on 04-06-2012 1:40 AM
Hi,
We've set up Web Dispatcher 7.20 on Windows 2008 server. We are using Web Dispatcher to load balance J2EE App Servers and using end-to-end SSL. Our enterprise security team ran a scan with the web dispatcher URL and identified weak ciphers. The remediation proposed is to disable weak ciphers on the windows registry.
Using "note 1648045 - Remove particular Ciphers from the Cipher Suite", we've removed the weak ciphers in App Servers (Visual Administrator -> Dispatcher -> SSL Provider -> Cipher Suite) and if we run a check with app server URL, then these weak ciphers are listed as 'Unsupported' which is good. However, our security team is using the web dispatcher URL and web dispatcher is probably picking up these ciphers from Windows Registry. THCSSLCheck.exe is reporting the following ciphers as weak.
We've disabled these ciphers in windows registry but THCSSLCheck.exe is still reporting them. Any idea how to resolve this issue?
THCSSLCheck.exe <Web Dispatcher Host> <Web Dispatcher Port>
------------------------------------------------------------------------
THCSSLCheck v0.1 - coding johnny cyberpunk (www.thc.org) 2004
------------------------------------------------------------------------
[*] testing if port is up. pleaze wait...
[*] port is up !
[*] testing if service speaks SSL ...
[*] service speaks SSL !
[*] now testing SSLv2
----------------------------------------------------------------------
DES-CBC3-MD5 - 168 Bits - unsupported
IDEA-CBC-MD5 - 128 Bits - unsupported
RC2-CBC-MD5 - 128 Bits - unsupported
RC4-MD5 - 128 Bits - unsupported
RC4-64-MD5 - 64 Bits - unsupported
DES-CBC-MD5 - 56 Bits - unsupported
EXP-RC2-CBC-MD5 - 40 Bits - unsupported
EXP-RC4-MD5 - 40 Bits - unsupported
[*] now testing SSLv3
----------------------------------------------------------------------
DHE-RSA-AES256-SHA - 256 Bits - unsupported
DHE-DSS-AES256-SHA - 256 Bits - unsupported
AES256-SHA - 256 Bits - supported
EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
DES-CBC3-SHA - 168 Bits - supported
DHE-RSA-AES128-SHA - 128 Bits - unsupported
DHE-DSS-AES128-SHA - 128 Bits - unsupported
AES128-SHA - 128 Bits - supported
IDEA-CBC-SHA - 128 Bits - unsupported
DHE-DSS-RC4-SHA - 128 Bits - unsupported
RC4-SHA - 128 Bits - supported
RC4-MD5 - 128 Bits - supported
EXP1024-DHE-DSS-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-RC2-CBC-MD5 - 56 Bits - unsupported
EDH-RSA-DES-CBC-SHA - 56 Bits - unsupported
EDH-DSS-DES-CBC-SHA - 56 Bits - unsupported
DES-CBC-SHA - 56 Bits - supported
EXP1024-DHE-DSS-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-MD5 - 56 Bits - unsupported
EXP-EDH-RSA-DES-CBC-SHA - 40 Bits - unsupported
EXP-EDH-DSS-DES-CBC-SHA - 40 Bits - unsupported
EXP-DES-CBC-SHA - 40 Bits - supported
EXP-RC2-CBC-MD5 - 40 Bits - supported
EXP-RC4-MD5 - 40 Bits - supported
[*] now testing TLSv1
----------------------------------------------------------------------
DHE-RSA-AES256-SHA - 256 Bits - unsupported
DHE-DSS-AES256-SHA - 256 Bits - unsupported
AES256-SHA - 256 Bits - supported
EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
DES-CBC3-SHA - 168 Bits - supported
DHE-RSA-AES128-SHA - 128 Bits - unsupported
DHE-DSS-AES128-SHA - 128 Bits - unsupported
AES128-SHA - 128 Bits - supported
IDEA-CBC-SHA - 128 Bits - unsupported
DHE-DSS-RC4-SHA - 128 Bits - unsupported
RC4-SHA - 128 Bits - supported
RC4-MD5 - 128 Bits - supported
EXP1024-DHE-DSS-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-RC2-CBC-MD5 - 56 Bits - unsupported
EDH-RSA-DES-CBC-SHA - 56 Bits - unsupported
EDH-DSS-DES-CBC-SHA - 56 Bits - unsupported
DES-CBC-SHA - 56 Bits - supported
EXP1024-DHE-DSS-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-MD5 - 56 Bits - unsupported
EXP-EDH-RSA-DES-CBC-SHA - 40 Bits - unsupported
EXP-EDH-DSS-DES-CBC-SHA - 40 Bits - unsupported
EXP-DES-CBC-SHA - 40 Bits - supported
EXP-RC2-CBC-MD5 - 40 Bits - supported
EXP-RC4-MD5 - 40 Bits - supported
Thanks
Ram
Hi,
As you use end-to-end SSL, you have actually deactivated the weak ciphers, but the test is done on the web dispatcher, so you also have to deactivate the weak ciphers on the web dispatcher.
For this, set parameter ssl/ciphersuites in the web dispatcher profile file.
For example:
ssl/ciphersuites=129:HIGH
gives this result:
--------------------------------------------------------------
THCSSLCheck v0.1 - coding johnny cyberpunk (www.thc.org) 2004
--------------------------------------------------------------
[*] testing if port is up. pleaze wait...
[*] port is up !
[*] testing if service speaks SSL ...
[*] service speaks SSL !
[*] now testing SSLv2
--------------------------------------------------------------
DES-CBC3-MD5 - 168 Bits - unsupported
IDEA-CBC-MD5 - 128 Bits - unsupported
RC2-CBC-MD5 - 128 Bits - unsupported
RC4-MD5 - 128 Bits - unsupported
RC4-64-MD5 - 64 Bits - unsupported
DES-CBC-MD5 - 56 Bits - unsupported
EXP-RC2-CBC-MD5 - 40 Bits - unsupported
EXP-RC4-MD5 - 40 Bits - unsupported
[*] now testing SSLv3
--------------------------------------------------------------
DHE-RSA-AES256-SHA - 256 Bits - unsupported
DHE-DSS-AES256-SHA - 256 Bits - unsupported
AES256-SHA - 256 Bits - unsupported
EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
DES-CBC3-SHA - 168 Bits - unsupported
DHE-RSA-AES128-SHA - 128 Bits - unsupported
DHE-DSS-AES128-SHA - 128 Bits - unsupported
AES128-SHA - 128 Bits - unsupported
IDEA-CBC-SHA - 128 Bits - unsupported
DHE-DSS-RC4-SHA - 128 Bits - unsupported
RC4-SHA - 128 Bits - unsupported
RC4-MD5 - 128 Bits - unsupported
EXP1024-DHE-DSS-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-RC2-CBC-MD5 - 56 Bits - unsupported
EDH-RSA-DES-CBC-SHA - 56 Bits - unsupported
EDH-DSS-DES-CBC-SHA - 56 Bits - unsupported
DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DHE-DSS-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-MD5 - 56 Bits - unsupported
EXP-EDH-RSA-DES-CBC-SHA - 40 Bits - unsupported
EXP-EDH-DSS-DES-CBC-SHA - 40 Bits - unsupported
EXP-DES-CBC-SHA - 40 Bits - unsupported
EXP-RC2-CBC-MD5 - 40 Bits - unsupported
EXP-RC4-MD5 - 40 Bits - unsupported
[*] now testing TLSv1
--------------------------------------------------------------
DHE-RSA-AES256-SHA - 256 Bits - unsupported
DHE-DSS-AES256-SHA - 256 Bits - unsupported
AES256-SHA - 256 Bits - supported
EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
DES-CBC3-SHA - 168 Bits - supported
DHE-RSA-AES128-SHA - 128 Bits - unsupported
DHE-DSS-AES128-SHA - 128 Bits - unsupported
AES128-SHA - 128 Bits - supported
IDEA-CBC-SHA - 128 Bits - unsupported
DHE-DSS-RC4-SHA - 128 Bits - unsupported
RC4-SHA - 128 Bits - unsupported
RC4-MD5 - 128 Bits - unsupported
EXP1024-DHE-DSS-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-RC2-CBC-MD5 - 56 Bits - unsupported
EDH-RSA-DES-CBC-SHA - 56 Bits - unsupported
EDH-DSS-DES-CBC-SHA - 56 Bits - unsupported
DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DHE-DSS-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-MD5 - 56 Bits - unsupported
EXP-EDH-RSA-DES-CBC-SHA - 40 Bits - unsupported
EXP-EDH-DSS-DES-CBC-SHA - 40 Bits - unsupported
EXP-DES-CBC-SHA - 40 Bits - unsupported
EXP-RC2-CBC-MD5 - 40 Bits - unsupported
EXP-RC4-MD5 - 40 Bits - unsupported
Regards,
Olivier
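To compare a scan mechanically before and after setting ssl/ciphersuites, here is an added Python example that is not part of the thread: it parses the THCSSLCheck output format quoted above and lists the ciphers the scanned endpoint still accepts that violate a policy. The policy itself (reject SSLv2, keys under 128 bits, RC4 and MD5) and the sample lines are my assumptions, not a recommendation from either poster.

```python
import re

# Sample THCSSLCheck output, constructed from lines quoted in the thread above.
SAMPLE_SCAN = """\
[*] now testing SSLv2
DES-CBC3-MD5 - 168 Bits - unsupported
[*] now testing SSLv3
AES256-SHA - 256 Bits - supported
RC4-MD5 - 128 Bits - supported
DES-CBC-SHA - 56 Bits - supported
EXP-RC4-MD5 - 40 Bits - supported
[*] now testing TLSv1
AES128-SHA - 128 Bits - supported
DES-CBC3-SHA - 168 Bits - supported
EXP-DES-CBC-SHA - 40 Bits - unsupported
"""

SECTION_RE = re.compile(r"^\[\*\] now testing (\S+)")
CIPHER_RE = re.compile(r"^(\S+) - (\d+) Bits - (supported|unsupported)$")

def parse_scan(text):
    """Return (protocol, cipher, bits, supported) tuples from THCSSLCheck output."""
    protocol, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            protocol = m.group(1)   # SSLv2 / SSLv3 / TLSv1 section header
            continue
        m = CIPHER_RE.match(line)
        if m and protocol:
            rows.append((protocol, m.group(1), int(m.group(2)), m.group(3) == "supported"))
    return rows

def weak_reason(protocol, cipher, bits):
    """Assumed policy (not from the thread); returns None when the suite is acceptable."""
    if protocol == "SSLv2":
        return "SSLv2 protocol"
    if cipher.startswith("EXP") or bits < 128:
        return "weak key (%d bits)" % bits
    if "RC4" in cipher:
        return "RC4 stream cipher"
    if "-MD5" in cipher:
        return "MD5 MAC"
    return None

def weak_supported(text):
    """Suites the endpoint still negotiates that the policy rejects."""
    return [(p, c, weak_reason(p, c, b)) for p, c, b, ok in parse_scan(text)
            if ok and weak_reason(p, c, b)]

if __name__ == "__main__":
    for protocol, cipher, reason in weak_supported(SAMPLE_SCAN):
        print("%-6s %-24s %s" % (protocol, cipher, reason))
```

Run it against the saved output of `THCSSLCheck.exe <host> <port>` before and after the profile change; an empty result after the change means the dispatcher-side fix is in effect.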