SSL Ciphers

Hi, I'm moving an application from Apache/CGI to WebLogic 9.2. I need to restrict the protocol and set of ciphers used by the server. That is, no null ciphers, no export ciphers, etc., only high ciphers. In Apache, I can do something similar to the following:
SSLProtocol -ALL SSLv3 TLSv1
SSLCipherSuite -ALL:AES256-SHA:AES128-SHA:DES-CBC3-SHA
How can I do the same in WebLogic 9.2?
When I use the ciphersuite element of the config.xml file via the SSL element, the server doesn't load, and it complains that I should use inbound/outbound validation certificates. When I specify weblogic.security.SSL.allowUnencryptedNullCipher=false, the log records that 23 default ciphersuites have been loaded. How can I control what the server loads? Thanks for any help.

It appears the method for configuring has changed:
Prior to 9.x:
<server>
  <name>MyServer</name>
  <ssl>
    <name>MyServer</name>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
    ...
  </ssl>
</server>

Similar Messages

  • Remote host supports the use of SSL ciphers that offer weak encryption

    Dear All,
    Our internal security audit suggests avoiding the use of weak SSL ciphers for our SAP PI 7.0 servers.
    We have followed SAP note 510007 - Setting up SSL on Web Application Server ABAP.
    As mentioned in point 6, we have added the parameter below in the instance profile of the application server and restarted our server, but the issue is still not resolved.
    ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
    Clients are accessing our PI server through SAP Web dispatcher.
    Kindly suggest the action to be taken to resolve the issue.
    Please find the below comment from Audit.
    The remote host supports the use of SSL ciphers that offer weak encryption.
    Note: This is considerably easier to exploit if the attacker is on the same physical network
    Regards,
    Lalitha.

    Hi Jim,
    The remote host is the PI(7.0) server.
    PI server profile
    FN_JSTART = jcontrol$(FT_EXE)
    ssl/ciphersuites = HIGH:MEDIUM:!mMD5
    jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) -exitcode %exitcode%
    login/accept_sso2_ticket = 1
    SAPSYSTEMNAME = APQ
    SAPSYSTEM = 00
    INSTANCE_NAME = DVEBMGS00
    DIR_CT_RUN = $(DIR_EXE_ROOT)/run
    DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
    jstartup/trimming_properties = off
    jstartup/protocol = on
    jstartup/vm/home = /opt/IBMJava2-amd64-142
    jstartup/max_caches = 500
    jstartup/release = 700
    jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)
    j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar
    PHYS_MEMSIZE = 512
    exe/saposcol = $(DIR_CT_RUN)/saposcol
    rdisp/wp_no_dia = 10
    rdisp/wp_no_btc = 3
    exe/icmbnd = $(DIR_CT_RUN)/icmbnd
    rdisp/j2ee_start_control = 1
    rdisp/j2ee_start = 1
    rdisp/j2ee_libpath = $(DIR_EXECUTABLE)
    exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)
    rdisp/j2ee_timeout = 1800
    rdisp/frfc_fallback = on
    icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
    icm/server_port_0 = PROT=HTTP,PORT=80$$
    # SAP Messaging Service parameters are set in the DEFAULT.PFL
    ms/server_port_0 = PROT=HTTP,PORT=81$$
    rdisp/wp_no_enq = 1
    rdisp/wp_no_vb = 1
    rdisp/wp_no_vb2 = 1
    rdisp/wp_no_spo = 1
    # Jcontrol: Migrated Profile Parameter
    #      create at Wed Mar 25 20:20:02 2009
    j2ee/instance_id = ID0079698
    Web dispatcher profile
    SAPSYSTEMNAME = WD0
    SAPSYSTEM = 00
    INSTANCE_NAME = W00
    DIR_CT_RUN = $(DIR_EXE_ROOT)/run
    DIR_EXECUTABLE = $(DIR_CT_RUN)
    wdisp/shm_attach_mode = 6
    # Accesssability of Message Server
    #rdisp/mshost = asapq00.b.com
    #ms/http_port = 8100
    #ms/https_port = 8101
    wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ
    # Configuration for medium scenario
    icm/max_conn               = 16350
    icm/max_sockets            = 32768
    wdisp/HTTPS/max_pooled_con = 16350
    icm/req_queue_len          = 8000
    icm/min_threads            = 100
    icm/max_threads            = 500
    mpi/total_size_MB          = 700
    mpi/buffer_size            = 32768
    mpi/max_pipes              = 21000
    wdisp/HTTP/max_pooled_con  = 8192
    wdisp/HTTPS/max_pooled_con = 8192
    # SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
    icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
    #icm/host_name_full= asapq00.b.com
    icm/host_name_full= qtyh2h.k.co.in
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt
    ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
    wdisp/HTTPS/dest_logon_group = PUBLIC
    wdisp/HTTPS/max_client_ip_entries = 100000
    wdisp/HTTPS/sticky_mask = 255.255.255.0
    #Additional Parameters
    wdisp/add_client_protocol_header = true
    wdisp/auto_refresh = 120
    wdisp/max_servers = 100
    wdisp/handle_webdisp_ap_header = 1
    #Registering SAP Web Dispatcher in the SLD
    #wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00
    #Parameter to avoid week SSL ciphers
    ssl/ciphersuites=HIGH:MEDIUM:!mMD5
    Regards,
    Lalitha

  • Weak SSL ciphers on Unity 5.0 server during a security scan

    Hello,
    We received information from our security team when they did a scan on our Unity server: "the remote host supports the use of SSL ciphers that offer weak encryption or no encryption at all". I have found some articles on the web (Microsoft) on editing the registry key so that nothing lower than 128 bit encryption is accepted. I am looking for a Cisco paper to agree or disagree with this... can anyone help?
    Thank you.

    So, this isn't an uncommon security alert when you have your system scanned.  One thing to keep in mind is the placement of your server and who/what it is accessed for.  In any case, you're not likely to find a Cisco doc that references this specifically.  Instead, if you really want to move forward with making the appropriate registry changes then you'll want to open a TAC case and find out if this is supported or not.  In terms of further info on your issue:
    There is a McAfee article about making websites more secure.  It is here:  http://www.codeproject.com/KB/aspnet/MakeWebsiteMcAfeeSecured.aspx
    Your alert is referenced as follows:
    Vulnerability Name:  Weak Supported SSL Ciphers Suites
    Description
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. This vulnerability is valid for all SSL/TLS sessions that are passing sensitive information.
    PCI defines strong cryptography, for secret key based systems, as anything above 80 bit encryption.
    Solution
    The solution to this is very simple but requires registry tweak again. Following are the steps:
    Click Start, click Run, type regedt32 or type regedit, and then click OK.
    In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
    Under the Cipher key, there are several Ciphers.
    Locate the ciphers which have encryption less than 128 bit.
    Create a DWORD value named Enabled with value 0 under each of them, just as in the previous case.
    For convenience, I have marked them with red arrows in the picture above.
    System Restart is NOT required for this.
    Now the server is secured.
    The above mentioned security issues are the major ones that most of the systems have. However other than this, there may be some easy and minor vulnerabilities like:
    Using robots.txt in the pages. (Generally inserted by Web Marketing team to track user hit).
    Directory Scanner: Common directories are revealed. This can be resolved by URL rewriting and setting “Directory Browsing” off.
    Note: For the above vulnerabilities, minor registry tweaks will be necessary. So it is strongly recommended to back up the registry before doing anything. By any chance if something gets messed up, just delete the SCHANNEL key and restart the machine, the key will be auto-generated.
    Hailey
    Please rate helpful posts!

  • How To Restrict SSL Ciphers for iCal and Address Book

    Does anyone know how to set the allowed SSL ciphers for the Address Book and iCal services on Snow Leopard Server?

    Hi,
    There's a dedicated forum for Server customers.
    Good luck,
    S.

  • SSL ciphers and algorithms

    Hello experts,
    I have a fundamental SSL question - what I want to know is whether the ciphers and algorithms mentioned in certificates are used in SSL communication or not? For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection. At what stage, which one of these from the certificate is used? Or is it that the SSL negotiation does not involve these algos and only selects from what the platform supports?

    >>For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection.
    The certificate's own signature is checked on receipt, and the server sends another digital signature signed with its own private key which is also verified by the client, which proves that the server really owns that certificate. After that, the two sides negotiate a symmetric session key. Under some cipher suites that negotiation can also involve the server certificate. Once the session key is established the certificates and their algorithms and key types play no further role.
    As it says in RFC 2246.

  • Securing DSEE - configuring CACAO SSL ciphers?

    Is there -any- possible way to set the SSL cipher suites that cacao uses? I've tried nearly everything I can think of, and no matter what it does not make a difference.
    I've already managed to get the actual LDAP SSL port running on high strength ciphers, the Java webconsole (port 6789) on high strength ciphers.. the only thing left is cacao on ports 11163, and 11164 (commandstream and the RMI registry)
    Anyone?

    Just an update, opened a ticket and got this response.
    <quote>
    Cacao uses the default set of ciphers offered by the Java Virtual Machine for TLSv3, as per the standard, which means that it supports a list of ciphers, the weakest of which is DES which is what triggers the scanner's alert.
    Whilst it therefore supports the weaker encryption for clients that specifically request it, the Java client libraries also use the same set of ciphers offered by the Java Virtual Machine, TLSv3 negotiation always chooses the strongest cipher suite, and so this supported cipher is not used.
    As such, there will never be any communication performed by the product using the weaker cipher suites, and this can be considered a 'false positive' in the automated detection of "supported" cipher suites - supported, yes -but used - no.
    I hope that this can help explain why the automated scanner - which is deliberately trying to establish a connection with the DES cipher to see if it can - is reporting the false positive.
    </quote>
    Hope this helps others!

  • How to change SSL ciphers on Oracle 9i?

    Setup - Windows 2003, Oracle 9.2.0.8 with Apache 1.3
    A vulnerability scan detected weak ciphers and an MD5 SSL certificate installed on the server. After looking around the server, the MD5 SSL certificate is the Oracle Demo CA that gets installed in ORACLE_HOME\Apache\conf\ssl.crt. This certificate is being used by the Oracle HTTP server. I need two things -
    - Disable SSL 2.0 and enable SSL 3.0/TLS 1.0 on Oracle Apache HTTP server
    - Delete the ssl.cert with MD5 and reissue with a stronger hashing method like SHA-256, SHA-512.

    Hi,
    I am aware of the option of changing the current schema with the current_schema setting, but I have never heard that one can change the database too. Some options that struck me immediately are
    1) Connect with the same user to the other database with a different TNSnames entry.
    2) Stay in the database and use Db links to connect to the other database.
    Sorry never heard of this thing myself.
    Aman....

  • Vulnerabilities in SSL Ciphers Suites Discovered - WCS bug CSCsx53619

    Hi Guys,
    There is a pending issue with WCS: when our audit scans the WCS server running on Windows 2003, the HTTPS service is running with weak ciphers. I opened a case with Cisco and they provided bug ID CSCsx53619. WCS is currently using weak ciphers that need to be improved, and this needs to be escalated to the developer.
    regards
    Cesar

    Hi Surendra,
    Any target date of the release, like next month or Q1 of 2011.
    Thanks
    Cesar

  • SSL/TLS ciphers of an SMA (M-series) appliance

    So SMA does not include the sslconfig CLI command. We cannot reconfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. I once got instructions from TAC support telling me that I must download the config file from the SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.3.0 and 8.3.5?
    If we download the config file and make the changes, can we use the sslconfig CLI command and its VERIFY subcommand on an ESA appliance to verify that a planned cipher set would surely work in an SMA appliance? I think I might be interested in the cipher set
    MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
    Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also the spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. By default, those SSL ciphers are set as:
      <ssl>
        <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
        <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
        <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
        <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
        <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
        <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
      </ssl>
    After fixing a locally downloaded config file and loading it back to the SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports and spam quarantine content safe, so that we will not lose anything? All we plan to change in the config file are the cipher settings.
    Testing an SMA spam quarantine HTTPS service with the Qualys SSL Labs test service opened my eyes on this case:
    https://www.ssllabs.com/ssltest/analyze.html

    I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow-up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
    []> FIPS:-aNULL
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
    -Robert

  • Cisco IOS SSL VPN Not Working - Internet Explorer

    Hi All,
    I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
    Below is the config snippet:
    username vpntest password XXXXX
    aaa authentication login default local
    crypto pki trustpoint TP-self-signed-1873082433
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1873082433
    revocation-check none
    rsakeypair TP-self-signed-1873082433
    crypto pki certificate chain TP-self-signed-1873082433
    certificate self-signed 01
    --- omitted ---
            quit
    webvpn gateway SSLVPN
    hostname Router
    ip address X.X.X.X port 443 
    ssl encryption aes-sha1
    ssl trustpoint TP-self-signed-1873082433
    inservice
    webvpn context SSLVPN
    title "Blah Blah"
    ssl authenticate verify all
    login-message "Enter the magic words..."
    port-forward "PortForwardList"
       local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
    policy group SSL-Policy
       port-forward "PortForwardList" auto-download
    default-group-policy SSL-Policy
    gateway SSLVPN
    max-users 3
    inservice
    I've tried:
    *Enabling SSL 2.0 in IE
    *Adding the site to the Trusted Sites in IE
    *Adding it to the list of sites allowed to use Cookies
    At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
    Thanks

    Hi,
    I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
    Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

  • SSL Cipher changes in MS15-031 - Is RC4 killed or not?

    Hi!
    I'm a bit confused of the actual impact of installing MS15-031.
    On the "workarounds" part of the kb article, MS presents a customer with a list of SSL Ciphers that can be manually imported to Computers,
    to fix the FREAK issue. In this list, all RC4 ciphers are removed, as well as many others (like RSA/SHA1 based AES ciphers).
    I installed the update KB3046049 on a test computer and sniffed the client hello packets, and to my surprise RC4 and SHA1/RSA ciphers are still there?
    So is it so that the actual impact of KB3046049 is different from the impact of the suggested workaround?
    How is the TLS handshake modified so that the downgrade no longer happens, or is the fix done simply by disallowing insecure ciphers?
    In case the KB article just removes insecure ciphers, what ciphers does it remove, since the ones that are removed by the suggested workaround are still in use after applying the patch?
    So I'm looking for a painfully detailed technical explanation. :)
    Antti Laatikainen IT Security Manager Santen Europe

    Hi Antti,
    >>So is it so that the actual impact of the kb3046049 is different than the impact of the workaround suggested?
    I can't find the official document about your question.
    From my point of view, it's different.
    In the workaround, the ciphers which may cause the vulnerability are disabled.
    When we install the KB3046049, instead of disabling these ciphers, they are re-coded in the new Schannel.dll file to avoid the vulnerability.
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Securing CACAO - SSL cipher strength

    Does anyone know if is possible to configure the SSL ciphers used by CACAO?
    I've got the java web console configured (after a long painful trial and error process)
    Is this even the right place to ask this question?

    In /var/webconsole/domains/console/conf/server.xml find the relevant "Connector" object and add
    cipher="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    Found this instruction here:
    https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1225
    Edited by: Eleni on Feb 18, 2010 2:33 AM

  • Midp2.0 ssl

    Hi all,
    i'm new to MIDP and SSL, so this might be a dumb question.
    Does MIDP 2.0 support the following SSL ciphers (i guess is what they are):
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    i ask because i'm trying to connect to a server that uses these, and i keep getting an IOException from Connector.open(..)
    Thanks in advance,
    Sheado

    maybe I need to be more specific?
    here's my code:
    SecureConnection c = (SecureConnection)Connector.open( "ssl://...:5001" );
    here's the exception i get:
    java.io.IOException: Alert (2,40)
         at com.sun.midp.ssl.Record.rdRec(+228)
         at com.sun.midp.ssl.Handshake.getNextMsg(+17)
         at com.sun.midp.ssl.Handshake.rcvSrvrHello(+5)
         at com.sun.midp.ssl.Handshake.doHandShake(+29)
         at com.sun.midp.ssl.SSLStreamConnection.<init>(+157)
         at com.sun.midp.io.j2me.ssl.Protocol.openPrim(+218)
         at javax.microedition.io.Connector.openPrim(+121)
         at javax.microedition.io.Connector.open(+15)
         at javax.microedition.io.Connector.open(+6)
         at javax.microedition.io.Connector.open(+5)
         at Practice.connect(+12)
         at Practice.access$000(+4)
         at Practice$1.run(+7)
    is this a bug?

  • Why is firefox using the (presumably broken) RC4 128bit SSL encryption as highest priority default encryption?

    128 bit encryption is no longer a real security deal. There are known attacks on RC4 and there is a warning from NIST to no longer use it in a new product.
    Firefox uses an internal list of preferred cipher suites. Why does Firefox not request 256 bit encryption (AES and Camellia) by default and, in a second step, if negotiation with an outdated server fails, fall back to 128 bit encryption? I know the user can block 128 bit from about:config, but why is such an insecure and outdated SSL encryption option the default behaviour?

    You can disable the 128 bit RC4 ciphers by setting the related security.ssl3.* prefs to false.
    If you need to visit a server that only works with a 128 bit cipher suite then you can enable one or two 128 bit SSL ciphers.
    Note that some servers host CSS files on such servers with older server software.
    *security.ssl3.rsa_rc4_128_md5
    *security.ssl3.rsa_rc4_128_sha
    *http://kb.mozillazine.org/about:config

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? There has to be something; we're talking Cisco here.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Chris,
    As I understand it, right now none of the Small Business routers are PCI compliant, ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505 are PCI 3.0 Compliant.
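Both the sslconfig > verify output in the SMA thread and the Nessus findings above print cipher suites in the `openssl ciphers -v` layout (name, protocol, Kx=, Au=, Enc=, Mac=, export flag). The following is an added example, not code from any of the posts, vendors or scanners quoted on this page: it classifies such lines with the key-length thresholds the Nessus output states, and expands a candidate OpenSSL cipher string through the local OpenSSL library so the string can be vetted before it is pasted into an appliance or web-server configuration. The sample lines and the HARDENED string are constructed for illustration; the string is an assumption, not a vendor recommendation.

```python
import re
import ssl

# Constructed sample lines in the "openssl ciphers -v" layout used by both
# the sslconfig > verify output and the Nessus findings quoted on this page.
SAMPLE_LINES = [
    "EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export",
    "DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1",
    "NULL-SHA                   SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1",
    "DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1",
]

# Enc=<algorithm>(<bits>); the bit count is absent only for Enc=None.
_ENC_RE = re.compile(r"Enc=([^\s(]+)(?:\((\d+)\))?")


def classify(line):
    """Rate one cipher description line with the thresholds the Nessus output
    on this page uses: null (no encryption), low (< 56-bit key or an export
    suite), medium (56..111 bits) or strong (>= 112 bits).

    3DES is reported as Enc=3DES(168) and therefore lands in 'strong' here,
    as it did in the page's scan results; current scanners rate it medium
    because its effective strength is 112 bits, so it is excluded by name in
    HARDENED below rather than relied on here.
    """
    m = _ENC_RE.search(line)
    if m is None:
        raise ValueError("no Enc= field in cipher line: %r" % line)
    algo, bits = m.group(1), m.group(2)
    if algo == "None":
        return "null"
    bits = int(bits) if bits else 0
    if "export" in line.split() or bits < 56:
        return "low"
    if bits < 112:
        return "medium"
    return "strong"


def resolve_cipher_string(spec):
    """Expand an OpenSSL cipher string with the local OpenSSL library, the
    same check that sslconfig > verify performs on the appliance. Raises
    ssl.SSLError when nothing matches. Each returned dict carries the suite
    name, the protocol and the 'openssl ciphers -v' style description."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def audit(spec):
    """Return the names of every suite in `spec` that is not rated strong.
    An empty list means the string can be deployed as written."""
    return [c["name"] for c in resolve_cipher_string(spec)
            if classify(c["description"]) != "strong"]


# Hypothetical hardened string (an assumption for this example): HIGH and
# MEDIUM suites, minus anonymous key exchange, null encryption, RC4, MD5 MACs
# and 3DES, sorted strongest first. Only keywords present in OpenSSL 1.1.1
# and 3.x are used.
HARDENED = "HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!MD5:!3DES:@STRENGTH"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("%-8s %s" % (classify(line), line.split()[0]))
    for c in resolve_cipher_string(HARDENED):
        print("%-32s %-8s %s" % (c["name"], c["protocol"], classify(c["description"])))
    print("not strong:", audit(HARDENED))
```

Because resolve_cipher_string asks the OpenSSL build that is actually installed, the expansion can differ between the workstation and the appliance; run it on a host with the same OpenSSL version where possible, and treat audit returning anything other than an empty list as a reason to tighten the string before uploading the configuration.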
