Calazan.com » SSL http://www.calazan.com Share the Knowledge Sun, 05 Sep 2010 00:59:26 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 IIS Security Scan: The remote service supports the use of weak SSL ciphers http://www.calazan.com/iis-security-scan-the-remote-service-supports-the-use-of-weak-ssl-ciphers/ http://www.calazan.com/iis-security-scan-the-remote-service-supports-the-use-of-weak-ssl-ciphers/#comments Wed, 28 Jan 2009 00:42:13 +0000 webmaster http://www.calazan.com/?p=280 Synopsis: The remote service supports the use of weak SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. See also : http://www.openssl.org/docs/apps/ciphers.html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers ( 56-bit key) SSLv3 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Our ISA 2006 server failed the SecurityMetrics PCI scan yesterday with this reason.  We fixed the security issue by doing the following:

  1. Open Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\ SCHANNEL\Ciphers (I recommend that you create a backup of this section of the registry before continuing).
  3. Select a cipher that has a number less than 128/128 (examples: DES 56/56, RC2 40/128, RC4 40/128, RC4 56/128) and add a DWORD value with the name “Enabled” and Value Data: 0.
  4. Repeat Step 3 for all ciphers less than 128/128.

After doing the above, we ran the SecurityMetrics scan again and it didn’t find any vulnerabilities this time.

You might also want to disable SSL 2.0 support while you’re here as this is another security issue (we had to do this last year to pass).  To do so, simply add the same DWORD value to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\ SCHANNEL\Protocols\SSL 2.0\Server.

Credit goes to this website for this solution: http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/

]]> http://www.calazan.com/iis-security-scan-the-remote-service-supports-the-use-of-weak-ssl-ciphers/feed/ 1