Vulnerability: SSL Medium Strength Cipher Suites Supported


manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Tue May 29, 2012 2:09 pm

Vulnerability: SSL Medium Strength Cipher Suites Supported

In my recent Nessus scan I found most of the systems reported with "SSL Medium Strength Cipher Suites Supported". I tried the solutions mentioned in "http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx" but some of the servers are still reported as vulnerable.
Kindly suggest a way to resolve the same on more than 1000+ servers remotely.

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Tue May 29, 2012 3:34 pm

Re: Vulnerability: SSL Medium Strength Cipher Suites Supported

What web servers are running on the other hosts that are reported as vulnerable? Are the results for web servers or other devices?
Are all the web servers running IIS?
Are you saying that after following the suggestions on the website above, the servers are still being reported as vulnerable?
What details are reported for the vulnerability in Nessus? Is the following message the same: http://www.nessus.org/plugins/index.php ... e&id=42873 ?
All men by nature desire knowledge.

Aristotle

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Wed May 30, 2012 12:17 am

Re: Vulnerability: SSL Medium Strength Cipher Suites Supported

You got it right, Data_Raid. The reported vulnerabilities are on IIS servers, with the same Nessus plugin ID.

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Wed May 30, 2012 4:49 am

Re: Vulnerability: SSL Medium Strength Cipher Suites Supported

You should have a list of ciphers reported as having a key length of 56 bits or 112 bits or less from the Nessus scan, and you could focus on addressing just those ciphers. The following Microsoft KB article describes how to disable the various weak ciphers: http://support.microsoft.com/kb/245030
There are many other references to disabling weak cipher keys on IIS 6, for example: http://www.waynezim.com/2011/03/how-to- ... rs-in-iis/ which also describes using a tool called SSLScan to test the ciphers easily.

HTH
All men by nature desire knowledge.

Aristotle
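
Added example (not from any post in this thread or from the linked articles): one way to apply the KB 245030 `Enabled = 0` registry setting to many servers through the Remote Registry service. The server list file, the report file and the choice of cipher subkeys are assumptions; use the ciphers your own Nessus report names.

```powershell
# Added example. File names and the cipher list below are assumptions.
$Servers = Get-Content -Path '.\servers.txt'   # hypothetical file, one hostname per line

# Subkey names as they appear under SCHANNEL\Ciphers (see KB 245030).
# Assumption: these match the ciphers your Nessus report flags; edit to fit.
$Ciphers = 'DES 56/56', 'RC2 56/128', 'RC4 56/128', 'RC4 64/128'

$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

$results = foreach ($server in $Servers) {
    try {
        # Needs the Remote Registry service and admin rights on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $server)
        $root = $hklm.OpenSubKey($Base, $true)
        if ($null -eq $root) { throw 'SCHANNEL\Ciphers key not found' }

        foreach ($cipher in $Ciphers) {
            # CreateSubKey keeps '/' as a literal character in the key name.
            # The PowerShell registry provider (New-Item HKLM:\...) would
            # treat '/' as a path separator and create nested keys instead.
            $key = $root.CreateSubKey($cipher)
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $readBack = $key.GetValue('Enabled')   # read back to confirm the write
            $key.Close()
            New-Object PSObject -Property @{
                Server = $server; Cipher = $cipher; Enabled = $readBack; Error = $null }
        }
        $root.Close(); $hklm.Close()
    }
    catch {
        # Record unreachable or non-compliant hosts instead of stopping the run.
        New-Object PSObject -Property @{
            Server = $server; Cipher = $null; Enabled = $null; Error = $_.Exception.Message }
    }
}

# One row per server and cipher, so failures can be followed up by hand.
$results | Select-Object Server, Cipher, Enabled, Error |
    Export-Csv -Path '.\schannel-ciphers.csv' -NoTypeInformation
```

Afterwards, re-run the Nessus scan or SSLScan against a sample of the hosts to confirm the ciphers are no longer offered.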
