Technote (troubleshooting)
Problem (Abstract)
A security scan incorrectly reports that the IBM HTTP Server supports weak ciphers even after the httpd.conf file has been configured to disable weak ciphers.
Symptom
Your security scanner software reports the following vulnerability with IBM HTTP Server SSL ciphers:
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution : Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
The SSL virtual host in httpd.conf is configured as follows (SSLv2 disabled, only the three listed SSLCipherSpec codes enabled):
<VirtualHost *:443>
SSLEnable
## Disable SSLv2
SSLProtocolDisable SSLv2
## Set strong ciphers
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
The GSKit trace on the IBM HTTP Server shows only these ciphers being negotiated:
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_MD5(34)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_SHA(35)
Cause
The security scanner tool was reporting the cipher support of the firewall in front of the server, not of the IBM HTTP Server itself.
Resolving the problem
Your GSKit trace shows many successful handshakes, all of which used the 3DES cipher (SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)).
The connection requests from the scan test tool do not reach the IBM HTTP Server directly. It is possible that the scanner software is connecting to a front-end device in the network (a firewall, load balancer, proxy server, and so on) that is willing to accept weak ciphers and then connects to the IBM HTTP Server using 3DES.
After you ran the test tool locally on the IBM HTTP Server, without any intervening servers, it was determined that the report was getting its data from the firewall. After the firewall was corrected, the problem was resolved.
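The diagnosis above rests on comparing three sources: what the scanner reports, what httpd.conf enables, and what the GSKit trace shows the server actually negotiated. The following script, added here as an example and not part of the IBM technote, correlates constructed copies of those three inputs (taken from the text above) and flags the "scanner is not seeing the origin" case; it also includes a small live probe that can be run against the IHS host itself and against the public name the scanner used, which is the same comparison the resolution describes. The mapping of SSLCipherSpec codes 3A, 34 and 35 to OpenSSL suite names is derived from the SSL0320I lines plus OpenSSL's standard names for those suites and is an assumption for any other code.

```python
import re
import socket
import ssl

# Constructed sample inputs, copied from the quoted scanner output,
# httpd.conf fragment and GSKit trace lines in the technote above.
SCANNER_OUTPUT = """\
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""
HTTPD_CONF = """\
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
</VirtualHost>
"""
GSKIT_TRACE = """\
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_MD5(34)
"""

# IHS SSLCipherSpec code -> OpenSSL suite name. Code/suite pairs come from the
# SSL0320I lines; OpenSSL names are the standard ones for those suites.
# Assumption: extend this table for any other codes your httpd.conf enables.
SPEC_TO_OPENSSL = {"3A": "DES-CBC3-SHA", "34": "RC4-MD5", "35": "RC4-SHA"}

SCANNER_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\w+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)
TRACE_RE = re.compile(r"SSL0320I: Using Version \d+ Cipher: \w+\((?P<code>[0-9A-Fa-f]+)\)")
SPEC_RE = re.compile(r"^\s*SSLCipherSpec\s+(?P<code>[0-9A-Fa-f]+)", re.M)


def parse_scanner(text):
    """One dict per cipher line of the scanner's 'Plugin output' section."""
    entries = []
    for line in text.splitlines():
        m = SCANNER_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"])
            d["export"] = d["export"] is not None
            entries.append(d)
    return entries


def is_weak(entry):
    """The scanner's own rule: < 56-bit key, export grade, or no encryption."""
    return entry["bits"] < 56 or entry["export"] or entry["enc"].upper() == "NULL"


def analyze(scanner_text, conf, trace):
    """Correlate scanner findings with the origin's config and its trace."""
    weak = [e["name"] for e in parse_scanner(scanner_text) if is_weak(e)]
    codes = {c.upper() for c in SPEC_RE.findall(conf)}
    origin_names = {SPEC_TO_OPENSSL.get(c, "UNMAPPED-" + c) for c in codes}
    not_on_origin = [n for n in weak if n not in origin_names]
    negotiated = {m.group("code").upper() for m in TRACE_RE.finditer(trace)}
    outside_config = negotiated - codes
    if outside_config:
        verdict = "origin-misconfigured"   # trace shows suites never enabled
    elif weak and not_on_origin == weak:
        verdict = "intermediary"           # scanner saw suites the origin cannot offer
    elif weak:
        verdict = "origin-weak"
    else:
        verdict = "clean"
    return {
        "weak_reported": weak,
        "not_configured_on_origin": not_on_origin,
        "origin_negotiated_codes": negotiated,
        "trace_codes_outside_config": outside_config,
        "verdict": verdict,
    }


def probe_cipher(host, port, openssl_cipher, timeout=5.0):
    """Live check: does a handshake offering only `openssl_cipher` succeed?
    Run once against the IHS host and once against the name the scanner
    used; a difference points at a device in between. Returns None when the
    local OpenSSL cannot offer the suite at all (true of export suites)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(openssl_cipher)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_cipher
    except (OSError, ssl.SSLError):
        return False


if __name__ == "__main__":
    for key, value in analyze(SCANNER_OUTPUT, HTTPD_CONF, GSKIT_TRACE).items():
        print(f"{key}: {value}")
```

On the page's inputs the verdict is "intermediary": every weak suite the scanner lists is absent from the origin's SSLCipherSpec set, and the trace contains no code outside that set, so the finding belongs to whatever terminated TLS in front of the server. Note that the weakness rule here is the scanner's (< 56-bit or export); RC4 and 3DES, which the page's configuration still enables, are themselves deprecated by current standards and should be removed from any present-day cipher list.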