WSMAN CredSSP TLS 1.2 support and cipher suites

Hi all,
The protocol document [MS-CSSP] explains the first base64 encoded token send in the authenticate from the client to the server is a TLS Client Hello. The response is a ServerHello.
The diagram in section 4 'Protocol Examples' of the document indicates the ServerHello has a cipher suite of TLS_RSA_WITH_RC_128_SHA. The TLS version and cipher suites are not mentioned anywhere else in the document.
So lets take a look a network packet capture of a CredSSP authentication between a winrm.exe client and a Windows 2008 R2 server. I have base64 decoded the contents of the CredSSP Authorization headers,
The ClientHello bytes (without the extensions) send by my client are:
16 03 01 00 6B 01 00 00  67 03 01 54 DB 64 77 22 
A2 1C A3 23 93 61 3B 00  1B DE 1C 6D 42 34 94 8D 
1D 44 2C 64 8B 42 AC 41  B4 E2 DE 00 00 14 00 2F 
00 35 00 0A C0 13 C0 14  C0 09 C0 0A 00 32 00 38 
00 13 01 00 00 2A FF 01  00 01 00 00 00 00 11 00 
0F 00 00 0C
Decoding this we can see that this is TLS 1.0 {03, 01}, taking a look at the ciphers we have:
TLS_RSA_WITH_AES_128_CBC_SHA 0x00 0x2F
TLS_RSA_WITH_AES_256_CBC_SHA 0x00 0x35
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00,0x0A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0,0x13
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0,0x14
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC0,0x09
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC0,0x0A
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x00,0x32
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x00,0x38
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x00,0x13
Now lets look at the ServerHello (without the extensions)
16 03 01 02 3C 02 00 00  4D 03 01 54 DB 64 78 73 
92 C6 86 A3 F8 FF 3D D4  36 77 C0 FC 80 61 3F 4D 
8C BC 60 CD BC 4D B1 1C  4A CF 0A 20 DA 14 00 00 
38 11 DB C9 1C D0 8C 76  E7 A0 B9 F7 A5 D4 94 DF 
8B 83 38 B3 FF EB AA 65  EB 23 03 0A 00 2F 00 00 
05 FF 01 00 01 00 0B 00  01 E3 00 01 E0 00 01 DD 
30 82 01 D9 30 82 01 42  A0 03 02 01 02 02 10 44 
56 23 69 44 ED 93 85 43  DF B8 DF E3 75 DC A7 30 
0D 06 09 2A 86 48 86 F7  0D 01 01 05 05 00 30 2B 
31 29 30 27 06 03 55 04  03 13 20 
The server responds with TLS 1.0 and selected cipher (0x00 0x2F)
TLS_RSA_WITH_AES_128_CBC_SHA
Based on this I created a WSMan CredSSP client using Python and OpenSSL and configured it to use TLS 1.2. I found the Windows server always responded with TLS 1.0. So, I configured my OpenSSL client for TLS 1.0 and set the cipherlist to AES128-SHA (like winrs.exe).
The CredSSP TLS handshake completes, but the first ASN.1 encoded TSRequest token (containing an NTLM negotiate token) is rejected. However, if my openssl cipherlist is set to RC4, the TSRequest token is accepted and authentication is successful.
This raises several questions:
1. Despite sending a TLS 1.2 ClientHello the WSMan CredSSP Server always responded with TLS 1.0 ServerHello. A number of security experts consider this version effectivly broken. Does CredSSP support TLS 1.2?
2. I can authenticate with CredSSP using openssl 'RC4' cipher suites - but not with AES128-SHA suites. Are suites besides RC4 supported (winrs.exe appears to use AES).
Thanks
Ian

Forum Update:
I can now answer my 2nd question. The reason CredSSP is rejecting my TSRequest token when using AES128-SHA is because this ciphersuite is using CBC.
Some years ago OpenSSL added empty fragments to SSLv3 and TLS 1.0 packets to address a potential security vulnerability. These empty fragments are not compatible with Microsofts SChannel implementation so Windows is unable to decrypt the data. OpenSSL added
a compatibility flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (0x00000800L) that must be set in the openssl client's context options to address this issue with Microsofts implementation. Once I set this option my python openssl client successfully authenticated
with a Windows 2012 R2 server using ECDHE-RSA-AES256-SHA - much better.
Question 1 is still unanswered. Is TLS 1.2 with CredSSP supported?

