Weak Ciphers - Web Dispatcher on Windows 2008 Server

Former Member
0 Kudos

Hi,

We've set up Web Dispatcher 7.20 on a Windows 2008 server. We are using Web Dispatcher to load balance J2EE App Servers and using end-to-end SSL. Our enterprise security team ran a scan with the web dispatcher URL and identified weak ciphers. The remediation proposed is to disable weak ciphers in the Windows registry.

Using "note 1648045 - Remove particular Ciphers from the Cipher Suite", we've removed the weak ciphers in the App Servers (Visual Administrator -> Dispatcher -> SSL Provider -> Cipher Suite), and if we run a check with the app server URL, these weak ciphers are listed as 'Unsupported', which is good. However, our security team is using the web dispatcher URL, and the web dispatcher is probably picking up these ciphers from the Windows registry. THCSSLCheck.exe is reporting the following ciphers as weak.

  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

We've disabled these ciphers in the Windows registry, but THCSSLCheck.exe is still reporting them. Any idea how to resolve this issue?

THCSSLCheck.exe <Web Dispatcher Host> <Web Dispatcher Port>

------------------------------------------------------------------------
THCSSLCheck v0.1 - coding johnny cyberpunk (www.thc.org) 2004
------------------------------------------------------------------------

[*] testing if port is up. pleaze wait...
[*] port is up !
[*] testing if service speaks SSL ...
[*] service speaks SSL !


[*] now testing SSLv2
----------------------------------------------------------------------
                  DES-CBC3-MD5 - 168 Bits - unsupported
                  IDEA-CBC-MD5 - 128 Bits - unsupported
                   RC2-CBC-MD5 - 128 Bits - unsupported
                       RC4-MD5 - 128 Bits - unsupported
                    RC4-64-MD5 -  64 Bits - unsupported
                   DES-CBC-MD5 -  56 Bits - unsupported
               EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                   EXP-RC4-MD5 -  40 Bits - unsupported


[*] now testing SSLv3
----------------------------------------------------------------------
            DHE-RSA-AES256-SHA - 256 Bits - unsupported
            DHE-DSS-AES256-SHA - 256 Bits - unsupported
                    AES256-SHA - 256 Bits -   supported
          EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
          EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                  DES-CBC3-SHA - 168 Bits -   supported
            DHE-RSA-AES128-SHA - 128 Bits - unsupported
            DHE-DSS-AES128-SHA - 128 Bits - unsupported
                    AES128-SHA - 128 Bits -   supported
                  IDEA-CBC-SHA - 128 Bits - unsupported
               DHE-DSS-RC4-SHA - 128 Bits - unsupported
                       RC4-SHA - 128 Bits -   supported
                       RC4-MD5 - 128 Bits -   supported
   EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
           EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
           EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                   DES-CBC-SHA -  56 Bits -   supported
       EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-MD5 -  56 Bits - unsupported
       EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
       EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
               EXP-DES-CBC-SHA -  40 Bits -   supported
               EXP-RC2-CBC-MD5 -  40 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits -   supported


[*] now testing TLSv1
----------------------------------------------------------------------
            DHE-RSA-AES256-SHA - 256 Bits - unsupported
            DHE-DSS-AES256-SHA - 256 Bits - unsupported
                    AES256-SHA - 256 Bits -   supported
          EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
          EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                  DES-CBC3-SHA - 168 Bits -   supported
            DHE-RSA-AES128-SHA - 128 Bits - unsupported
            DHE-DSS-AES128-SHA - 128 Bits - unsupported
                    AES128-SHA - 128 Bits -   supported
                  IDEA-CBC-SHA - 128 Bits - unsupported
               DHE-DSS-RC4-SHA - 128 Bits - unsupported
                       RC4-SHA - 128 Bits -   supported
                       RC4-MD5 - 128 Bits -   supported
   EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
           EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
           EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                   DES-CBC-SHA -  56 Bits -   supported
       EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-MD5 -  56 Bits - unsupported
       EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
       EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
               EXP-DES-CBC-SHA -  40 Bits -   supported
               EXP-RC2-CBC-MD5 -  40 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits -   supported

Thanks

Ram

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

As you use end-to-end SSL, you have actually deactivated the weak ciphers, but the test is done on the web dispatcher, so you also have to deactivate the weak ciphers on the web dispatcher.

For this, set parameter ssl/ciphersuites in the web dispatcher profile file.

For example:

ssl/ciphersuites=129:HIGH

gives this result:

--------------------------------------------------------------
THCSSLCheck v0.1 - coding johnny cyberpunk (www.thc.org) 2004
--------------------------------------------------------------

[*] testing if port is up. pleaze wait...
[*] port is up !
[*] testing if service speaks SSL ...
[*] service speaks SSL !


[*] now testing SSLv2
--------------------------------------------------------------
                  DES-CBC3-MD5 - 168 Bits - unsupported
                  IDEA-CBC-MD5 - 128 Bits - unsupported
                   RC2-CBC-MD5 - 128 Bits - unsupported
                       RC4-MD5 - 128 Bits - unsupported
                    RC4-64-MD5 -  64 Bits - unsupported
                   DES-CBC-MD5 -  56 Bits - unsupported
               EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                   EXP-RC4-MD5 -  40 Bits - unsupported


[*] now testing SSLv3
--------------------------------------------------------------
            DHE-RSA-AES256-SHA - 256 Bits - unsupported
            DHE-DSS-AES256-SHA - 256 Bits - unsupported
                    AES256-SHA - 256 Bits - unsupported
          EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
          EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                  DES-CBC3-SHA - 168 Bits - unsupported
            DHE-RSA-AES128-SHA - 128 Bits - unsupported
            DHE-DSS-AES128-SHA - 128 Bits - unsupported
                    AES128-SHA - 128 Bits - unsupported
                  IDEA-CBC-SHA - 128 Bits - unsupported
               DHE-DSS-RC4-SHA - 128 Bits - unsupported
                       RC4-SHA - 128 Bits - unsupported
                       RC4-MD5 - 128 Bits - unsupported
   EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
           EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
           EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                   DES-CBC-SHA -  56 Bits - unsupported
       EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-MD5 -  56 Bits - unsupported
       EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
       EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
               EXP-DES-CBC-SHA -  40 Bits - unsupported
               EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                   EXP-RC4-MD5 -  40 Bits - unsupported


[*] now testing TLSv1
--------------------------------------------------------------
            DHE-RSA-AES256-SHA - 256 Bits - unsupported
            DHE-DSS-AES256-SHA - 256 Bits - unsupported
                    AES256-SHA - 256 Bits -   supported
          EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
          EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                  DES-CBC3-SHA - 168 Bits -   supported
            DHE-RSA-AES128-SHA - 128 Bits - unsupported
            DHE-DSS-AES128-SHA - 128 Bits - unsupported
                    AES128-SHA - 128 Bits -   supported
                  IDEA-CBC-SHA - 128 Bits - unsupported
               DHE-DSS-RC4-SHA - 128 Bits - unsupported
                       RC4-SHA - 128 Bits - unsupported
                       RC4-MD5 - 128 Bits - unsupported
   EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
           EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
           EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                   DES-CBC-SHA -  56 Bits - unsupported
       EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-MD5 -  56 Bits - unsupported
       EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
       EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
               EXP-DES-CBC-SHA -  40 Bits - unsupported
               EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                   EXP-RC4-MD5 -  40 Bits - unsupported

Regards,

Olivier
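As an added example (not Olivier's code, and not part of Web Dispatcher or THCSSLCheck), here is a small Python checker for the report format THCSSLCheck prints in both posts above: it groups each protocol section's suites and lists those that are both weak and still offered, so the scan taken before and after setting ssl/ciphersuites can be compared mechanically. The two excerpts are constructed from the output on this page, and the weakness policy (SSLv2, export-grade, under 128 bits, RC4 or MD5) is an assumption chosen to match the findings the security team raised.

```python
import re

# Constructed excerpts in THCSSLCheck's report format: before and after ssl/ciphersuites.
SCAN_BEFORE = """\
[*] now testing SSLv2
                   EXP-RC4-MD5 -  40 Bits - unsupported
[*] now testing SSLv3
                    AES256-SHA - 256 Bits -   supported
                       RC4-MD5 - 128 Bits -   supported
                   DES-CBC-SHA -  56 Bits -   supported
               EXP-RC2-CBC-MD5 -  40 Bits -   supported
[*] now testing TLSv1
                    AES256-SHA - 256 Bits -   supported
                  DES-CBC3-SHA - 168 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits -   supported
"""
SCAN_AFTER = """\
[*] now testing SSLv3
                       RC4-MD5 - 128 Bits - unsupported
[*] now testing TLSv1
                    AES256-SHA - 256 Bits -   supported
                  DES-CBC3-SHA - 168 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits - unsupported
"""
PROTO_RE = re.compile(r"^\[\*\] now testing (\S+)")
SUITE_RE = re.compile(r"^\s*(\S+)\s+-\s+(\d+) Bits\s+-\s+(un)?supported\s*$")

def parse_report(text):
    """Group the listed suites by protocol section: {proto: [(name, bits, supported)]}."""
    report, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:                      # a new "[*] now testing <proto>" section starts
            proto = m.group(1)
            report.setdefault(proto, [])
            continue
        m = SUITE_RE.match(line)
        if m and proto is not None:
            report[proto].append((m.group(1), int(m.group(2)), m.group(3) is None))
    return report

def is_weak(proto, name, bits):
    """Assumed policy matching the scan findings: SSLv2, export-grade, <128-bit, RC4 or MD5."""
    return (proto == "SSLv2" or bits < 128 or name.startswith("EXP")
            or "RC4" in name or "MD5" in name)

def weak_supported(text):
    """(protocol, suite) pairs that are weak under the policy and offered by the server."""
    return [(proto, name) for proto, suites in parse_report(text).items()
            for name, bits, ok in suites if ok and is_weak(proto, name, bits)]
```

Pointed at the dispatcher scan rather than the app server scan, an empty result from weak_supported is the condition the security team's rescan needs to show.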

Former Member
0 Kudos

This is great, Olivier. Works like a charm. However, I've used "HIGH:MEDIUM" as we want to support SSLv3 and TLS at this point. "129:HIGH" is more strict and our application didn't work with SSLv3.

Thanks for the help.

Ram

Answers (0)