
SSL Anonymous Cipher Suites Discovery

Article ID: 50006

CA eHealth

When a user runs a security scan against eHealth 6.2, the following vulnerability may be reported:

SSL Anonymous Cipher Suites Discovery

The eHealth host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.


eHealth's SSL configuration does provide an option to disable SSLv2 if that is a concern; the user should enable this option during SSL configuration in eHealth.

The 'CA eHealth, Command and Environment Variables Reference Guide' describes the method for disabling SSLv2.

  1. SSL Version 2 (v2) Protocol Detection
  2. SSL Anonymous Cipher Suites Discovery

To disable support for all SSL version 2.0 ciphers and specify that only SSL version 3.0 ciphers are supported, run the command nhWebProtocol with the -disableSSLv2 parameter. For example:

nhWebProtocol -mode https -hostname -disableSSLv2

If the customer had previously configured SSL without specifying -disableSSLv2, the command would need to be run again.

The 'nhWebProtocol -disableSSLv2' command generates the parameter:

SSLCipherSuite ALL

To address SSL anonymous ciphers as well as medium and weak ciphers, the parameter should be the following (as recommended at


However, the latest eHealth release to date, 6.2.2, has no mechanism to generate SSLCipherSuite with the options listed; this will be an enhancement in future releases.
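To show why SSLCipherSuite ALL still leaves anonymous suites enabled, and how exclusion keywords in the same directive remove them, here is an added example (not part of this article and not eHealth code): a toy evaluator of OpenSSL-style cipher strings over a constructed suite table. The hardened string ALL:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP used below is an illustrative assumption, not the value the article refers to, and only the keywords used here are modelled.

```python
"""Toy evaluator for OpenSSL-style cipher strings, the syntax that the
SSLCipherSuite directive takes. The suite table is a constructed sample and
only the keywords used here are modelled; real OpenSSL has many more."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str
    auth: str   # "RSA" or "NONE" (anonymous: no certificate, so no peer identity)
    cls: str    # strength class: HIGH, MEDIUM, LOW, EXP or eNULL (no encryption)

# Constructed sample table; names follow OpenSSL conventions, attributes are illustrative.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "RSA", "HIGH"),
    Suite("AES128-SHA", "RSA", "HIGH"),
    Suite("ADH-AES256-SHA", "NONE", "HIGH"),    # anonymous DH
    Suite("AECDH-AES128-SHA", "NONE", "HIGH"),  # anonymous ECDH
    Suite("RC4-SHA", "RSA", "MEDIUM"),
    Suite("DES-CBC-SHA", "RSA", "LOW"),
    Suite("EXP-RC4-MD5", "RSA", "EXP"),
    Suite("NULL-SHA", "RSA", "eNULL"),
]

def matches(suite, keyword):
    """Does one keyword (ALL, aNULL, a strength class, or a suite name) select this suite?"""
    if keyword == "ALL":
        return suite.cls != "eNULL"   # OpenSSL's ALL excludes eNULL but NOT aNULL
    if keyword == "aNULL":
        return suite.auth == "NONE"
    if keyword in ("HIGH", "MEDIUM", "LOW", "EXP", "eNULL"):
        return suite.cls == keyword
    return suite.name == keyword

def enabled_suites(cipher_string):
    """Evaluate a ':'-separated cipher string: '!' removes permanently, plain tokens add."""
    enabled, killed = [], set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            killed |= {s.name for s in SUITES if matches(s, token[1:])}
            enabled = [n for n in enabled if n not in killed]
        else:
            for s in SUITES:
                if matches(s, token) and s.name not in killed and s.name not in enabled:
                    enabled.append(s.name)
    return enabled

def anonymous_suites(cipher_string):
    """Enabled suites a scanner would flag as anonymous (no server authentication)."""
    by_name = {s.name: s for s in SUITES}
    return [n for n in enabled_suites(cipher_string) if by_name[n].auth == "NONE"]

if __name__ == "__main__":
    for cs in ("ALL", "HIGH", "ALL:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP"):
        print(f"{cs:40s} anonymous={anonymous_suites(cs)}")
```

Note that HIGH alone does not remove the anonymous suites either: strength keywords classify the bulk cipher, so an explicit !aNULL is what clears the anonymous finding.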


Component: EHWEB