Similar Messages

  • SSL and TLS Cipher Suites

    Hello,
    I am tying to use the SSLContext class in a nonblocking IO application with "TLS" protocol in Server mode.
    I am seeing a "no cipher suites in common" error message during the handshake.
    The Client is requesting for "TLS_RSA_WITH_RC4_128_MD5" but this cipher is not available (verified from the list returned by SSLEngine.getSupportedCipherSuites()).
    I have the following questions.
    1> Are SSL_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_MD5 the same?
    2>Is it possible for me to register TLS_RSA_WITH_RC4_128_MD5 as an alias for SSL_RSA_WITH_RC4_128_MD5?
    3> How can I get the Server to recognize TLS_RSA_WITH_RC4_128_MD5?
    Thanks,
    arun.

    Hello,
    I am tying to use the SSLContext class in
    a nonblocking IO application with "TLS" protocol in
    Server mode.
    I am seeing a "no cipher suites in common" error
    message during the handshake.
    The Client is requesting for
    "TLS_RSA_WITH_RC4_128_MD5" but this cipher is not
    available (verified from the list returned by
    SSLEngine.getSupportedCipherSuites()).
    I have the following questions.
    1> Are SSL_RSA_WITH_RC4_128_MD5 and
    TLS_RSA_WITH_RC4_128_MD5 the same?Yes
    2>Is it possible for me to register
    TLS_RSA_WITH_RC4_128_MD5 as an alias for
    SSL_RSA_WITH_RC4_128_MD5?Shouldn't be necessary, as they are compared by RFC2246 value, not by name.
    3> How can I get the Server to recognize
    TLS_RSA_WITH_RC4_128_MD5?Do the client and server both create their SSLContexts with "TLS". Do either of them modify the enabled cipher suites? Does the server have an RSA certificate?

  • Schannel cipher suites and ChaCha20

    Is there a blog or other communications channel devoted to the PKI internals of Windows? Most security researchers focus on Linux web servers/OpenSSL, but there are folks in the Windows world who really care about this stuff too, and we'd like to hear
    about what the Windows PKI developers are working on and planning, and perhaps interact with comments and suggestions.
    Because I couldn't find any discussion about Schannel development, I started a
    feature suggestion on the Windows User Voice site for Microsoft to add ChaCha20-Poly1305 cipher suites to Schannel, mostly for the benefit of mobile visitors to IIS websites, but also to help Windows phones and tablets that don't have integrated CPU extensions
    for GCM encryption (improved speed and reduced power consumption).
    It's frustrating to be a security-focused IIS website administrator. Schannel is a "black box" that we can't tinker with or extend ourselves, and support for modern ciphers has been lagging behind other website and client software (it looks like we'll
    at least finally get strong and forward secret ECDHE_RSA + AES + GCM suites with Windows 10 and Server vNext/2016). The methods for configuring cipher suite orders and TLS versions could really use a rethink too (thank goodness for IISCrypto).

    Hi Jamie_E,
    May the following article can help you,
    Cipher Suites in Schannel
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx
    Managing SSL for a Client Access Server
    http://technet.microsoft.com/en-us/library/bb310795.aspx
    Configuring Secure Sockets Layer in IIS 7
    http://technet.microsoft.com/en-us/library/cc771438(WS.10).aspx
    How to enable Schannel event logging in IIS
    https://vkbexternal.partners.extranet.microsoft.com/VKBWeb/?portalId=1#
    How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
    http://support.microsoft.com/kb/245030/EN-US
    I’m glad to be of help to you!
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • How to locate and configure SSL cipher suites

    hi all,
    i wanted to knw how Ciphersuites that are used in SSL Connections are picked up by the JVM or whoever is responsible for establishing the connection at lower level. I mean there are methods in SSLSocketFactory, HttpsURLConnection named getEnabledCipherSuites(). I was just wondering where these default cipher suites are picked up. Is there any configuration file or some setting where we can add our own cipher suite to the list?
    Please advice.
    Thanks in advance :)
    Arun

    hi,
    As already we have discussed this, we can set the ciphersuite used in the SSLConnection using SSLSocket.setEnabledCIpherSuite() function only. And getSupportedCipherSuites() function returns the list of cipher suites that are supported by the connection.
    But i want to set ciphersuite in SSLConnection using HttpsURLConnection. Under this class (HttpsURLConnection) there is no such method where u can specify the ciphersuite.
    So i am trying to find out when an SSL connection is setup from where does the JVM loads the cipher suites? I checked the All the basic classes in javax.net.ssl package and all contain the methods as abstract. So if anybody has any idea regarding where these supported cipher suites are located in jdk please let me knw.
    Thanks in advance :)
    Arun

