Forum Discussion

Sep 11, 2019

Vulnerability SSL Medium Strength Cipher Suites Supported

From the PCI audit I get the following: Vulnerability SSL Medium Strength Cipher Suites Supported

Currently the following is configured:

list sys httpd

sys httpd {
    auth-pam-idle-timeout 2400
    ssl-ciphersuite HIGH:!ADH
    ssl-protocol TLSv1.2

Would it be correct to change this to

modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'

or do I need other settings?

4 Replies

  • Hi,

    I suppose it's for the mgmt service.

    You have many examples here:

    https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

    How to create an SSL server that only accepts strong encryption?

    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    How to create a server that accepts many types of encryption in general, but requires strong encryption to access a particular URL?

    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    You can also refine as you go...

    You confirm that it's for the management interface?

    Regards

  • Hi, I confirm it is the management interface, so would the following configuration solve the problem of Medium Strength Cipher Suites: "modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'" OR "modify /sys httpd ssl-ciphersuite HIGH" OR .... something else?

    I want the highest (strongest) ciphersuite/level of security.

  • Hi,

    There is a solution: get rid of all the low and medium level ciphers from the apache conf file.

    Try this first, it can fix your problem:

    TLSv1.2+HIGH:!aNULL:!eNULL

    Keep me posted.

  • Hi,

    TLSv1.2+HIGH:!aNULL:!eNULL didn't help. I now configured

    modify /sys httpd ssl-ciphersuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256"
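The cipher strings traded in this thread can be expanded offline before touching the BIG-IP. The following is an added example, not code from the thread or from F5: it uses Python's ssl module, which expands an OpenSSL cipher string with whatever OpenSSL the interpreter is linked against, so run it on a host whose OpenSSL matches the one behind the management httpd. The expansion differs across OpenSSL versions: on the 1.0.x line, HIGH still contains the triple-DES suites such as DES-CBC3-SHA, which is what this scanner finding normally points at, while OpenSSL 1.1.0 moved 3DES from HIGH to MEDIUM. Two details of the proposed string matter when reading the output: !DES removes single-DES suites only (triple DES is the 3DES alias), and a bare RC4-SHA at the end re-adds RC4 if the build has it. The medium-strength classification used here (under 128 effective bits, RC4, or triple DES by name) is this example's own assumption, not the scanner's published rule.

```python
"""Expand OpenSSL cipher strings offline and flag medium-strength suites.

Added example, not from the forum thread. The ssl module hands the string to
the local OpenSSL, so the result reflects that OpenSSL's cipher table and
aliases exactly as the BIG-IP's own httpd build would reflect its own.
"""
import ssl

# Cipher strings quoted from the thread.
ORIGINAL = "HIGH:!ADH"
PROPOSED = "ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA"
SUGGESTED = "TLSv1.2+HIGH:!aNULL:!eNULL"
FINAL = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "AES128-SHA256:AES256-SHA256"
)


def expand(cipher_string):
    """Return the pre-TLS 1.3 suites an OpenSSL cipher string selects, in
    preference order, as (name, strength_bits) tuples.

    strength_bits is the effective key strength OpenSSL reports; triple DES
    reports 112 even though its nominal key is 168 bits.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [
        (c["name"], c["strength_bits"])
        for c in ctx.get_ciphers()
        # TLS 1.3 suites are configured separately and not by this string.
        if c["protocol"] != "TLSv1.3"
    ]


def is_medium_strength(name, strength_bits):
    """Assumed classification for this example (not the scanner's exact rule):
    anything under 128 effective bits, plus RC4 and triple DES by name."""
    return strength_bits < 128 or "RC4" in name or "DES-CBC3" in name


def medium_strength(cipher_string):
    """Names of the medium-strength suites that cipher_string selects."""
    return [n for n, bits in expand(cipher_string) if is_medium_strength(n, bits)]


def only_from_allowlist(cipher_string, allowlist):
    """True if every suite selected by cipher_string is in allowlist, i.e. the
    string did not silently pull in anything beyond the names you wrote."""
    return {n for n, _ in expand(cipher_string)} <= set(allowlist)


if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("proposed", PROPOSED),
                     ("suggested", SUGGESTED), ("final", FINAL)):
        try:
            suites = expand(s)
        except ssl.SSLError as exc:
            print(f"{label}: no cipher could be selected ({exc})")
            continue
        flagged = [n for n, b in suites if is_medium_strength(n, b)]
        print(f"{label}: {len(suites)} suites, medium-strength: {flagged or 'none'}")
```

The final explicit list from the thread returns no medium-strength suites on any OpenSSL, because every entry is AES with at least 128 bits and only_from_allowlist confirms nothing else was pulled in; whether HIGH:!ADH is flagged depends entirely on which OpenSSL sits behind the httpd, which is why the same string can look clean on a workstation and still fail the scan against the appliance.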