25 20:20:02 2009
j2ee/instance_id = ID0079698
Web dispatcher profile
SAPSYSTEMNAME = WD0
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)/run
DIR_EXECUTABLE = $(DIR_CT_RUN)
wdisp/shm_attach_mode = 6
# Accessibility of Message Server
#rdisp/mshost = asapq00.b.com
#ms/http_port = 8100
#ms/https_port = 8101
wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ
# Configuration for medium scenario
icm/max_conn = 16350
icm/max_sockets = 32768
wdisp/HTTPS/max_pooled_con = 16350
icm/req_queue_len = 8000
icm/min_threads = 100
icm/max_threads = 500
mpi/total_size_MB = 700
mpi/buffer_size = 32768
mpi/max_pipes = 21000
wdisp/HTTP/max_pooled_con = 8192
wdisp/HTTPS/max_pooled_con = 8192
# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
#icm/host_name_full= asapq00.b.com
icm/host_name_full= qtyh2h.k.co.in
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt
ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
wdisp/HTTPS/dest_logon_group = PUBLIC
wdisp/HTTPS/max_client_ip_entries = 100000
wdisp/HTTPS/sticky_mask = 255.255.255.0
#Additional Parameters
wdisp/add_client_protocol_header = true
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/handle_webdisp_ap_header = 1
#Registering SAP Web Dispatcher in the SLD
#wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00
#Parameter to avoid weak SSL ciphers
ssl/ciphersuites=HIGH:MEDIUM:!mMD5
Regards,
Lalitha -
Weak SSL ciphers on Unity 5.0 server during a security scan
Hello,
We received information from our security team when they did a scan on our Unity server: "the remote host supports the use of SSL ciphers that offer weak encryption or no encryption at all". I have found some articles on the web (Microsoft) about editing the registry key so that nothing lower than 128-bit encryption is accepted. I am looking for a Cisco paper to agree or disagree with this. Can anyone help?
Thank you.
So, this isn't an uncommon security alert when you have your system scanned. One thing to keep in mind is the placement of your server and who/what it is accessed by. In any case, you're not likely to find a Cisco doc that references this specifically. Instead, if you really want to move forward with making the appropriate registry changes, then you'll want to open a TAC case and find out if this is supported or not. In terms of further info on your issue:
There is a McAfee article about making websites more secure. It is here: http://www.codeproject.com/KB/aspnet/MakeWebsiteMcAfeeSecured.aspx
Your alert is referenced as follows:
Vulnerability Name: Weak Supported SSL Ciphers Suites
Description
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. This vulnerability is valid for all SSL/TLS sessions that are passing sensitive information.
PCI defines strong cryptography, for secret key based systems, as anything above 80 bit encryption.
Solution
The solution to this is very simple but requires a registry tweak again. Following are the steps:
Click Start, click Run, type regedt32 or type regedit, and then click OK.
In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
Under the Ciphers key, there are several ciphers.
Locate the ciphers which have encryption less than 128 bit.
Create a DWORD value named Enabled with value 0 for each of them, just as in the previous case.
For convenience, I have marked them with red arrows in the picture above.
System Restart is NOT required for this.
Now the server is secured.
The above mentioned security issues are the major ones that most of the systems have. However other than this, there may be some easy and minor vulnerabilities like:
Using robots.txt in the pages. (Generally inserted by Web Marketing team to track user hit).
Directory Scanner: Common directories are revealed. This can be resolved by URL rewriting and setting “Directory Browsing” off.
Note: For the above vulnerabilities, minor registry tweaks will be necessary. So it is strongly recommended to back up the registry before doing anything. By any chance if something gets messed up, just delete the SCHANNEL key and restart the machine, the key will be auto-generated.
Hailey
Please rate helpful posts! -
How To Restrict SSL Ciphers for iCal and Address Book
Does anyone know how to set the allowed SSL ciphers for the Address Book and iCal services on Snow Leopard Server?
Hi,
There's a dedicated forum for Server customers.
Good luck,
S. -
Hello experts,
I have a fundamental SSL question: what I want to know is whether the ciphers and algorithms mentioned in certificates are used in SSL communication or not? For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection. At what stage, which one of these from the certificate is used? Or is it that the SSL negotiation does not involve these algos and only selects from what the platform supports?
>>For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection.
The certificate's own signature is checked on receipt, and the server sends another digital signature signed with its own private key, which is also verified by the client; this proves that the server really owns that certificate. After that, the two sides negotiate a symmetric session key. Under some cipher suites that negotiation can also involve the server certificate. Once the session key is established, the certificates and their algorithms and key types play no further role.
As it says in RFC 2246. -
Securing DSEE - configuring CACAO SSL ciphers?
Is there -any- possible way to set the SSL cipher suites that cacao uses? I've tried nearly everything I can think of, and no matter what it does not make a difference.
I've already managed to get the actual LDAP SSL port running on high strength ciphers, the Java webconsole (port 6789) on high strength ciphers.. the only thing left is cacao on ports 11163, and 11164 (commandstream and the RMI registry)
Anyone?
Just an update, opened a ticket and got this response.
<quote>
Cacao uses the default set of ciphers offered by the Java Virtual Machine for TLSv3, as per the standard, which means that it supports a list of ciphers, the weakest of which is DES which is what triggers the scanner's alert.
Whilst it therefore supports the weaker encryption for clients that specifically request it, the Java client libraries also use the same set of ciphers offered by the Java Virtual Machine, TLSv3 negotiation always chooses the strongest cipher suite, and so this supported cipher is not used.
As such, there will never be any communication performed by the product using the weaker cipher suites, and this can be considered a 'false positive' in the automated detection of "supported" cipher suites - supported, yes -but used - no.
I hope that this can help explain why the automated scanner - which is deliberately trying to establish a connection with the DES cipher to see if it can - is reporting the false positive.
</quote>
Hope this helps others! -
How to change SSL ciphers on Oracle 9i?
Setup - Windows 2003, Oracle 9.2.0.8 with Apache 1.3
A vulnerability scan detected weak ciphers and an MD5 SSL certificate installed on the server. After looking around the server, the MD5 SSL certificate is the Oracle Demo CA that gets installed in ORACLE_HOME\Apache\conf\ssl.crt. This certificate is being used by the Oracle HTTP server. I need two things:
- Disable SSL 2.0 and enable SSL 3.0/TLS 1.0 on Oracle Apache HTTP server
- Delete the ssl.cert with MD5 and reissue with a stronger hashing method like SHA-256 or SHA-512.
Hi,
I am aware of the option of changing the current schema with the current_schema setting, but I never heard that one can change the database too. Some options that struck me immediately are
1) Connect with the same user to the other database with a different TNSnames entry.
2) Stay in the database and use Db links to connect to the other database.
Sorry never heard of this thing myself.
Aman.... -
Vulnerabilities in SSL Ciphers Suites Discovered - WCS bug CSCsx53619
Hi Guys,
There is a pending issue with WCS: when our audit scanned the WCS server running on Windows 2003, the HTTPS service was running with weak ciphers. I opened a case with Cisco and they provided me with bug ID CSCsx53619. WCS is currently using weak ciphers that need to be improved, and this needs to be escalated to the developers.
regards
Cesar
Hi Surendra,
Any target date of the release, like next month or Q1 of 2011.
Thanks
Cesar -
SSL/TLS ciphers of an SMA (M-series) appliance
So SMA does not include the sslconfig CLI command. We cannot reconfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. Once I got instructions from TAC support telling me that I must download the config file from the SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.30 and 8.3.5?
If we download the config file and make the changes, can we use the sslconfig CLI command and its VERIFY subcommand on an ESA appliance to verify that a planned cipher set would surely work in an SMA appliance? I think I might be interested in the cipher set
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also the spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. As a default, those SSL ciphers are set as:
<ssl>
<ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
<ssl_gui_method>sslv3tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
</ssl>
After fixing a locally downloaded config file and loading it back to the SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports and spam quarantine content safe, so that we will not lose anything? All we plan to change in the config file are the cipher settings.
Testing a SMA spam quarantine https service with Qualys Inc. SSL labs test service opened my eyes on this case:
https://www.ssllabs.com/ssltest/analyze.html
I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
[]> FIPS:-aNULL
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
-Robert -
Cisco IOS SSL VPN Not Working - Internet Explorer
Hi All,
I seem to be having a strange SSL VPN issue. I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7). Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage". It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens). It only seems to work with Firefox. It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
Below is the config snippet:
username vpntest password XXXXX
aaa authentication login default local
crypto pki trustpoint TP-self-signed-1873082433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1873082433
revocation-check none
rsakeypair TP-self-signed-1873082433
crypto pki certificate chain TP-self-signed-1873082433
certificate self-signed 01
--- omitted ---
quit
webvpn gateway SSLVPN
hostname Router
ip address X.X.X.X port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-1873082433
inservice
webvpn context SSLVPN
title "Blah Blah"
ssl authenticate verify all
login-message "Enter the magic words..."
port-forward "PortForwardList"
local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
policy group SSL-Policy
port-forward "PortForwardList" auto-download
default-group-policy SSL-Policy
gateway SSLVPN
max-users 3
inservice
I've tried:
*Enabling SSL 2.0 in IE
*Adding the site to the Trusted Sites in IE
*Adding it to the list of sites allowed to use Cookies
At a loss to figure this out. Has anyone else come across this before? Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
Thanks
Hi,
I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try. -
SSL Cipher changes in MS15-031 - Is RC4 killed or not?
Hi!
I'm a bit confused of the actual impact of installing MS15-031.
On the "workarounds" part of the kb article, MS presents a customer with a list of SSL Ciphers that can be manually imported to Computers,
to fix the FREAK issue. In this list, all RC4 ciphers are removed, as well as many others (like RSA/SHA1 based AES ciphers).
I installed the update kb3046049 on a test computer and sniffed the client hello packets, and to my surprise RC4 and SHA1/RSA ciphers are still there?
So is it so that the actual impact of kb3046049 is different than the impact of the suggested workaround?
How is the TLS handshake modified so that the downgrade no longer happens, or is the fix done simply by disallowing insecure ciphers?
In case the kb article just removes insecure ciphers, what ciphers does it remove, since the ones that are removed by the suggested workaround are still in use after applying the patch?
So I'm looking for a painfully detailed technical explanation. :)
Antti Laatikainen IT Security Manager Santen Europe
Hi Antti,
>>So is it so that the actual impact of the kb3046049 is different than the impact of the workaround suggested?
I can't find the official document about your question.
From my point of view, it's different.
In the workaround, the ciphers which may cause the vulnerability are disabled.
When we install the KB3046049, instead of disabling these ciphers, they are re-coded in the new Schannel.dll file to avoid the vulnerability.
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Securing CACAO - SSL cipher strength
Does anyone know if is possible to configure the SSL ciphers used by CACAO?
I've got the java web console configured (after a long painful trial and error process)
Is this even the right place to ask this question?
In /var/webconsole/domains/console/conf/server.xml find the relevant "Connector" object and add
cipher="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Found this instruction here:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1225
Edited by: Eleni on Feb 18, 2010 2:33 AM -
Hi all,
I'm new to MIDP and SSL, so this might be a dumb question.
Does MIDP 2.0 support the following SSL ciphers (I guess that is what they are):
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
I ask because I'm trying to connect to a server that uses these, and I keep getting an IOException from Connector.open(..)
Thanks in advance,
Sheado
Maybe I need to be more specific?
Here's my code:
SecureConnection c = (SecureConnection)Connector.open( "ssl://...:5001" );
Here's the exception I get:
java.io.IOException: Alert (2,40)
at com.sun.midp.ssl.Record.rdRec(+228)
at com.sun.midp.ssl.Handshake.getNextMsg(+17)
at com.sun.midp.ssl.Handshake.rcvSrvrHello(+5)
at com.sun.midp.ssl.Handshake.doHandShake(+29)
at com.sun.midp.ssl.SSLStreamConnection.<init>(+157)
at com.sun.midp.io.j2me.ssl.Protocol.openPrim(+218)
at javax.microedition.io.Connector.openPrim(+121)
at javax.microedition.io.Connector.open(+15)
at javax.microedition.io.Connector.open(+6)
at javax.microedition.io.Connector.open(+5)
at Practice.connect(+12)
at Practice.access$000(+4)
at Practice$1.run(+7)
Is this a bug? -
128-bit encryption is no longer a real security deal. There are known attacks on RC4 and there is a warning from NIST to no longer use it in new products.
Firefox uses an internal list of preferred cipher suites. Why does Firefox not request 256-bit encryption by default (AES and Camellia) and, in a second step, if negotiation with an outdated server fails, fall back to 128-bit encryption? I know the user can block 128-bit from about:config, but why is such an insecure and outdated SSL encryption option the default behaviour?
You can disable the 128-bit RC4 ciphers by setting the related security.ssl3.* prefs to false.
If you need to visit a server that only works with a 128-bit cipher suite then you can enable one or two 128-bit SSL ciphers.
Note that some servers host CSS files on such servers with older server software.
*security.ssl3.rsa_rc4_128_md5
*security.ssl3.rsa_rc4_128_sha
*http://kb.mozillazine.org/about:config -
Failing PCI Compliance Scan - SSL Weak...
Hello,
I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
I did some research and spent some time with Cisco Sales Chat, and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+?). The thread is at https://supportforums.cisco.com/thread./2060512
Question: What router/appliance should I use to be PCI compliant? There has to be something, we're talking about Cisco here.
Thank you in advance for your help,
Christophe
Threat ID: 126928
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Weak Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 126928
Information From Target:
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.
Details:
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Threat ID: 142873
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Medium Strength Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 142873
Information From Target:
Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Details:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Chris,
As I understand it, right now none of the Small Business routers are PCI compliant ever since PCI 3.0 was released. To overcome this, you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
Jason
I do believe the ASA5505 are PCI 3.0 Compliant.
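The Nessus findings above and Robert's sslconfig > verify listing earlier in this thread use the same field layout as `openssl ciphers -v` (name, optional protocol, Kx, Au, Enc, Mac, export flag). As an added example that is not code from any of these posts, the Python below parses either layout and buckets each suite by the thresholds the Nessus report itself states (low below 56 bits, medium below 112), and additionally flags export, anonymous (aNULL), MD5, RC4, 64-bit block and SSLv2 suites; the two sample listings are constructed from lines on this page, and the 64-bit-block check goes beyond the page's thresholds.

```python
import re
from collections import namedtuple
from typing import Dict, List, Optional

# Bare protocol line: Nessus prints one before each group of suites.
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.[0-3])?)$")
# One suite line. The protocol column is optional (Nessus omits it, `openssl ciphers -v`
# and the SMA "sslconfig > verify" output print it inline), as is the "export" flag.
LINE_RE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+(?:(?P<proto>SSLv2|SSLv3|TLSv1(?:\.[0-3])?)\s+)?"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?$")
ENC_RE = re.compile(r"^(?P<alg>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?")
# proto: inline column or, for Nessus, the group header; enc_bits: None if not listed.
Suite = namedtuple("Suite", "name proto kx au enc_alg enc_bits mac export")

def parse_listing(text: str) -> List[Suite]:
    """Parse a Nessus / `openssl ciphers -v` style listing; other lines are skipped."""
    suites, proto = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if PROTO_RE.match(line):
            proto = line
        elif m := LINE_RE.match(line):
            enc = ENC_RE.match(m["enc"])
            alg = enc["alg"] if enc else m["enc"]
            bits = 0 if alg.upper() == "NONE" else (int(enc["bits"]) if enc and enc["bits"] else None)
            suites.append(Suite(m["name"], m["proto"] or proto, m["kx"], m["au"],
                                alg, bits, m["mac"], bool(m["export"])))
    return suites

def effective_bits(s: Suite) -> Optional[int]:
    # Listings show 3DES as 168 bits; its effective strength is 112 bits.
    return 112 if s.enc_alg.upper() == "3DES" else s.enc_bits

def strength(s: Suite) -> str:
    """Bucket by the thresholds the Nessus report states: low < 56, medium < 112."""
    bits = effective_bits(s)
    if bits is None:
        return "unknown"
    return "null" if bits == 0 else "low" if bits < 56 else "medium" if bits < 112 else "high"

def findings(s: Suite) -> List[str]:
    st = strength(s)
    checks = [
        (st == "null", "no encryption (eNULL)"),
        (st == "unknown", "unknown key size"),
        (st in ("low", "medium"), f"{st} strength encryption ({effective_bits(s)}-bit)"),
        (s.export, "export-grade key exchange"),
        (s.au.upper() in ("NONE", "NULL"), "anonymous key exchange (aNULL)"),
        (s.mac.upper() == "MD5", "MD5 MAC"),
        (s.enc_alg.upper() == "RC4", "RC4 stream cipher"),
        (s.enc_alg.upper() in ("DES", "3DES", "RC2"), "64-bit block cipher (SWEET32)"),
        (s.proto == "SSLv2", "SSLv2"),
    ]
    return [msg for hit, msg in checks if hit]

def audit(text: str) -> Dict[str, List[str]]:
    """Map "name/protocol" to its findings, for every suite that has any."""
    report: Dict[str, List[str]] = {}
    for s in parse_listing(text):
        if f := findings(s):
            report[f"{s.name}/{s.proto}"] = f
    return report

# Constructed samples in the two layouts seen on the page (Nessus, then SMA).
SAMPLE_NESSUS = """\
Low Strength Ciphers (< 56-bit key)
SSLv2
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
"""
SAMPLE_SMA = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
"""
```

Feeding `audit()` the raw text of a scanner report, or the output of `openssl ciphers -v 'HIGH:MEDIUM:!mMD5'`, shows what a cipher string like the ones in the SAP profiles above actually leaves enabled.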