Description:
When a user runs a security test against eHealth 6.2, the following vulnerability is reported:
SSL Version 2 (v2) Protocol Detection
The eHealth service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Solution:
eHealth's SSL configuration does provide an option to disable SSLv2. If SSLv2 is a concern, the user should enable this option during SSL configuration in eHealth.
The method for disabling SSLv2 is documented in the 'CA eHealth Command and Environment Variables Reference Guide'.
Current directive:
SSLCipherSuite ALL
In order to also address SSL anonymous ciphers and medium and weak ciphers, the parameter should be the following (as recommended at http://blog.techstacks.com/2008/08/apache-configuration-and-pci-compliance_18.html):
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
However, in the latest eHealth release to date, 6.2.2, there is no mechanism to generate SSLCipherSuite with the options listed; this will be an enhancement for a future release.
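As an added check that is not part of this article or of the eHealth product, the following shell script expands both cipher strings above with the local OpenSSL command-line tool (assumed to be on PATH) and counts the entries a scanner would flag, so an administrator can confirm what a given SSLCipherSuite value actually permits before applying it. The expansion reflects the OpenSSL build on the machine running the script, not the one bundled with eHealth.

```shell
#!/bin/sh
# Added example: expand an Apache-style SSLCipherSuite value with the local
# `openssl` binary (assumed to be installed) and count the entries left in it
# that a vulnerability scanner would report.

# Print the ciphers a spec expands to, one per line, in `openssl ciphers -v`
# format (name, protocol, Kx=, Au=, Enc=, Mac= columns).
expand_spec() {
    openssl ciphers -v "$1" 2>/dev/null || true
}

# Count entries a scanner flags: anonymous authentication (Au=None), null
# encryption (Enc=None), export-grade ciphers, or SSLv2 cipher suites.
count_flagged() {
    expand_spec "$1" | grep -c -E 'Au=None|Enc=None|SSLv2|export' || true
}

# Total number of cipher suites the spec expands to.
count_total() {
    expand_spec "$1" | grep -c . || true
}

# The directive eHealth currently writes, and the recommended replacement.
CURRENT_SPEC='ALL'
HARDENED_SPEC='ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'

for spec in "$CURRENT_SPEC" "$HARDENED_SPEC"; do
    printf '%-58s total=%s flagged=%s\n' \
        "$spec" "$(count_total "$spec")" "$(count_flagged "$spec")"
done
```

Run it on a host with OpenSSL installed; the hardened string should report zero flagged entries while still expanding to a non-empty list.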