Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Weak SSL ciphers on Unity 5.0 server during a security scan

Hello,

We received informaition from our security team when they did a scan on our Unity server...."the remote host supports the use of SSL ciphers that offer weak encryption or no encryption at all"  I have found some articles on the web (Microsoft) to edit the registry key so that nothing lower than 128 bit encryption is accepted. I am looking for a Cisco paper to agree or disagree with this...can anyone help?

Thank you.

3 REPLIES

Re: Weak SSL ciphers on Unity 5.0 server during a security scan

So, this isn't an uncommon security alert when you have your system scanned.  One thing to keep in mind is the placement of your server and who/what it is accessed for.  In any case, you're not likely to find a Cisco doc that references this specifically.  Instead, if you really want to move forward with making the appropriate registry changes then you'll want to open a TAC case and find out if this is supported or not.  In terms of further info on your issue:

There is a McAfee article about making websites more secure.  It is here:  http://www.codeproject.com/KB/aspnet/MakeWebsiteMcAfeeSecured.aspx

Your alert is referenced as follows:

Vulnerability Name:  Weak Supported SSL Ciphers Suites

Description

The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. This vulnerability is valid for all SSL/TLS sessions that are passing sensitive information.
PCI defines strong cryptography, for secret key based systems, as anything above 80 bit encryption.

Solution

The solution to this is very simple but requires registry tweak again. Following are the steps:

  • Click Start, click Run, type regedt32 or type regedit, and then click OK.
  • In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders 
                                  \SCHANNEL\Ciphers 
    Fig6.png
  • Under the Cipher key, there are several Ciphers.
  • Locate the ciphers which have encryption less than 128 bit.
  • Create DWORD values named Enabled and Value 0 for each of them, just as the previous case.
  • For convenience, I have marked them with red arrows in the picture above.
  • System Restart is NOT required for this.

Now the server is secured.
The above mentioned security issues are the major ones that most of the systems have. However other than this, there may be some easy and minor vulnerabilities like:

  • Using robots.txt in the pages. (Generally inserted by Web Marketing team to track user hit).
  • Directory Scanner: Common directories are revealed. This can be resolved by URL rewriting and setting “Directory Browsing” off.

Note: For the above vulnerabilities, minor registry tweaks will be necessary. So it is strongly recommended to back up the registry before doing anything. By any chance if something gets messed up, just delete the SCHANNEL key and restart the machine, the key will be auto-generated.

Hailey

Please rate helpful posts!

New Member

Weak SSL ciphers on Unity 5.0 server during a security scan

Hello,

   I am in the same boat, our security team also ran the security scan on Unity connection 7.1(5b)su4 that says..."This host supports the use of SSL Ciphers that offer medium strength encryption, which we currently regards as those with key length 56 bits and less than 112 bits"

I’ll highly appreciate if you can give some pointers of your solution...

Thanks.

New Member

Same with even Unity 10..Jeff

Same with even Unity 10..

Jeff

789
Views
0
Helpful
3
Replies
CreatePlease to create content