Former Member
Apr 06, 2012 at 12:40 AM

Weak Ciphers - Web Dispatcher on Windows 2008 Server

Hi,

We've set up Web Dispatcher 7.20 on Windows 2008 server. We are using Web Dispatcher to load balance J2EE App Servers and using end-to-end SSL. Our enterprise security team ran a scan with the Web Dispatcher URL and identified weak ciphers. The remediation proposed is to disable weak ciphers in the Windows registry.

Using "note 1648045 - Remove particular Ciphers from the Cipher Suite", we've removed the weak ciphers in the App Servers (Visual Administrator -> Dispatcher -> SSL Provider -> Cipher Suite), and if we run a check with the app server URL, these weak ciphers are listed as 'Unsupported', which is good. However, our security team is using the Web Dispatcher URL, and Web Dispatcher is probably picking up these ciphers from the Windows registry. THCSSLCheck.exe is reporting the following ciphers as weak.

  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

We've disabled these ciphers in the Windows registry, but THCSSLCheck.exe is still reporting them. Any idea how to resolve this issue?

THCSSLCheck.exe <Web Dispatcher Host> <Web Dispatcher Port>

------------------------------------------------------------------------
THCSSLCheck v0.1 - coding johnny cyberpunk (www.thc.org) 2004
------------------------------------------------------------------------

[*] testing if port is up. pleaze wait...
[*] port is up !
[*] testing if service speaks SSL ...
[*] service speaks SSL !


[*] now testing SSLv2
----------------------------------------------------------------------
DES-CBC3-MD5 - 168 Bits - unsupported
IDEA-CBC-MD5 - 128 Bits - unsupported
RC2-CBC-MD5 - 128 Bits - unsupported
RC4-MD5 - 128 Bits - unsupported
RC4-64-MD5 - 64 Bits - unsupported
DES-CBC-MD5 - 56 Bits - unsupported
EXP-RC2-CBC-MD5 - 40 Bits - unsupported
EXP-RC4-MD5 - 40 Bits - unsupported


[*] now testing SSLv3
----------------------------------------------------------------------
DHE-RSA-AES256-SHA - 256 Bits - unsupported
DHE-DSS-AES256-SHA - 256 Bits - unsupported
AES256-SHA - 256 Bits - supported
EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
DES-CBC3-SHA - 168 Bits - supported
DHE-RSA-AES128-SHA - 128 Bits - unsupported
DHE-DSS-AES128-SHA - 128 Bits - unsupported
AES128-SHA - 128 Bits - supported
IDEA-CBC-SHA - 128 Bits - unsupported
DHE-DSS-RC4-SHA - 128 Bits - unsupported
RC4-SHA - 128 Bits - supported
RC4-MD5 - 128 Bits - supported
EXP1024-DHE-DSS-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-RC2-CBC-MD5 - 56 Bits - unsupported
EDH-RSA-DES-CBC-SHA - 56 Bits - unsupported
EDH-DSS-DES-CBC-SHA - 56 Bits - unsupported
DES-CBC-SHA - 56 Bits - supported
EXP1024-DHE-DSS-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-MD5 - 56 Bits - unsupported
EXP-EDH-RSA-DES-CBC-SHA - 40 Bits - unsupported
EXP-EDH-DSS-DES-CBC-SHA - 40 Bits - unsupported
EXP-DES-CBC-SHA - 40 Bits - supported
EXP-RC2-CBC-MD5 - 40 Bits - supported
EXP-RC4-MD5 - 40 Bits - supported


[*] now testing TLSv1
----------------------------------------------------------------------
DHE-RSA-AES256-SHA - 256 Bits - unsupported
DHE-DSS-AES256-SHA - 256 Bits - unsupported
AES256-SHA - 256 Bits - supported
EDH-RSA-DES-CBC3-SHA - 168 Bits - unsupported
EDH-DSS-DES-CBC3-SHA - 168 Bits - unsupported
DES-CBC3-SHA - 168 Bits - supported
DHE-RSA-AES128-SHA - 128 Bits - unsupported
DHE-DSS-AES128-SHA - 128 Bits - unsupported
AES128-SHA - 128 Bits - supported
IDEA-CBC-SHA - 128 Bits - unsupported
DHE-DSS-RC4-SHA - 128 Bits - unsupported
RC4-SHA - 128 Bits - supported
RC4-MD5 - 128 Bits - supported
EXP1024-DHE-DSS-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-DES-CBC-SHA - 56 Bits - unsupported
EXP1024-RC2-CBC-MD5 - 56 Bits - unsupported
EDH-RSA-DES-CBC-SHA - 56 Bits - unsupported
EDH-DSS-DES-CBC-SHA - 56 Bits - unsupported
DES-CBC-SHA - 56 Bits - supported
EXP1024-DHE-DSS-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-SHA - 56 Bits - unsupported
EXP1024-RC4-MD5 - 56 Bits - unsupported
EXP-EDH-RSA-DES-CBC-SHA - 40 Bits - unsupported
EXP-EDH-DSS-DES-CBC-SHA - 40 Bits - unsupported
EXP-DES-CBC-SHA - 40 Bits - supported
EXP-RC2-CBC-MD5 - 40 Bits - supported
EXP-RC4-MD5 - 40 Bits - supported

Thanks

Ram
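
Added example, not part of the original post and not SAP or THC code: a Python script that parses output in the THCSSLCheck format quoted above, lists the suites marked "supported" below a key-length threshold, and compares a scan taken before a configuration change with one taken after it to show which weak suites are still accepted. The sample text is constructed and abridged, and the function names and the 128-bit threshold are assumptions.

```python
import re

# Constructed, abridged sample in the THCSSLCheck output format quoted in the post.
SAMPLE = """\
[*] now testing SSLv2
----------------------------------------------------------------------
DES-CBC-MD5 - 56 Bits - unsupported
EXP-RC4-MD5 - 40 Bits - unsupported

[*] now testing SSLv3
----------------------------------------------------------------------
AES256-SHA - 256 Bits - supported
DES-CBC-SHA - 56 Bits - supported
EXP-RC4-MD5 - 40 Bits - supported

[*] now testing TLSv1
----------------------------------------------------------------------
AES128-SHA - 128 Bits - supported
RC4-MD5 - 128 Bits - supported
EXP-RC2-CBC-MD5 - 40 Bits - supported
"""

SECTION = re.compile(r"\[\*\] now testing (\S+)")
RESULT = re.compile(r"(\S+) - (\d+) Bits - (supported|unsupported)$")

def accepted_suites(scan_text):
    """Return {(protocol, cipher): bits} for every suite the scan marks 'supported'."""
    accepted, protocol = {}, None
    for raw in scan_text.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            protocol = m.group(1)  # results that follow belong to this protocol
        elif protocol and (m := RESULT.match(line)) and m.group(3) == "supported":
            accepted[(protocol, m.group(1))] = int(m.group(2))
    return accepted

def weak_suites(accepted, min_bits=128):
    """Suites below min_bits; the 128-bit cut-off is an assumption, set it to your policy."""
    return sorted(key for key, bits in accepted.items() if bits < min_bits)

def still_accepted(before, after, min_bits=128):
    """Weak suites present in both scans, i.e. the change did not take effect for them."""
    return sorted(set(weak_suites(before, min_bits)) & set(weak_suites(after, min_bits)))

if __name__ == "__main__":
    for protocol, cipher in weak_suites(accepted_suites(SAMPLE)):
        print(f"{protocol}: {cipher} is accepted by the scanned endpoint")
```

Running the same comparison against the app server port and the Web Dispatcher port separately shows which endpoint is still accepting a suite.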