2 posts / 0 new
Last post
#1 Fri, 06/26/2009 - 22:33
katir

SSL

We are facing some hard pressures from banks, they will starting fining merchants in November for vulnerablities. One issue we see I do not understand:

5 Synopsis : The remote service supports the use of anonymous SSL ciphers. Description : The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack. See also : http://www.openssl.org/docs/apps/ciphers .html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) [More] [Hide]

can anyone help, one solution is to only allow ssl3, and TLS1 protocols for encryption. Can we tweak this in Virtual Min UI or not?

Fri, 06/26/2009 - 23:51
andreychek

Yeah, by default, many daemons allow some protocols that the folks performing security scans consider to be insecure.

What to do to resolve it depends on what daemon you're trying to configure.

If we're talking about Apache, and you're just looking to restrict traffic to SSL3 and TLS1, you can choose an SSL-enabled Virtual Server, and go into Services -> Configure Website -> SSL Options, and select which protocols you wish to enable in "SSL protocols".

-Eric

Topic locked