Can I turn off self assign SSL certs on Cisco 5520?

whiteford
Level 1

Hi, we have just upgraded our Cisco PIX to a Cisco ASA 5520. I ran a security scan against the ASA's outside IP and it came back with 2 vulnerabilities, which I've pasted below. Should these be picked up externally? If not, what should I check?

SSL Certificate - Self-Signed Certificate

THREAT:

An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.

The client can trust that the Server Certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are generally created for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.

By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server.

IMPACT:

By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack.

SOLUTION:

Please install a server certificate signed by a trusted third-party Certificate Authority.

SSL Certificate - Signature Verification Failed Vulnerability

THREAT:

An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority.

If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication.

IMPACT:

By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur.

Exception:

If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature.

SOLUTION:

Please install a server certificate signed by a trusted third-party Certificate Authority.

7 Replies

vkapoor5
Level 5

Turning off SSLv2 and enabling SSLv3 may solve the problem.

I'm having the same issue. Did this work or does anyone have any other suggestions?

We had an ASV do a vulnerability scan. They use Qualys.

Thanks for that.

lcaruso
Level 6

If you don't mind my asking, which tool did you scan with? I'd like to try it out.

Jason Gervia
Cisco Employee

There's no way to turn off the self-signed certificates.

However, if you disable ASDM access (by using 'no http server enable') and you're not using WebVPN (which would use certificates), then SSL would no longer be used and you would no longer be running into this vulnerability.

However, if you want ASDM access, you have to enable the http server and SSL, and if you are using a self-signed certificate at that point, you would still have this issue.

The other option, of course, is to obtain a 3rd party certificate.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml

And disabling http access from whatever interface is being scanned would also work as well.

--Jason
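To confirm for yourself what the scanner is reporting (and to re-check after disabling the http server on the outside interface or installing a CA-signed certificate), the following script reproduces the two findings above with the openssl CLI. It is an added example, not from this thread or from Cisco; it assumes openssl is on PATH, and the host name asa.example.invalid used for the constructed sample is a placeholder.

```shell
#!/bin/sh
# Added example: reproduce the scanner's two checks with the openssl CLI.
# Assumed: openssl is on PATH; host and port are supplied as arguments.
set -e

# Print "self-signed" if the leaf certificate in PEM file $1 is self-issued
# (issuer name equals subject name), otherwise "ca-signed".
cert_signing_kind() {
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  if [ "$subject" = "$issuer" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Succeed (exit 0) only if the certificate in $1 chains to the system trust
# store, which is the "signature verification" the scanner performs.
# Checks for the "file: OK" line so it works across openssl versions.
cert_verifies() {
  openssl verify "$1" 2>/dev/null | grep -q ': OK$'
}

# Save the certificate presented on host:port (e.g. the ASA outside interface
# while "http server enable" or WebVPN is on) into PEM file $3.
fetch_cert() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# Constructed sample: a throwaway self-signed certificate, like the one the
# ASA generates for itself, so the checks can be demonstrated offline.
make_sample_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
    -out "$1" -subj "/CN=asa.example.invalid" >/dev/null 2>&1
}

# Usage: sh check_asa_cert.sh <host> <port>
if [ "$#" -eq 2 ]; then
  tmp=$(mktemp)
  fetch_cert "$1" "$2" "$tmp"
  echo "$1:$2 presents a $(cert_signing_kind "$tmp") certificate"
  cert_verifies "$tmp" && echo "chain verifies" \
    || echo "chain does NOT verify (scanner would flag it)"
  rm -f "$tmp"
fi
```

If ASDM access has been removed from the scanned interface, the connection in fetch_cert simply fails, which is the "no SSL in use" outcome described in the reply above.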