  • TLS fails - no cipher suites in common

    When I enable TLS on the instant messaging server, I can't connect to it using TLS. I am using a self signed cert. Do I need to put the certificate authority in the JKS?
    steve
    Version
    [15 Apr 2010 13:46:00,927] INFO xmppd [main] Starting XMPP Server: Version 8.0
    Patch: 139893-02
    iim.conf
    ! tls configuration
    iim_server.sslkeystore=/etc/opt/SUNWiim/default/config/im.jks
    iim_server.keystorepasswordfile=/etc/opt/SUNWiim/default/config/sslpassword.conf
    iim_server.requiressl=false
    iim_server.trust_all_cert=true
    iim_server.certnickname=im.uwo.ca
    # keytool -list -V -keystore im.jks
    Enter keystore password: Mu51cdi3
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: im.uwo.ca
    Creation date: Apr 15, 2010
    Entry type: trustedCertEntry
    Owner: [email protected], CN=im.uwo.ca, OU=ITS, O=The University of Western Ontario, L=London, ST=Ontario, C=CA
    Issuer: [email protected], CN=UWO Certificate Authority, OU=Information Technology Services, O=The University of Western Ontario, L=London, ST=Ontario, C=CA
    Serial number: 13a
    Valid from: Thu Apr 15 09:05:42 EDT 2010 until: Fri Apr 15 09:05:42 EDT 2011
    Certificate fingerprints:
    MD5: FB:21:99:37:29:45:8C:B6:B1:55:0B:61:5B:93:28:FE
    SHA1: 4D:3B:24:72:D5:CB:2D:AA:D7:7F:6B:E6:3B:F1:DB:31:5F:64:FB:6B
    [15 Apr 2010 13:46:55,767] DEBUG xmppd [default-iim_server-worker 2] last read count 51
    [15 Apr 2010 13:46:55,770] DEBUG xmppd.xfer [default-iim_server-worker 2] [null] Received:<starttls xmlns='urn:ietf:par
    ams:xml:ns:xmpp-tls' xml:lang='en'/>
    [15 Apr 2010 13:46:55,770] DEBUG xmppd [default-iim_server-worker 2] [ClientPacketDispatcher] StartTLS Packet detected
    [15 Apr 2010 13:46:55,771] DEBUG xmppd [default-iim_server-worker 2] Session[null] Starting TLS nego : false, null
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] [SecureByteChannel] TLS started for channel id : 2
    com.iplanet.im.server.io.MuxChannel@107108e
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] last read count 0
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] Session[null] processed input
    [15 Apr 2010 13:46:55,776] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint finished process()
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint started process()
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint[null] processing input
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] last read count 0
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] Session[null] processed input
    [15 Apr 2010 13:46:55,777] DEBUG xmppd [default-iim_server-worker 2] ConnectedStreamEndPoint finished process()
    [15 Apr 2010 13:46:55,782] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint started process()
    [15 Apr 2010 13:46:55,782] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint[null] processing input
    [15 Apr 2010 13:46:55,782] DEBUG xmppd [default-iim_server-worker 0] last read count 90
    [15 Apr 2010 13:46:55,783] DEBUG xmppd [default-iim_server-worker 0] Session[null] processed input
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint finished process()
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint started process()
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint[null] processing input
    [15 Apr 2010 13:46:55,784] DEBUG xmppd [default-iim_server-worker 0] last read count 0
    [15 Apr 2010 13:46:55,789] DEBUG xmppd [default-iim_server-worker 2] sslEngine closed
    java.io.EOFException: sslEngine closed
    at com.iplanet.im.common.ssl.SecureServerByteChannel.handleResult(SecureServerByteChannel.java:338)
    at com.iplanet.im.common.ssl.SecureServerByteChannel.write(SecureServerByteChannel.java:244)
    at com.iplanet.im.common.ssl.SecureServerByteChannel.handleHandshakeResult(SecureServerByteChannel.java:404)
    at com.iplanet.im.common.ssl.SecureServerByteChannel.access$300(SecureServerByteChannel.java:27)
    at com.iplanet.im.common.ssl.SecureServerByteChannel$2.run(SecureServerByteChannel.java:391)
    at org.netbeans.lib.collab.util.Worker.run(Worker.java:244)
    at java.lang.Thread.run(Thread.java:619)
    [15 Apr 2010 13:46:55,792] DEBUG xmppd [default-iim_server-worker 2] [hsep]removing xmlns from packet ...
    [15 Apr 2010 13:46:55,793] DEBUG xmppd [default-iim_server-worker 0] Sending CMD_CLOSE for channel: 2
    [15 Apr 2010 13:46:55,793] INFO xmppd [default-iim_server-worker 0] MuxChannel.close() Server Closing client for chann
    el : 2,null
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] outbound status changed from opened
    to disconnected
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] inbound status changed from opened t
    o disconnected
    [15 Apr 2010 13:46:55,794] INFO xmppd [default-iim_server-worker 0] session.close() nullcloseStream false
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] [CSEP]null closeImpl
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] [CSEP] null closeSASLProvider
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] closed
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Removed connectionId : gz5im1.its.uwo.pri:7, this
    : jid : nullcom.iplanet.im.server.ConnectedStreamEndPoint@1198ff2 , jid : null
    [15 Apr 2010 13:46:55,794] DEBUG xmppd [default-iim_server-worker 0] Session[null] leaveAllGroupChats
    [15 Apr 2010 13:46:55,795] DEBUG xmppd [default-iim_server-worker 0] RouterEndPoint[null [18452466]] removed all listen
    ers. STAT:numEndPointListener=0
    [15 Apr 2010 13:46:55,795] DEBUG xmppd [default-iim_server-worker 0] no cipher suites in common
    org.jabberstudio.jso.StreamException: no cipher suites in common
    at net.outer_planes.jso.AbstractStream.process(AbstractStream.java:1179)
    at com.iplanet.im.server.ConnectedStreamEndPoint.process(ConnectedStreamEndPoint.java:356)
    at com.iplanet.im.server.ConnectedStreamEndPoint.dataAvailable(ConnectedStreamEndPoint.java:312)
    at com.iplanet.im.server.io.MuxChannel$MuxReadRunnable.run(MuxChannel.java:452)
    at org.netbeans.lib.collab.util.Worker.run(Worker.java:244)
    at java.lang.Thread.run(Thread.java:619)
    [15 Apr 2010 13:46:55,797] DEBUG xmppd [default-iim_server-worker 0] ConnectedStreamEndPoint finished process()

