Weak Encryption - SSL Module

Unanswered Question
Jun 16th, 2009

During a recent PCI compliance scan, 4 our our current SSL-Service(s) on the SSL module were scanned and came up with the "SSL Server Supports Weak Encryption Vulnerability". I have checked the configuration and all of our extranet web sites that are hosted on the CSM and have SSL termination at the SSL module appear the same. Also, the private key generated is a 1024 byte key pair. No defined ciphers are in the configuration at this time. Should there be? Is there a white paper on best practices for highest security using the SSL module. We will soon be migrating off to ACE modules, but with PCI compliance currently at hand, we have to mitigate this issue as soon as possible. Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Tue, 06/16/2009 - 07:44

Configure an ssl policy to limit the cipher list.

Remove the weak ones and run your test again.

ssl-proxy(config-context)#policy ssl Ciphers

ssl-proxy(config-ctx-ssl-policy)#cipher ?

all All supported ciphers

all-export All export ciphers

all-strong All strong ciphers

rsa-exp-with-des40-cbc-sha rsa export with des40-sha

rsa-exp-with-rc4-40-md5 rsa export with rc4-md5

rsa-exp1024-with-des-cbc-sha rsa export1024 with des-sha

rsa-exp1024-with-rc4-56-md5 rsa export1024 with rc4-md5

rsa-exp1024-with-rc4-56-sha rsa export1024 with rc4-sha

rsa-with-3des-ede-cbc-sha rsa with 3des-sha

rsa-with-des-cbc-sha rsa with des-sha

rsa-with-null-md5 rsa with null-md5

rsa-with-rc4-128-md5 rsa with rc4-md5

rsa-with-rc4-128-sha rsa with rc4-sha

Gilles.

aanelso1 Tue, 06/16/2009 - 11:59

Thanks for the quick response!!

I am a bit confused here....it appears that configuration that you are suggesting is for an ACE module. We are currently needing similar for SSL-Module (used in conjunction with CSM).

This is what I think I will be using:

bvlcoelablbrtr1-ssl(config)#ssl-proxy policy ssl Ciphers

bvlcoelabl(config-ssl-policy)#cipher rsa-with-rc4-128-md5

I am assuming that the default is to use all which on the SSL-Module includes the following (I believe that rsa with des-sha is the only weak encryption).

all All supported ciphers

rsa-with-3des-ede-cbc-sha rsa with 3des-sha

rsa-with-des-cbc-sha rsa with des-sha

rsa-with-rc4-128-md5 rsa with rc4-md5

rsa-with-rc4-128-sha rsa with rc4-sha

Actions

This Discussion