ISSUE:
The customer runs a security check on the environment and finds the following vulnerability.
Cause:
Vulnerability: SSL Medium Strength Cipher Suites Supported
Environment:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
NessusOutput:
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
The change below ensures that DES ciphers are not used when communicating with CA Directory.
Resolution:
To resolve this issue, do the following:
- Open the file $DXHOME/config/ssld/itechpoz.dxc.
- Add the line: cipher = "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT40:+SSLv2:@STRENGTH"
- You can check default.dxc in the same folder for the cipher field, which is commented out by default.
- Stop dxserver before making the change and start it again afterwards.
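As an added example (not from the CA Directory documentation), the Python below parses Nessus cipher lines in the format quoted above, classifies them by the key-length band the plugin states, and shows which suites the `!DES` keyword in the cipher string removes; the sample scan text, including the extra DES-CBC3-SHA line, is constructed.

```python
import re

# Constructed sample in the Nessus plugin output format quoted above (not a real scan).
# The DES-CBC3-SHA line is added to show what the "!DES" keyword does not remove.
NESSUS_SAMPLE = """\
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-9])?)$")
CIPHER_RE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^(\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse_nessus_ciphers(text):
    """Return one dict per cipher line: name, kx, au, enc, bits, mac, proto."""
    ciphers, proto = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PROTO_RE.match(line):          # section header such as "TLSv1"
            proto = line
            continue
        m = CIPHER_RE.match(line)
        if m:
            c = m.groupdict()
            c["bits"] = int(c["bits"]) if c["bits"] else 0
            c["proto"] = proto
            ciphers.append(c)
    return ciphers

def strength(bits):
    """Key-length bands as stated in the plugin text: medium is >= 56 and < 112 bits."""
    if bits < 56:
        return "low"
    if bits < 112:
        return "medium"
    return "high"

def medium_ciphers(ciphers):
    return [c["name"] for c in ciphers if strength(c["bits"]) == "medium"]

def removed_by_not_des(cipher):
    """OpenSSL's DES keyword (hence "!DES") matches single DES only, not triple DES (3DES keyword)."""
    return cipher["enc"].startswith("DES")

def remaining_after_fix(ciphers):
    """Suites from the scan that the "!DES" rule in the resolution does not remove."""
    return [c["name"] for c in ciphers if not removed_by_not_des(c)]
```

Re-run the scan after restarting dxserver and feed its output to parse_nessus_ciphers; medium_ciphers should then return an empty list for the DES suites.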