WCS Ver 6 SSl vulnerability

Unanswered Question
May 4th, 2010
User Badges:

I am getting an audit result of my Windows based WCS 6 server, the following error must be corrected, and several others are notificaton only at present, but they may be increased in the future:


(Moderate risk)

IETF X.509 Certificate Signature Collision Vulnerability


(Attention)

Web Server Supports Weak SSL Encryption Certificates
TLS/SSL/X.509 Certificate All Fields Enumeration
SSL/TLS X.509 Certificate Server Name Mismatch


Now, I cannot get a signed certificate. (I had to beg to get the money for a cert on the WLC box)  If I create a self signed certificate (OpenSSL) will that eliminate the audit points, or is there some other error in the SSL implementation that cannot be changed?  I am not an expert at this, so I don't want to screw around with the certificates unless I know it will work without breaking my system.


Thanks,

Gene

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
GENE MCTIERNAN Tue, 05/04/2010 - 14:33
User Badges:

It is an audit conducted by our Internet Security folks against the server, not any result from the system itself.  They probe the system, and those were the results they got.

Lucien Avramov Tue, 05/04/2010 - 14:56
User Badges:
  • Red, 2250 points or more

By default, WCS presents a self-signed certificate unless you change that with a third party cert.

It's an apache tomcat webserver, that can use a signed cert or self signed cert.

GENE MCTIERNAN Tue, 05/04/2010 - 15:07
User Badges:

Yes, but if I provide a self signed certificate, will that eliminate the vulnerability, or is that inherent in the version of Apache used?

Actions

This Discussion

 

 

Trending Topics - Security & Network