Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Weak Encryption - SSL Module

During a recent PCI compliance scan, 4 our our current SSL-Service(s) on the SSL module were scanned and came up with the "SSL Server Supports Weak Encryption Vulnerability". I have checked the configuration and all of our extranet web sites that are hosted on the CSM and have SSL termination at the SSL module appear the same. Also, the private key generated is a 1024 byte key pair. No defined ciphers are in the configuration at this time. Should there be? Is there a white paper on best practices for highest security using the SSL module. We will soon be migrating off to ACE modules, but with PCI compliance currently at hand, we have to mitigate this issue as soon as possible. Thanks.

2 REPLIES
Cisco Employee

Re: Weak Encryption - SSL Module

Configure an ssl policy to limit the cipher list.

Remove the weak ones and run your test again.

ssl-proxy(config-context)#policy ssl Ciphers

ssl-proxy(config-ctx-ssl-policy)#cipher ?

all All supported ciphers

all-export All export ciphers

all-strong All strong ciphers

rsa-exp-with-des40-cbc-sha rsa export with des40-sha

rsa-exp-with-rc4-40-md5 rsa export with rc4-md5

rsa-exp1024-with-des-cbc-sha rsa export1024 with des-sha

rsa-exp1024-with-rc4-56-md5 rsa export1024 with rc4-md5

rsa-exp1024-with-rc4-56-sha rsa export1024 with rc4-sha

rsa-with-3des-ede-cbc-sha rsa with 3des-sha

rsa-with-des-cbc-sha rsa with des-sha

rsa-with-null-md5 rsa with null-md5

rsa-with-rc4-128-md5 rsa with rc4-md5

rsa-with-rc4-128-sha rsa with rc4-sha

Gilles.

New Member

Re: Weak Encryption - SSL Module

Thanks for the quick response!!

I am a bit confused here....it appears that configuration that you are suggesting is for an ACE module. We are currently needing similar for SSL-Module (used in conjunction with CSM).

This is what I think I will be using:

bvlcoelablbrtr1-ssl(config)#ssl-proxy policy ssl Ciphers

bvlcoelabl(config-ssl-policy)#cipher rsa-with-rc4-128-md5

I am assuming that the default is to use all which on the SSL-Module includes the following (I believe that rsa with des-sha is the only weak encryption).

all All supported ciphers

rsa-with-3des-ede-cbc-sha rsa with 3des-sha

rsa-with-des-cbc-sha rsa with des-sha

rsa-with-rc4-128-md5 rsa with rc4-md5

rsa-with-rc4-128-sha rsa with rc4-sha

1924
Views
0
Helpful
2
Replies
CreatePlease to create content