SSL Server Allows Anonymous Authentication Vulnerability

Question

Good morning,&nbsp;
Kindly note security scan from Qualys returned the following vulnarability "SSL Server Allows Anonymous Authentication Vulnerability" while I'm using an SSL client profile with non default cipher  only "TLSv1_2" is enabled.
Can somebody provide solution to close this vulnarability and disable null cipher.&nbsp;
Thanks in advance.&nbsp;
Best Regards,
Ralph El Habr&nbsp;

ashwin_venkat · Answer

That result from Qualys is pointing to the fact that you have anonymous cipher suites enabled, and with cipher string you're using, that is due to ADH being enabled.

You can disable it by appending ':!ADH' to your existing cipher string and I'd go one step further to also disable other weaker ones like RC4, DE &amp; 3DES.  Therefore, the following cipher string disables all those weaker ones:
  TLSv1_2:!ADH:!DES:!3DES:!RC4

Please let me know if you have any questions.

Forum Discussion

SSL Server Allows Anonymous Authentication Vulnerability

1 Reply

Recent Discussions

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Related Content

Anonymous DDOS Tools 2016

Dealing with DDoS threats by KillNet, Anonymous Sudan and REvil

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Doing mTLS Authentication per URL

OWASP Automated Threats - OAT-014 Vulnerability Scanning