Former Member

Weak Ciphers - Web Dispatcher on Windows 2008 Server

Hi,

We've set up Web Dispatcher 7.20 on Windows 2008 server. We are using Web Dispatcher to load balance J2EE App Servers and using end-to-end SSL. Our enterprise security team ran a scan with the web dispatcher URL and identified weak ciphers. The remediation proposed is to disable weak ciphers in the Windows registry.

Using "note 1648045 - Remove particular Ciphers from the Cipher Suite", we've removed the weak ciphers in the App Servers (Visual Administrator -> Dispatcher -> SSL Provider -> Cipher Suite), and if we run a check with the app server URL, these weak ciphers are listed as 'Unsupported', which is good. However, our security team is using the web dispatcher URL, and the web dispatcher is probably picking up these ciphers from the Windows registry. THCSSLCheck.exe is reporting the following ciphers as weak.

  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

We've disabled these ciphers in the Windows registry, but THCSSLCheck.exe is still reporting them. Any idea how to resolve this issue?

THCSSLCheck.exe <Web Dispatcher Host> <Web Dispatcher Port>

------------------------------------------------------------------------
THCSSLCheck v0.1 - coding johnny cyberpunk (www.thc.org) 2004
------------------------------------------------------------------------

[*] testing if port is up. pleaze wait...
[*] port is up !
[*] testing if service speaks SSL ...
[*] service speaks SSL !


[*] now testing SSLv2
----------------------------------------------------------------------
                  DES-CBC3-MD5 - 168 Bits - unsupported
                  IDEA-CBC-MD5 - 128 Bits - unsupported
                   RC2-CBC-MD5 - 128 Bits - unsupported
                       RC4-MD5 - 128 Bits - unsupported
                    RC4-64-MD5 -  64 Bits - unsupported
                   DES-CBC-MD5 -  56 Bits - unsupported
               EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                   EXP-RC4-MD5 -  40 Bits - unsupported


[*] now testing SSLv3
----------------------------------------------------------------------
            DHE-RSA-AES256-SHA - 256 Bits - unsupported
            DHE-DSS-AES256-SHA - 256 Bits - unsupported
                    AES256-SHA - 256 Bits -   supported
          EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
          EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                  DES-CBC3-SHA - 168 Bits -   supported
            DHE-RSA-AES128-SHA - 128 Bits - unsupported
            DHE-DSS-AES128-SHA - 128 Bits - unsupported
                    AES128-SHA - 128 Bits -   supported
                  IDEA-CBC-SHA - 128 Bits - unsupported
               DHE-DSS-RC4-SHA - 128 Bits - unsupported
                       RC4-SHA - 128 Bits -   supported
                       RC4-MD5 - 128 Bits -   supported
   EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
           EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
           EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                   DES-CBC-SHA -  56 Bits -   supported
       EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-MD5 -  56 Bits - unsupported
       EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
       EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
               EXP-DES-CBC-SHA -  40 Bits -   supported
               EXP-RC2-CBC-MD5 -  40 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits -   supported


[*] now testing TLSv1
----------------------------------------------------------------------
            DHE-RSA-AES256-SHA - 256 Bits - unsupported
            DHE-DSS-AES256-SHA - 256 Bits - unsupported
                    AES256-SHA - 256 Bits -   supported
          EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
          EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                  DES-CBC3-SHA - 168 Bits -   supported
            DHE-RSA-AES128-SHA - 128 Bits - unsupported
            DHE-DSS-AES128-SHA - 128 Bits - unsupported
                    AES128-SHA - 128 Bits -   supported
                  IDEA-CBC-SHA - 128 Bits - unsupported
               DHE-DSS-RC4-SHA - 128 Bits - unsupported
                       RC4-SHA - 128 Bits -   supported
                       RC4-MD5 - 128 Bits -   supported
   EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
           EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
           EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                   DES-CBC-SHA -  56 Bits -   supported
       EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-SHA -  56 Bits - unsupported
               EXP1024-RC4-MD5 -  56 Bits - unsupported
       EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
       EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
               EXP-DES-CBC-SHA -  40 Bits -   supported
               EXP-RC2-CBC-MD5 -  40 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits -   supported

Thanks

Ram


1 Answer

  • Best Answer
    Former Member
    Apr 11, 2012 at 01:33 PM

    Hi,

    As you use end-to-end SSL, you have actually deactivated the weak ciphers, but the test is done on the web dispatcher, so you also have to deactivate the weak ciphers on the web dispatcher.

    For this, set the parameter ssl/ciphersuites in the web dispatcher profile file.

    For example:

    ssl/ciphersuites=129:HIGH

    gives this result:

    --------------------------------------------------------------
    THCSSLCheck v0.1 - coding johnny cyberpunk (www.thc.org) 2004
    --------------------------------------------------------------

    [*] testing if port is up. pleaze wait...
    [*] port is up !
    [*] testing if service speaks SSL ...
    [*] service speaks SSL !


    [*] now testing SSLv2
    --------------------------------------------------------------
                      DES-CBC3-MD5 - 168 Bits - unsupported
                      IDEA-CBC-MD5 - 128 Bits - unsupported
                       RC2-CBC-MD5 - 128 Bits - unsupported
                           RC4-MD5 - 128 Bits - unsupported
                        RC4-64-MD5 -  64 Bits - unsupported
                       DES-CBC-MD5 -  56 Bits - unsupported
                   EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                       EXP-RC4-MD5 -  40 Bits - unsupported


    [*] now testing SSLv3
    --------------------------------------------------------------
                DHE-RSA-AES256-SHA - 256 Bits - unsupported
                DHE-DSS-AES256-SHA - 256 Bits - unsupported
                        AES256-SHA - 256 Bits - unsupported
              EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
              EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                      DES-CBC3-SHA - 168 Bits - unsupported
                DHE-RSA-AES128-SHA - 128 Bits - unsupported
                DHE-DSS-AES128-SHA - 128 Bits - unsupported
                        AES128-SHA - 128 Bits - unsupported
                      IDEA-CBC-SHA - 128 Bits - unsupported
                   DHE-DSS-RC4-SHA - 128 Bits - unsupported
                           RC4-SHA - 128 Bits - unsupported
                           RC4-MD5 - 128 Bits - unsupported
       EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
               EXP1024-DES-CBC-SHA -  56 Bits - unsupported
               EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
               EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
               EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                       DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
                   EXP1024-RC4-SHA -  56 Bits - unsupported
                   EXP1024-RC4-MD5 -  56 Bits - unsupported
           EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
           EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
                   EXP-DES-CBC-SHA -  40 Bits - unsupported
                   EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                       EXP-RC4-MD5 -  40 Bits - unsupported


    [*] now testing TLSv1
    --------------------------------------------------------------
                DHE-RSA-AES256-SHA - 256 Bits - unsupported
                DHE-DSS-AES256-SHA - 256 Bits - unsupported
                        AES256-SHA - 256 Bits -   supported
              EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
              EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
                      DES-CBC3-SHA - 168 Bits -   supported
                DHE-RSA-AES128-SHA - 128 Bits - unsupported
                DHE-DSS-AES128-SHA - 128 Bits - unsupported
                        AES128-SHA - 128 Bits -   supported
                      IDEA-CBC-SHA - 128 Bits - unsupported
                   DHE-DSS-RC4-SHA - 128 Bits - unsupported
                           RC4-SHA - 128 Bits - unsupported
                           RC4-MD5 - 128 Bits - unsupported
       EXP1024-DHE-DSS-DES-CBC-SHA -  56 Bits - unsupported
               EXP1024-DES-CBC-SHA -  56 Bits - unsupported
               EXP1024-RC2-CBC-MD5 -  56 Bits - unsupported
               EDH-RSA-DES-CBC-SHA -  56 Bits - unsupported
               EDH-DSS-DES-CBC-SHA -  56 Bits - unsupported
                       DES-CBC-SHA -  56 Bits - unsupported
           EXP1024-DHE-DSS-RC4-SHA -  56 Bits - unsupported
                   EXP1024-RC4-SHA -  56 Bits - unsupported
                   EXP1024-RC4-MD5 -  56 Bits - unsupported
           EXP-EDH-RSA-DES-CBC-SHA -  40 Bits - unsupported
           EXP-EDH-DSS-DES-CBC-SHA -  40 Bits - unsupported
                   EXP-DES-CBC-SHA -  40 Bits - unsupported
                   EXP-RC2-CBC-MD5 -  40 Bits - unsupported
                       EXP-RC4-MD5 -  40 Bits - unsupported

    Regards,

    Olivier


    • Former Member

      This is great, Olivier. Works like a charm. However, I've used "HIGH:MEDIUM" as we want to support SSLv3 and TLS at this point. "129:HIGH" is more strict, and our application didn't work with SSLv3.

      Thanks for the help.

      Ram
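
Added example, not part of the thread or of SAP's tooling: a small parser for THCSSLCheck-style listings that reports which suites the dispatcher still accepts that fail a weakness rule, which protocol versions remain negotiable, and whether the three suites the question's scanner named are still accepted. It covers both Olivier's answer (verifying the effect of ssl/ciphersuites=129:HIGH from the scan text) and Ram's comment (the same listing shows that SSLv3 is no longer offered after 129:HIGH). The two scan excerpts are constructed from the output quoted above, not captured live; the weakness rules (export grade, key below 112 bits, RC4, MD5 MAC, SSLv2) are this example's own choice and can be tightened with `min_bits`.

```python
"""Parse THCSSLCheck-style output and flag accepted cipher suites that fail a
weakness rule. Added example; the scan excerpts are constructed, not captured."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Banner printed before each protocol block, e.g. "[*] now testing TLSv1"
PROTO_RE = re.compile(r"^\s*\[\*\]\s+now testing\s+(?P<proto>\S+)")
# One suite per line: "<openssl-name> - <bits> Bits - supported|unsupported"
SUITE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+-\s+(?P<bits>\d+)\s+Bits\s+-\s+(?P<status>supported|unsupported)\s*$")

# The three suites named in the question's scan report, with the OpenSSL
# spellings under which they appear in the THCSSLCheck listing.
SCANNER_TO_OPENSSL = {
    "SSL_RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": "EXP-RC4-MD5",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5": "EXP-RC2-CBC-MD5",
}

@dataclass(frozen=True)
class Suite:
    protocol: str
    name: str
    bits: int
    supported: bool

def parse_scan(text: str) -> list[Suite]:
    """Turn scanner text into Suite records, tagging each with its protocol block."""
    suites, proto = [], None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group("proto")
            continue
        m = SUITE_RE.match(line)
        if m and proto:
            suites.append(Suite(proto, m.group("name"), int(m.group("bits")),
                                m.group("status") == "supported"))
    return suites

def weakness_reasons(s: Suite, min_bits: int = 112) -> list[str]:
    """Rules chosen for this example; raise min_bits or add rules (e.g. 3DES) to tighten."""
    reasons = []
    if s.protocol == "SSLv2":
        reasons.append("SSLv2 protocol")
    if s.name.startswith("EXP"):
        reasons.append("export-grade suite")
    if s.bits < min_bits:
        reasons.append(f"{s.bits}-bit key below {min_bits}")
    if "RC4" in s.name:
        reasons.append("RC4 stream cipher")
    if s.name.endswith("-MD5"):
        reasons.append("MD5 MAC")
    return reasons

def weak_accepted(suites: list[Suite], min_bits: int = 112) -> dict[tuple[str, str], list[str]]:
    """(protocol, name) -> reasons, for every accepted suite that fails a rule."""
    out = {}
    for s in suites:
        if s.supported:
            reasons = weakness_reasons(s, min_bits)
            if reasons:
                out[(s.protocol, s.name)] = reasons
    return out

def protocols_accepted(suites: list[Suite]) -> set[str]:
    """Protocol versions for which the server accepts at least one suite."""
    return {s.protocol for s in suites if s.supported}

def reported_suites_still_accepted(suites: list[Suite]) -> list[str]:
    """Which of the scanner-named suites are still accepted (sorted)."""
    accepted = {s.name for s in suites if s.supported}
    return sorted(k for k, v in SCANNER_TO_OPENSSL.items() if v in accepted)

# Constructed excerpt of the question's scan (dispatcher with default suites).
BEFORE = """[*] now testing SSLv3
----------------------------------------------------------------------
                    AES256-SHA - 256 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits -   supported
[*] now testing TLSv1
----------------------------------------------------------------------
                    AES256-SHA - 256 Bits -   supported
                  DES-CBC3-SHA - 168 Bits -   supported
                       RC4-SHA - 128 Bits -   supported
                       RC4-MD5 - 128 Bits -   supported
           EXP1024-DES-CBC-SHA -  56 Bits - unsupported
                   DES-CBC-SHA -  56 Bits -   supported
               EXP-DES-CBC-SHA -  40 Bits -   supported
               EXP-RC2-CBC-MD5 -  40 Bits -   supported
                   EXP-RC4-MD5 -  40 Bits -   supported
"""
# Constructed excerpt of the answer's scan after ssl/ciphersuites=129:HIGH.
AFTER = """[*] now testing SSLv3
----------------------------------------------------------------------
                    AES256-SHA - 256 Bits - unsupported
                   EXP-RC4-MD5 -  40 Bits - unsupported
[*] now testing TLSv1
----------------------------------------------------------------------
                    AES256-SHA - 256 Bits -   supported
                  DES-CBC3-SHA - 168 Bits -   supported
                    AES128-SHA - 128 Bits -   supported
                       RC4-SHA - 128 Bits - unsupported
                   DES-CBC-SHA -  56 Bits - unsupported
                   EXP-RC4-MD5 -  40 Bits - unsupported
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after 129:HIGH", AFTER)):
        suites = parse_scan(text)
        print(f"{label}: protocols accepted {sorted(protocols_accepted(suites))}")
        for (proto, name), why in sorted(weak_accepted(suites).items()):
            print(f"  WEAK {proto} {name}: {', '.join(why)}")
        print(f"  scanner-named suites still accepted: {reported_suites_still_accepted(suites)}")
```

Run against a real scan, the "after" report should show no weak entries and only the protocol versions you intend to offer; the "before" excerpt reproduces the three suites the security team flagged plus the RC4 suites, which the same rules catch. Raising `min_bits` to 256 flags 3DES and AES-128 as well, which is how you would express a stricter policy than the 2012 scanner applied.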