    [email protected] wrote:
    When I enable TLS on the instant messaging server, I can't connect to it using TLS.What client are you using to connect to the IM Server and what platform is it running on?
    I am using a self signed cert. Do I need to put the certificate authority in the JKS? Not as far as I can tell.
    I used the self-signed cert from Messaging Server (./msgcert generate-certDB) and the steps provided at http://forums.sun.com/thread.jspa?messageID=10971294#10971294 and TLS worked fine with the same version as you are running.
    I was testing with Pidgin 2.6.2 on Ubuntu 9.10.
    Do you see:
    [16 Apr 2010 16:13:03,421] INFO  xmppd [main] SSL initialized - using JKSThe keytool output from my test system is below:
    bash-3.00# keytool -list -V -keystore server-keystore.jks
    Enter keystore password:  password
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: server-cert
    Creation date: 16/04/2010
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=mumble.aus.sun.com
    Issuer: CN=mumble.aus.sun.com
    Serial number: 90509a40
    Valid from: Wed Mar 24 16:01:17 EST 2010 until: Thu Jun 24 15:01:17 EST 2010
    Certificate fingerprints:
             MD5:  8C:8D:67:03:2C:4C:64:B6:73:45:94:36:FA:D6:CE:4C
             SHA1: B8:3E:F3:F0:D9:0C:B9:16:2F:82:3A:22:C6:1D:62:B3:90:18:02:34
    *******************************************Regards,
    Shane.

  • How to specify a cipher suit used between plugin and weblogic server?

