For Coordinator Point Servers (CPS), Disable Vulnerable SSL/TLS Ciphers for port 443


Article ID: 100066046


Description

Error Message

# nmap -sV -script ssl-enum-ciphers -p 443 <ip>

Nmap scan report for <hostname>(<ip>)
Host is up (0.xxxs latency).

PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: broken

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.74 seconds

Cause

Remove all ciphers using 128-bit keys, together with the anonymous ECDH suites the scan marks as broken:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

Solution

1) Locate the OpenSSL name of each cipher listed above using the following website.

https://ciphersuite.info/cs/

2) Using the OpenSSL name, update the /etc/vxcps_ssl.properties file. 

From:

openSSL.server.cipherList = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!RC4:!3DES:!DHE

To:

openSSL.server.cipherList = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!RC4:!3DES:!DHE:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!AECDH-AES128-SHA:!AECDH-AES256-SHA:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!CAMELLIA128-SHA

3) Restart the CPSSG service group.

# hagrp -offline CPSSG -any
# hagrp -online CPSSG -any

4) Verify that only secure ciphers are being used.

# nmap -sV --script ssl-enum-ciphers -p 443 <ip to CP server>

Starting Nmap 7.92 ( https://nmap.org ) at 2024-05-02 13:41 EDT
Nmap scan report for <ip>
Host is up (0.00097s latency).

PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Forward Secrecy not supported by any cipher
|_  least strength: A
MAC Address: BC:24:11:AB:D7:FD (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.93 seconds
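Python's ssl module parses OpenSSL cipher strings with the same rules the server applies, so the two cipherList values from step 2 can be expanded offline and checked against the rule in the Cause section (no anonymous suites, nothing using 128) before the service group is restarted. This is an added example, not code from the article or from the CPS product; it assumes a TLSv1.2-only server with an RSA certificate, as both scans show, and it uses the local machine's OpenSSL build rather than the one on the CPS.

```python
import re
import ssl

# openSSL.server.cipherList values from /etc/vxcps_ssl.properties, before and
# after the change described in step 2 of the article.
BEFORE = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!RC4:!3DES:!DHE"
EXCLUDED = ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256",
            "AECDH-AES128-SHA", "AECDH-AES256-SHA", "AES128-SHA",
            "AES128-SHA256", "AES128-GCM-SHA256", "CAMELLIA128-SHA"]
AFTER = BEFORE + "".join(":!" + name for name in EXCLUDED)


def server_offers(cipher_string):
    """Expand a cipher string the way the CPS would end up offering it.

    Assumption (from the scans): a TLSv1.2-only server with an RSA certificate,
    so keep only suites for TLSv1.2 or below that are authenticated by an RSA
    key (Au=RSA) or by nothing at all (Au=None, the anonymous ECDH suites).
    Suites that need ECDSA, PSK or SRP credentials are in ALL but could never
    be negotiated by such a server, so they are dropped from the view.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # same parser OpenSSL applies on the server
    offered = []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are listed regardless of the string
        match = re.search(r"\bAu=(\S+)", cipher["description"])
        auth = match.group(1) if match else ""
        if auth in ("RSA", "None"):
            offered.append(cipher)
    return offered


def offered_names(cipher_string):
    """OpenSSL names of the suites server_offers() keeps, in preference order."""
    return [cipher["name"] for cipher in server_offers(cipher_string)]


def policy_violations(cipher_string):
    """Offered suites that break the rule from the Cause section: anonymous
    key exchange (Au=None) or '128' anywhere in the suite name."""
    return [cipher["name"] for cipher in server_offers(cipher_string)
            if "Au=None" in cipher["description"] or "128" in cipher["name"]]


if __name__ == "__main__":
    for label, cipher_string in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(offered_names(cipher_string))} suites offered")
        print("  still violating policy:", policy_violations(cipher_string))
```

Against a stock OpenSSL the updated string still matches ECDHE-RSA-AES128-GCM-SHA256, which is not among the added exclusions; whether the CPS actually offers it depends on its own OpenSSL build, so the nmap re-scan in step 4 remains the authoritative check.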

Issue/Introduction

For Coordinator Point Server (CPS), vulnerable SSL/TLS Ciphers are reported in network security scans for port 443.