
SSL Weak Ciphers and Deprecated SSLv2 and SSLv3 Protocol Detection

I am currently in charge of doing internal PCI vulnerability scans for the company I work for, and we are currently using OpenVAS for our vulnerability scanner. When scanning our UTM instance I keep receiving the following vulnerabilities: "Check for SSL Weak Ciphers" and "Deprecated SSLv2 and SSLv3 Protocol Detection".

The check for SSL weak ciphers is finding the following:

SSL3_RSA_RC4_128_SHA
TLS1_RSA_RC4_128_SHA
TLS1_RSA_RC4_128_SHA
TLS_1_2_RSA_WITH_RC4_128_SHA

Currently I only have access to the web console of the UTM, and I do not see an option to disable or even enable SSL. My guess is that to actually disable these ciphers and protocols I would need to be on the web server itself, and that there is a configuration file for it? Can anyone confirm this?

Thank you!



  • Jack, are you testing internally or externally?

    SSLv3 was disabled in the UTM when POODLE hit as were the ciphers you mentioned.  I just looked at our .conf files for the Reverse Proxy, Web Filtering, User Portal/WebAdmin and Email - this is still the case.  I wonder if OpenVAS is looking for a different response for those ciphers.

    Cheers - Bob

    PS Here's a group of commands to run as root at the command line that will give you this information about your configuration - copy and paste the entire block at once:

    date > /home/poodle
    echo '-- WAF Status --'>>/home/poodle
    cc get reverse_proxy status >> /home/poodle
    echo '-- SMTP Proxy status --' >> /home/poodle
    cc get smtp status >> /home/poodle
    echo '-- WAF SSL Versions --' >> /home/poodle
    grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf >> /home/poodle
    echo '-- SMTP Proxy SSL Versions --' >> /home/poodle
    grep openssl /var/chroot-smtp/etc/exim.conf >> /home/poodle
    echo '-- User Portal SSL Versions --' >> /home/poodle
    grep SSLProtocol /var/sec/chroot-httpd/etc/httpd/httpd.conf >> /home/poodle
    echo '-- Web Filtering Ciphers --' >> /home/poodle
    cc get http tlsciphers_client  >> /home/poodle
    cat /home/poodle


    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
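The scanner names in the original post (SSL3_RSA_RC4_128_SHA, TLS_1_2_RSA_WITH_RC4_128_SHA and so on) encode the protocol the suite was offered under plus the IANA suite name, and Bob's reply asks whether OpenVAS is reacting to something other than the configured cipher list. The following script is an added example, not code from this thread, from Sophos or from OpenVAS: parse_openvas_cipher() normalises those scanner identifiers and lists why each one is flagged, and probe_handshake() re-tests a host you administer by offering only the suspect cipher family, so you can see whether the server actually negotiates it. The host and port in the usage line are placeholders; the reason codes and their RFC references are my own labels.

```python
"""Reconcile OpenVAS weak-cipher findings with what a server actually negotiates.

Added example (not from the thread, Sophos or OpenVAS). Host/port are assumed
placeholders for a system you are responsible for.
"""
import re
import socket
import ssl
import sys
from typing import Optional

# Scanner names look like SSL3_<suite>, TLS1_<suite>, TLS1_2_<suite> or TLS_1_2_<suite>.
_PROTO_RE = re.compile(r"^(?P<proto>SSL[23]|TLS1(?:_[0-3])?|TLS_1_[0-3])_(?P<suite>.+)$")

# Suite token -> reason code (tokens follow the IANA spelling, split on "_").
_WEAK_TOKENS = {
    "RC4": "rc4",        # RFC 7465 prohibits RC4 in TLS
    "NULL": "null",      # no encryption at all
    "EXPORT": "export",  # 40/56-bit export grade
    "EXP": "export",
    "DES": "des",        # single DES, 56-bit key
    "3DES": "3des",      # 64-bit block size (Sweet32)
    "MD5": "md5",        # weak MAC
    "anon": "anon",      # unauthenticated key exchange
}
# Protocol -> reason code: SSLv2 (RFC 6176), SSLv3 (RFC 7568), TLS 1.0/1.1 (RFC 8996).
_WEAK_PROTOS = {"SSLv2": "sslv2", "SSLv3": "sslv3", "TLSv1.0": "tls1.0", "TLSv1.1": "tls1.1"}


def _protocol_label(token: str) -> str:
    """'SSL3' -> 'SSLv3'; 'TLS1' -> 'TLSv1.0'; 'TLS1_2' or 'TLS_1_2' -> 'TLSv1.2'."""
    if token.startswith("SSL"):
        return "SSLv" + token[3:]
    digits = token[3:].replace("_", "")
    minor = digits[1] if len(digits) > 1 else "0"
    return f"TLSv{digits[0]}.{minor}"


def parse_openvas_cipher(name: str) -> dict:
    """Split a scanner cipher identifier into protocol, IANA suite and reason codes."""
    m = _PROTO_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised scanner cipher name: {name!r}")
    protocol = _protocol_label(m.group("proto"))
    tokens = [t for t in m.group("suite").split("_") if t != "WITH"]
    issues = []
    if protocol in _WEAK_PROTOS:
        issues.append(_WEAK_PROTOS[protocol])
    for t in tokens:
        code = _WEAK_TOKENS.get(t)
        if code and code not in issues:
            issues.append(code)
    return {"protocol": protocol, "suite": "_".join(tokens), "issues": issues}


def probe_handshake(host: str, port: int, cipher_spec: str,
                    max_version: Optional[ssl.TLSVersion] = None,
                    timeout: float = 5.0) -> dict:
    """Offer only `cipher_spec` (OpenSSL syntax, e.g. 'RC4') and optionally cap the
    protocol version. Status is 'accepted' (with the negotiated cipher, protocol, bits),
    'rejected' when the server refuses the handshake, 'client-unsupported' when the local
    OpenSSL can no longer offer that cipher or version at all (common for RC4 and SSLv3;
    a legacy-capable client is needed then), or 'error' for plain connection failures."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing cipher policy, not the certificate chain
    try:
        ctx.set_ciphers(cipher_spec)
        if max_version is not None:
            ctx.maximum_version = max_version
    except (ssl.SSLError, ValueError) as exc:
        return {"status": "client-unsupported", "detail": str(exc)}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "accepted", "detail": tls.cipher()}
    except ssl.SSLError as exc:
        return {"status": "rejected", "detail": str(exc)}
    except OSError as exc:
        return {"status": "error", "detail": str(exc)}


if __name__ == "__main__":
    # The names the scanner reported in the thread.
    for n in ("SSL3_RSA_RC4_128_SHA", "TLS1_RSA_RC4_128_SHA", "TLS_1_2_RSA_WITH_RC4_128_SHA"):
        print(n, "->", parse_openvas_cipher(n))
    # Usage: python probe.py <host> <port>   (placeholder target you administer)
    if len(sys.argv) == 3:
        print("RC4 only:", probe_handshake(sys.argv[1], int(sys.argv[2]), "RC4"))
        print("TLS 1.0 cap:", probe_handshake(sys.argv[1], int(sys.argv[2]), "DEFAULT",
                                              max_version=ssl.TLSVersion.TLSv1))
```

If probe_handshake() answers 'client-unsupported', the result says nothing about the server; a current OpenSSL build will not offer RC4 or SSLv3 at all, so the scanner's finding then has to be checked from the server side (the grep commands above) or with a client built for legacy suites.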
  • Could this be a result of the SSL VPN configuration?  Logs indicate that it is still using SSLv3.0 and TLS1.x...

    Mon May 02 14:07:05 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

    Can the OpenVPN module be forced to use TLS 1.1 or higher?
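The log line quoted above is worth reading field by field. In OpenSSL-backed OpenVPN the first value after "Control Channel:" is the protocol the session actually negotiated (here TLSv1, i.e. TLS 1.0); the "TLSv1/SSLv3" in front of the suite name is OpenSSL's version label for any suite defined for both SSLv3 and TLS, not evidence of an SSLv3 handshake. The script below is an added example, not code from the thread, from Sophos or from the OpenVPN project: it parses such lines and reports every session negotiated below a chosen minimum version. The first sample line is the one from the thread; the others are constructed.

```python
"""Audit OpenVPN control-channel log lines for sessions below a minimum TLS version.

Added example, not from the thread, Sophos or OpenVPN. Only the first sample line
comes from the thread; the rest are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# "Control Channel: <negotiated proto>, cipher <openssl version label> <suite>, <bits> bit <auth>"
_CC_RE = re.compile(
    r"Control Channel: (?P<proto>SSLv[23]|TLSv1(?:\.[0-3])?), "
    r"cipher (?P<label>\S+) (?P<suite>\S+), (?P<bits>\d+) bit (?P<auth>\w+)"
)
# OpenSSL spells TLS 1.0 as plain "TLSv1".
_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

SAMPLE_LOG = [
    # From the thread:
    "Mon May 02 14:07:05 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA",
    # Constructed: a peer that negotiated TLS 1.2
    "Mon May 02 14:09:11 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA",
    # Constructed: unrelated line that must be ignored
    "Mon May 02 14:10:40 2016 TLS: Initial packet from [AF_INET]192.0.2.10:1194",
]


def parse_control_channel(line: str) -> Optional[dict]:
    """Return the negotiated protocol, OpenSSL cipher label, suite, key bits and auth
    algorithm from one log line, or None if the line is not a Control Channel line."""
    m = _CC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["bits"] = int(d["bits"])
    return d


def below_minimum(proto: str, minimum: str) -> bool:
    """True when `proto` (OpenSSL spelling) is older than `minimum`."""
    return _ORDER.index(proto) < _ORDER.index(minimum)


def audit(lines: Iterable[str], minimum: str = "TLSv1.1") -> List[Tuple[str, str]]:
    """(protocol, suite) for every session that negotiated below `minimum`."""
    findings = []
    for line in lines:
        session = parse_control_channel(line)
        if session and below_minimum(session["proto"], minimum):
            findings.append((session["proto"], session["suite"]))
    return findings


if __name__ == "__main__":
    for proto, suite in audit(SAMPLE_LOG, "TLSv1.1"):
        print(f"below TLS 1.1: {proto} with {suite}")
```

On the question itself: OpenVPN (2.3.3 and later) has a `tls-version-min` directive, e.g. `tls-version-min 1.2`, that rejects control-channel handshakes below that version; both server and every client must support the chosen version. Whether the UTM's SSL VPN exposes that setting is not something this thread establishes.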