    I install Weblogic8.1 SP3 which supports for strong cipher suits, and config an apache 2.50 server as an front end.
    I config appache to use 2 way SSL with browser and wls one way SSL with apache plugin. Then config apache to forward client certs to WLS. now the problem is, I can see that the SSL connection between browser and apache uses a strong cipher suit('SSL_RSA_WITH_RC4_128_MD5'), but the ssl connection bwtween apache plugin and WLS uses a weak cipher suit('SSL_RSA_EXPORT_WITH_RC4_40_MD5'), with the SnoopServlet, although I use the mod_wl128_20.so module. How can I increase the cipher strength of SSL between WLS and it's apache plugin?
    Thanks in advance.
    Best
    Regards
    Jean

    Hello Gunaseelan,
    This is not possible because WLS 6.1 needs a config.xml file, exactly this
    name, to start.
    What you can do is to define a recovery domain, called myrecovery_domain for
    instance, and put the config_recovery.xml, renamed "config.xml".
    Hope this helps,
    Ludovic.
    Developer Relations Engineer
    BEA Support.
    "Gunaseelan Venkateswaran" <[email protected]> a écrit dans le message
    news: 3cd6a324$[email protected]..
    >
    Hi,
    I have 2 weblogic startup scripts (startWebLogic.sh and
    startWebLogic_recovery.sh) for the same domain.
    startWebLogic.sh uses config.xml file.
    I would like to use config_recovery.xml as the configuration file forstartWebLogic_recovery.sh
    >
    >
    How would I do this ?
    I am using WebLogic Server 6.1 on SunOS 5.8 / HP-UX 11.0.
    Appreciate any help.
    Regards
    Gunaseelan Venkateswaran

  • EAP-TLS for Wireless network and PEAP for wired network

    Hello,
    it is possible to use EAP-TLS for Wireless network and PEAP for wired network on the same laptop (Windows 7).
    Thank you in advance.
    Thibault

    Yes, this is possible. You just need to properly configure each interface to use the EAP type you want.
    HTH,
    Steve
    Sent from Cisco Technical Support iPad App

  • Weak cipher suites supported on WCS port 8082

    Hi
    Port 8082 is used for health monitoring in WCS, a web service is running on this port so we can login via web and check the status.
    I would like to know, is there a way to limit the cipher suite supported on this port? For port 443, this can be done by modify the Apache configuration file, however this doesn't work for 8082. The version is 5.2.148.0.
    Thanks and Regars,
    Leo

    Hi ,
    "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
    CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
    Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
    Prime Infrastructure 2.2.which is planned to be released around the end of this year ( tentative)
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • Supported Cipher  suites.

    Hi All,
    I am successfully communicating with the server using HTTPS with HttpsConnection from my J2ME Midlet. I am using APACHE as HTTP Server. However, the best cipher suite negutiated between the device and the server used by HTTPS was DES-CBC3-SHA. As you can see, it uses DES, which is not quite as secure as AES.However despite a lot of effort, i am just not able to get it to use an AES cipher suite. Is AES part of any supported cipher suite by MIDP? If not, can anyone tell me how i can enumeration the cipher suites supported on the MIDLet?
    Thanks in advance
    Edited by: AUTOMATON on Sep 14, 2007 3:38 AM

    @superena,
    Thanks for the links, but they actually dont give me the info I need. What I want to do is to find out how many SSL cipher suites are supported by J2ME. I mean if there is a list somewhere, of if i can write a program that can enumerate them for me..

  • Cisco Prime Infrastucture vulnerability SSL RC4 Cipher Suites Supported

    Hi All,
    I have a question on how to disable RC4 Cipher Suites Supported on Cisco Prime Infrastructure Platform.
    My Client have use Nessus Software to scan on prime. and found on below vulnerability
    SSL RC4 Cipher Suites Supported
    Cisco prime infrastructure deploy on latest 2.1
    we have gain the root access and modifier the ssl.conf and restart the service also unable to solve.
    /opt/CSCOlumos/httpd/ssl/backup/ssl.conf
    /opt/CSCOlumos/httpd/ssl/ssl.conf
    C:\Program Files\Tenable\Nessus>nessuscmd -v -p 443 -i 21643 192.168.1.55
    Starting nessuscmd 5.2.7
    Scanning '192.168.1.55'...
    Host 192.168.1.55 is up
    Discovered open port https (443/tcp) on 192.168.1.55
    [i] Plugin 21643 reported a result on port https (443/tcp) of 192.168.1.55
    + Results found on 192.168.1.55 :
       - Port https (443/tcp) is open
         [i] Plugin ID 21643
          | Here is the list of SSL ciphers supported by the remote server :
          | Each group is reported per SSL Version.
          | SSL Version : TLSv1
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=SHA1
          |
          | SSL Version : SSLv3
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |   High Strength Ciphers (>= 112-bit key)
          |       EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES(
          | 68)            Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=SHA1
          | The fields above are :

