Weak Encryption - SSL Module

aanelso1 (Level 1)

During a recent PCI compliance scan, 4 of our current SSL-Service(s) on the SSL module were scanned and came up with the "SSL Server Supports Weak Encryption Vulnerability". I have checked the configuration, and all of our extranet web sites that are hosted on the CSM and have SSL termination at the SSL module appear the same. Also, the private key generated is a 1024 byte key pair. No defined ciphers are in the configuration at this time. Should there be? Is there a white paper on best practices for highest security using the SSL module? We will soon be migrating off to ACE modules, but with PCI compliance currently at hand, we have to mitigate this issue as soon as possible. Thanks.

2 Replies

Gilles Dufour (Cisco Employee)

Configure an ssl policy to limit the cipher list.

Remove the weak ones and run your test again.

ssl-proxy(config-context)#policy ssl Ciphers
ssl-proxy(config-ctx-ssl-policy)#cipher ?
  all                           All supported ciphers
  all-export                    All export ciphers
  all-strong                    All strong ciphers
  rsa-exp-with-des40-cbc-sha    rsa export with des40-sha
  rsa-exp-with-rc4-40-md5       rsa export with rc4-md5
  rsa-exp1024-with-des-cbc-sha  rsa export1024 with des-sha
  rsa-exp1024-with-rc4-56-md5   rsa export1024 with rc4-md5
  rsa-exp1024-with-rc4-56-sha   rsa export1024 with rc4-sha
  rsa-with-3des-ede-cbc-sha     rsa with 3des-sha
  rsa-with-des-cbc-sha          rsa with des-sha
  rsa-with-null-md5             rsa with null-md5
  rsa-with-rc4-128-md5          rsa with rc4-md5
  rsa-with-rc4-128-sha          rsa with rc4-sha

Gilles.

Thanks for the quick response!!

I am a bit confused here... it appears that the configuration you are suggesting is for an ACE module. We currently need something similar for the SSL-Module (used in conjunction with the CSM).

This is what I think I will be using:

bvlcoelablbrtr1-ssl(config)#ssl-proxy policy ssl Ciphers
bvlcoelabl(config-ssl-policy)#cipher rsa-with-rc4-128-md5

I am assuming that the default is to use "all", which on the SSL-Module includes the following (I believe that rsa with des-sha is the only weak encryption).

  all                        All supported ciphers
  rsa-with-3des-ede-cbc-sha  rsa with 3des-sha
  rsa-with-des-cbc-sha       rsa with des-sha
  rsa-with-rc4-128-md5       rsa with rc4-md5
  rsa-with-rc4-128-sha       rsa with rc4-sha
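As an added example (not from the thread or from Cisco), the script below takes the cipher names exactly as the SSL module's "cipher ?" help lists them in the reply above, flags each one a "weak encryption" scanner finding would object to (NULL, export-grade, 40-bit DES, short-key RC4, single DES), and renders the ssl-proxy policy with only the survivors. An optional stricter pass also flags what is deprecated under current guidance (RC4, MD5 MACs, 3DES), which shows why nothing on that list survives today and supports the planned move to the ACE modules. The `cipher` keyword syntax is the one shown in the thread; the cipher list is constructed input.

```python
import re

# Cipher names as the SSL module's "cipher ?" help lists them in the thread
# (constructed input; the real default set may differ by software release).
SSL_MODULE_CIPHERS = [
    "rsa-exp-with-des40-cbc-sha", "rsa-exp-with-rc4-40-md5",
    "rsa-exp1024-with-des-cbc-sha", "rsa-exp1024-with-rc4-56-md5",
    "rsa-exp1024-with-rc4-56-sha", "rsa-with-3des-ede-cbc-sha",
    "rsa-with-des-cbc-sha", "rsa-with-null-md5",
    "rsa-with-rc4-128-md5", "rsa-with-rc4-128-sha",
]

# What a "weak encryption" finding is based on: no encryption or under 128 bits.
WEAK_RULES = [
    (r"-null-", "no encryption (NULL cipher)"),
    (r"-exp", "export-grade key length"),
    (r"-des40-", "40-bit DES"),
    (r"-rc4-(40|56)-", "RC4 with short key"),
    (r"-des-cbc", "single DES (56-bit)"),   # does not match "-3des-ede-cbc"
]

# Deprecated under current guidance, beyond the original finding.
LEGACY_RULES = [
    (r"-rc4-", "RC4 (prohibited by RFC 7465)"),
    (r"-md5$", "MD5-based MAC"),
    (r"-3des-", "3DES (64-bit block size, Sweet32)"),
]


def weaknesses(cipher, legacy=False):
    """Return the list of reasons a cipher suite name should be excluded."""
    rules = WEAK_RULES + (LEGACY_RULES if legacy else [])
    return [reason for pattern, reason in rules if re.search(pattern, cipher)]


def acceptable(ciphers, legacy=False):
    """Keep only suites with no flagged weakness, preserving the module's order."""
    return [c for c in ciphers if not weaknesses(c, legacy)]


def policy_config(policy_name, ciphers):
    """Render an ssl-proxy policy restricted to the given suites (syntax from the thread)."""
    lines = [f"ssl-proxy policy ssl {policy_name}"]
    lines += [f" cipher {c}" for c in ciphers]
    return "\n".join(lines)


if __name__ == "__main__":
    for c in SSL_MODULE_CIPHERS:
        print(f"{c:30} {', '.join(weaknesses(c)) or 'ok'}")
    print(policy_config("Ciphers", acceptable(SSL_MODULE_CIPHERS)))
    print("left under current guidance:", acceptable(SSL_MODULE_CIPHERS, legacy=True))
```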
