Sunday, May 8, 2016

ssl - Server has "weak cipher setting" according to security audit, replaced offending cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA, but still failing retest audit?



We received an audit from our local cyber security team in which one of our servers displays "Insufficient Transport Layer Protection".



According to their description:



"
DESCRIPTION:
The server supports the following weak ciphers:

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA [0x0a] RSA 3DES 168

These ciphers are known to have cryptographic weaknesses that make them unsuitable for use in SSL/TLS.
"




The solution they've provided is as follows:



"

SOLUTION: We recommend disabling support for the export and null cipher suites, as well as cipher suites using RC4/3DES. Instead, we suggest AES128-SHA for TLS 1.0 and 1.1, and AES128-GCM-SHA256 for TLS 1.2.
"



In an attempt to rectify this, this is what I have done so far:




  1. Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings

  2. Clicked on SSL Cipher Suite Order

  3. Clicked on radio button "Enabled"

  4. Replaced the string of supported cipher suites with this one:




    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5


  5. Rebooted server and ran retest using nmap utility application.




We ran a retest on our server, and it appears the vulnerability is still outgoing:



Image of nmap result



Our box is a Windows 2008 R2 server.




Is there another method on how to solve this issue?


Answer



The new cipher suite string you installed still has 3DES ciphers in it. Get rid of anything in the list with the word DES.
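
The answer's advice applied to the exact string from step 4 of the question, as an added example that is not part of the original post: it lists the suites matching the categories the audit names and rebuilds the string without them. The function names and the marker table are assumptions of this example.

```python
# Substrings for the categories the audit's SOLUTION names: export, null, RC4, 3DES.
# "DES" also matches the SSL 2.0 name SSL_CK_DES_192_EDE3_CBC_WITH_MD5.
WEAK_MARKERS = {"DES": "DES/3DES", "RC4": "RC4", "NULL": "null cipher", "EXPORT": "export"}
# Microsoft documents a 1,023-character limit for the SSL Cipher Suite Order string.
MAX_POLICY_CHARS = 1023

# The string from step 4 of the question, i.e. the value that failed the retest.
QUESTION_POLICY = ",".join([
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
])


def audit_policy(policy):
    """Split a cipher suite order string into kept suites and (suite, reason) rejects."""
    kept, rejected = [], []
    for suite in (s.strip() for s in policy.split(",")):
        if not suite:
            continue  # tolerate stray commas or whitespace from copy/paste
        reason = next((why for marker, why in WEAK_MARKERS.items()
                       if marker in suite.upper()), None)
        if reason:
            rejected.append((suite, reason))
        else:
            kept.append(suite)
    return kept, rejected


def cleaned_policy(policy):
    """Return the policy string without the weak suites, original order preserved."""
    cleaned = ",".join(audit_policy(policy)[0])
    if len(cleaned) > MAX_POLICY_CHARS:
        raise ValueError("cleaned string exceeds the policy length limit")
    return cleaned


if __name__ == "__main__":
    for suite, reason in audit_policy(QUESTION_POLICY)[1]:
        print(f"remove {suite}: {reason}")
    print(cleaned_policy(QUESTION_POLICY))
```

Run against the question's string, it reports the two remaining DES-based entries and prints a replacement value for the SSL Cipher Suite Order setting.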

