Weak Encryption - SSL Module

Unanswered Question
Jun 16th, 2009
User Badges:

During a recent PCI compliance scan, 4 our our current SSL-Service(s) on the SSL module were scanned and came up with the "SSL Server Supports Weak Encryption Vulnerability". I have checked the configuration and all of our extranet web sites that are hosted on the CSM and have SSL termination at the SSL module appear the same. Also, the private key generated is a 1024 byte key pair. No defined ciphers are in the configuration at this time. Should there be? Is there a white paper on best practices for highest security using the SSL module. We will soon be migrating off to ACE modules, but with PCI compliance currently at hand, we have to mitigate this issue as soon as possible. Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Tue, 06/16/2009 - 07:44
User Badges:
  • Cisco Employee,

Configure an ssl policy to limit the cipher list.

Remove the weak ones and run your test again.



ssl-proxy(config-context)#policy ssl Ciphers


ssl-proxy(config-ctx-ssl-policy)#cipher ?

all All supported ciphers

all-export All export ciphers

all-strong All strong ciphers

rsa-exp-with-des40-cbc-sha rsa export with des40-sha

rsa-exp-with-rc4-40-md5 rsa export with rc4-md5

rsa-exp1024-with-des-cbc-sha rsa export1024 with des-sha

rsa-exp1024-with-rc4-56-md5 rsa export1024 with rc4-md5

rsa-exp1024-with-rc4-56-sha rsa export1024 with rc4-sha

rsa-with-3des-ede-cbc-sha rsa with 3des-sha

rsa-with-des-cbc-sha rsa with des-sha

rsa-with-null-md5 rsa with null-md5

rsa-with-rc4-128-md5 rsa with rc4-md5

rsa-with-rc4-128-sha rsa with rc4-sha


Gilles.

aanelso1 Tue, 06/16/2009 - 11:59
User Badges:

Thanks for the quick response!!


I am a bit confused here....it appears that configuration that you are suggesting is for an ACE module. We are currently needing similar for SSL-Module (used in conjunction with CSM).


This is what I think I will be using:


bvlcoelablbrtr1-ssl(config)#ssl-proxy policy ssl Ciphers

bvlcoelabl(config-ssl-policy)#cipher rsa-with-rc4-128-md5


I am assuming that the default is to use all which on the SSL-Module includes the following (I believe that rsa with des-sha is the only weak encryption).


all All supported ciphers

rsa-with-3des-ede-cbc-sha rsa with 3des-sha

rsa-with-des-cbc-sha rsa with des-sha

rsa-with-rc4-128-md5 rsa with rc4-md5

rsa-with-rc4-128-sha rsa with rc4-sha





Actions

This Discussion