Hi All,
I have had a security scan performed on the outside of our UTM and one of the results displays the following message:
Synopsis | The remote web server uses an old version of SSL. |
Description | The remote service accepts connections encrypted using SSL 3.0 which is obsolete and lacks key features. It is safe to disable it, because all modern clients support newer versions. |
Solution | Disable SSL 3.0 support and use TLS 1.2 instead or TLS 1.1 where 1.2 is not available. |
Findings | The remote host supports connections using SSL 3.0 protocol. |
Port | 3400/TCP |
Tags |
Synopsis | The remote service supports the RC4 cipher suites. |
Description | [CVE-2013-2566] The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. [CVE-2015-2808] The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the 'Bar Mitzvah' issue. |
Solution | Disable RC4 cipher suites in the service's configuration. Migration to TLS1.2 and AES-GCM cipher suites is highly recommended. |
Findings | RC4 cipher suites supported. |
Port | 3400/TCP |
Tags |
Can someone tell me how to adjust this in the UTM?
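The two findings quoted above are the kind that should be re-checked from outside after the service on port 3400 has been reconfigured. The script below is an added example, not part of the original post and not Sophos code: it builds a minimal ClientHello that offers only SSL 3.0 or only RC4 cipher suites, sends it, and reads the server's first record to see whether the offer was accepted (a ServerHello) or refused (an alert or a closed connection). Byte layouts follow RFC 6101 and RFC 5246. The host name, the sample ServerHello and alert records used for the offline self-check, and the `probe` helper are constructed for this example; the port is the one from the scan.

```python
"""Re-check the SSL 3.0 and RC4 findings against a TLS endpoint.

Added example (not from the original post or the UTM vendor). Builds a
ClientHello, parses the first server record, and reports whether SSL 3.0
or an RC4 suite was negotiated. Record/handshake layouts: RFC 6101, RFC 5246.
"""
import socket
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

# Cipher suite IDs from the IANA TLS registry. Only the RC4 suites matter here.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
# Suites the scanner's solution text recommends moving to (TLS 1.2 + AES-GCM).
AES_GCM_SUITES = [0xC02F, 0xC030, 0x009C]

# Constructed sample: a fatal protocol_version alert (level 2, description 70).
ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"


def build_client_hello(version, suites):
    """Handshake record carrying a ClientHello that offers only `suites` at `version`."""
    suites_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", version)
        + b"\x00" * 32                      # client_random (fixed value is fine for a probe)
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", len(suites_bytes)) + suites_bytes
        + b"\x01\x00"                       # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(version, suite):
    """Constructed ServerHello record, used only for the offline self-check below."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body   # type 2 = ServerHello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return ("hello", version, suite), ("alert", level, description) or ("other", None, None)."""
    if len(data) < 5:
        raise ValueError("record too short")
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:                                  # alert
        return ("alert", payload[0], payload[1])
    if content_type != 0x16 or payload[0] != 0x02:            # not a ServerHello
        return ("other", None, None)
    version = struct.unpack("!H", payload[4:6])[0]            # after 4-byte handshake header
    sid_len = payload[38]                                     # 2 version + 32 random
    suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
    return ("hello", version, suite)


def classify(result):
    """Turn a parsed response into a finding string; "refused" means the offer was rejected."""
    kind, version, suite = result
    if kind != "hello":
        return "refused"
    findings = []
    if version == SSL3:
        findings.append("SSL 3.0 accepted")
    if suite in RC4_SUITES:
        findings.append("RC4 accepted: " + RC4_SUITES[suite])
    return "; ".join(findings) or "ok"


def probe(host, port, version, suites, timeout=5.0):
    """Send one ClientHello and classify the first record returned (network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites))
        data = sock.recv(4096)
    if not data:
        return "refused"            # server closed the connection instead of answering
    return classify(parse_server_response(data))


if __name__ == "__main__":
    # Offline self-check on constructed records; swap in probe("utm.example", 3400, ...) for a live test.
    print(classify(parse_server_response(build_server_hello(SSL3, 0x0005))))
    print(classify(parse_server_response(build_server_hello(TLS12, 0xC02F))))
    print(classify(parse_server_response(ALERT_PROTOCOL_VERSION)))
```

Run two probes after the change: `probe(host, 3400, SSL3, AES_GCM_SUITES)` should return "refused" (no SSL 3.0 at any suite), and `probe(host, 3400, TLS12, sorted(RC4_SUITES))` should also return "refused" (no RC4 even on TLS 1.2); `probe(host, 3400, TLS12, AES_GCM_SUITES)` returning "ok" confirms the recommended configuration is what the server actually negotiates. A single `recv` can return a partial record on slow links, so treat a `ValueError` from the parser as "retry", not as a result.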