    Hi ,
    "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
    CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
    Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
    Prime Infrastructure 2.2.which is planned to be released around the end of this year ( tentative)
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • SSL Medium Strength Cipher Suites Supported vulnerability

    Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys.  Here is the text of the vulnerability :
    Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
    Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
    Can someone point me in the right direction on how to re-configure the switch to pass this test?
    Thanks
    Poirot

    I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.
    I would suggest you to configure keys of 1024 on these switches and try again.
    I hope it helps.
    PK

  • I tried to sync my iPod touch to a new laptop and it deleted all of my music and videos. I called tech support and they told me to email iTunes and they would give it back to me. How do I do this??

    I  tried to sync my iPod touch to a new MacPro laptop and it deleted all of my music and videos. I called tech support and they told me to email iTunes and they would give it back to me. How do I do this??

    Correct. When you update via iTunes all synced media that is not in your iTunes library will be lost.
    As IO said before:
    You can redownload most iTunes pruchases by:
    Downloading past purchases from the App Store, iBookstore, and iTunes Store
    I do not think it included audio books.

  • HT4623 When I plug my ipad to itunes i get the error message that it is not supported and I have to go to itunes and get itunes re-installed?  i never had this problem before.  if i do this will i loose all my files, music, etc?

    When I plug me ipad to itunes i get the error message that it is not supported and that i have to go to itunes and get "itunes installer" and re-install.  if i do this will i loose my files and music?

    No, you should not lose anything.

  • Worst customer support and website in the world!

    I have had bad service from businesses here and there, but Verizon home phone service (which I am forced to use in this location) has amazingly bad customer support and a website from hell!
    Any tips or tricks how to get any human at Verizon to respond about a phone line that has been dead for days?...

    Please visit our Support page for a variety of ways to contact Verizon, including “Ask Verizon,” our virtual chat agent, and customer support phone numbers.

  • HT1725 For about three weeks I haven't been able to download any apps, not even the free ones.   My apple id billing information says that my security code on the back of my credit card is invalid. I called apple support and they told me to go to the expr

    For about three weeks I haven't been able to download any apps, not even the free ones.   My apple id billing information says that my security code on the back of my credit card is invalid. I called apple support and they told me to go to the express lane website but I still cant find a fix for my problem. If you could help me out that would be superb!!!!

    Is the address on your iTunes account exactly the same (format and spacing etc) as on your credit card bill : http://support.apple.com/kb/TS1646 ? If it is then you could try what it says at the bottom of that page :
    If the issue persists, contact your credit card company and verify that they and any company they use to process credit card authorisations have the correct information on file.
    And/or try contacting iTunes support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page

Maybe you are looking for

  • Call forwarding and 8.3

    Since updating to 8.3, I am not longer able to activate call forwarding. I use at&t and have used this feature before, but not since upgrading to 8.3. Won't turn on in settings or dial pad. When I try to set it, forst there is no ok button. All you c

  • Will apple router connect to a non apple computer

    im having issues with my D-Link DI 624 connecting to my iphone 4s, ipod touch and ipad so im looking at changing the router over. Will the apple router work on a windows based pc? or can any one offer a solution to a dlink router not connecting to an

  • Very Urjent Help Needed

    Hi All, Again i am here for your valuable suggestion and help. I dont know User Exit. I got a situation like below. Plz give me some step by step process to resolve the issue, My time is very short.. so if u can give the exact full steps it will be v

  • Migration procedure from Forte 30M to UDS 5.0.x

    Is there any documment that describes the migration procedure from Forte 30M Conductor 10M to UDS 5.0.xIS 3.0.x thanks in advance, Lorenzo.

  • Sending IDoc adapter

    Hello Specialists, we have an issue in our XI production environment (only there). When we receive an IDoc from a Subsystem (Seeburger BIS) via tRFC than the XML-IDoc Structure isn't correct. The facts: IDoc Typ: INVOIC02 IDX1 + IDX2 ... The meta dat