What's the meaning of "SSL Medium/Weak Strength Cipher Suites Supported" reported by a security scanner?
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 4
Issue
- The message "SSL Medium Strength Cipher Suites Supported" was received after running security scanner software against the server.
- Nessus 26928 SSL Weak Cipher Suites Supported
- SSL Server Allows Cleartext Communication (NULL Cipher Support)
- We have home-grown Java applications running, and scans against the server report "SSL Weak Cipher Suites Supported"
- Is the SHA256 hash algorithm supported in RHEL 6.5?
Resolution
- During an SSL handshake, the client and the server negotiate which cipher to use.
- To see the ciphers available on your system (with openssl), execute:
# openssl ciphers -v 'ALL:COMPLEMENTOFALL'
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
...
- To avoid the use of medium strength ciphers, it is necessary to reconfigure the applications that are using them. Most applications have a parameter to do that.
- To know the ciphers that are considered high strength ciphers (128 bits or more) and with authentication, execute:
# openssl ciphers -v 'TLSv1+HIGH:!aNULL:!eNULL'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
- These ciphers should be included in the applications that use SSL negotiation to have high strength ciphers.
- To know the ciphers that are considered high strength ciphers (256 bits or more) and with authentication, execute:
# openssl ciphers -v 'TLSv1.2+HIGH:!aNULL:!eNULL'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
- These ciphers should be included in the applications that use SSL negotiation to have high strength ciphers.
Root Cause
- These concepts apply to all servers / services that use OpenSSL as their cryptographic library. The same principle goes for NSS or GnuTLS; however, you will need to see how those cryptographic libraries label their ciphers, as each library classifies cipher strength differently.
- It is because of these differences in classification that you can also end up with discrepancies with scanners. Keep this in mind when looking at what your scanner classifies as a Weak or Low Cipher.
- In addition, Apache and JBoss both have instructions for disabling Weak / Low Ciphers in the denoted articles. If your server is not Apache or JBoss, look at the Diagnostic Steps to see how you can identify the server/service that is shown as vulnerable.
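The classification described above (encrypted, authenticated, 128 bits or more) applied to `openssl ciphers -v` output, as an added example that is not part of the original article. The sample lines are constructed, the function names are hypothetical, and the optional 3DES switch is an assumption standing in for a scanner that rates 3DES lower than OpenSSL's `HIGH` does.

```shell
#!/bin/sh
# Added example (not from the original article).
# Reads `openssl ciphers -v` lines on stdin and prints a verdict per suite.
#   $1 = minimum symmetric key bits (default 128, the article's "high" floor)
#   $2 = 1 to also reject 3DES (assumed scanner policy, default 0)
classify_ciphers() {
    awk -v min="${1:-128}" -v no3des="${2:-0}" '
    NF >= 6 {
        au = ""; enc = ""; bits = 0
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Au=/)  au  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
        }
        # Enc is e.g. AES(256), 3DES(168), DES(56) or None; pull out the bits.
        if (match(enc, /\([0-9]+\)/))
            bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
        if      (enc == "None")           v = "REJECT eNULL: no encryption"
        else if (au == "None")            v = "REJECT aNULL: no authentication"
        else if (bits < min)              v = "REJECT " bits "-bit key"
        else if (no3des && enc ~ /^3DES/) v = "REJECT 3DES"
        else                              v = "OK"
        printf "%-28s %s\n", $1, v
    }'
}

# Constructed sample in `openssl ciphers -v` format, for offline use.
sample_ciphers() {
    cat <<'EOF'
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

sample_ciphers | classify_ciphers          # article's 128-bit floor
sample_ciphers | classify_ciphers 128 1    # same floor, 3DES rejected too
```

On a live system, pipe the real listing in instead of the sample: `openssl ciphers -v 'ALL:COMPLEMENTOFALL' | classify_ciphers`.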
Diagnostic Steps
- Check your report for a port number that is exhibiting the vulnerability and match that up to a process:
# netstat -tunap | grep -ie :<PORT> -ie LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1979/httpd
- Check the binary that is running for that PID
- You will want to do this to know what service it is you need to edit, to disable the weak ciphers.
# ps -ef | grep <PID> | grep -v grep
<user> 1979 1 0 06:57 ? 00:00:03 /usr/sbin/httpd