SSL Vulnerabilities


Hi,

The following 2 vulnerabilities were detected in a VA scan required for PCI compliance:

1. SSL Weak Cipher Suites Supported
2. SSL Medium Strength Cipher Suites Supported

I’m using CentOS 5.8 with OpenSSL version “openssl-0.9.8e-22.el5_8.4”. Any idea how to get rid of this?

Thanks, Anumeha

4 thoughts on - SSL Vulnerabilities

  • Are you using SSL /https?
    If so, edit the SSL settings to remove the offending ciphers. Where else are you using SSL – check configs for ciphers supported. Edit to taste. HTH

  • On 31.07.2013 10:52, Anumeha Prasad wrote:

    You have far more security issues with your system than just providing weak SSL ciphers, because you are not up to date. The current CentOS 5
    minor release is 9 with a fair amount of additional bug and security updates.

    Update ASAP (`yum update`).

    Alexander

  • Thank you all.

    I edited the Connector node in the server.xml file for my Tomcat installation to include the cipher list below:

    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

    This should remove the “Weak Cipher Suites” compliance error for Tomcat in the VA scan.

    Had to do this as I was unable to find the ssl.conf file.

    Thanks, Anumeha
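As an added check (example code written for this page, not from the thread or from Tomcat), the script below parses the `ciphers` attribute of every SSL-enabled Connector in a server.xml and buckets each JSSE suite name as weak, medium or ok under a small policy table that is this example's own assumption rather than any scanner's exact rule set; the sample server.xml is constructed around the list posted above. Under that policy the 3DES and RC4 suites in the posted list still land in the medium bucket, so the list is worth re-checking against the scanner's own criteria before the rescan.

```python
"""Audit the ciphers attribute of each SSL-enabled Tomcat Connector for suites
a PCI VA scan is likely to flag. Added example, not from the thread; the marker
tables are this example's own assumed policy, not any scanner's exact rules."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the cipher list posted in the thread, inside a minimal server.xml.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
 ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Assumed policy (substring of the JSSE suite name -> reason), checked in this order.
WEAK = {"_NULL_": "no encryption", "EXPORT": "export-grade key",
        "_DES_": "single DES (56-bit)", "_anon_": "anonymous key exchange"}
MEDIUM = {"3DES": "3DES (112-bit effective strength)", "RC4": "RC4 stream cipher",
          "_MD5": "MD5-based MAC"}

def classify(suite):
    """Return ('weak'|'medium'|'ok', reason) for one JSSE cipher suite name."""
    for level, table in (("weak", WEAK), ("medium", MEDIUM)):
        for marker, why in table.items():
            if marker in suite:
                return level, why
    return "ok", ""

def audit(server_xml):
    """Map each SSL-enabled Connector port to its suites bucketed by level."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing to check
        suites = [s for s in re.split(r"[,\s]+", conn.get("ciphers", "")) if s]
        buckets = {"weak": [], "medium": [], "ok": []}
        for s in suites:
            buckets[classify(s)[0]].append(s)
        report[conn.get("port")] = buckets
    return report

if __name__ == "__main__":
    for port, b in audit(SAMPLE_SERVER_XML).items():
        print(f"Connector {port}: {len(b['weak'])} weak, {len(b['medium'])} medium, {len(b['ok'])} ok")
        for s in b["weak"] + b["medium"]:
            print(f"  {s}: {classify(s)[1]}")
```

Point `audit()` at the real server.xml contents to run it against an installation; only Connectors with `SSLEnabled="true"` are examined.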
