"SAP Web Dispatcher" & "Weak Encryption Vulnerability"
I originally posted this question in the "SAP NetWeaver - Exchange Infrastructure" forum, but it was suggested that I might receive responses if I cross-post it within this forum. If you know of an even more appropriate forum, let me know & I'll gladly post there too.
Here's my issue... we've just installed a set of SAP Web Dispatchers in our DMZ, and we've configured the HTTPS/SSL functionality so that Internet consumers can securely communicate with us.
We periodically enlist the services of Qualys to scan our Internet touchpoints. Since we made so many changes to our firewall routing rules & such in order to set up the dispatchers, we thought it would be a good idea to perform a new Qualys scan.
Unfortunately, their latest scans reveal a "weak encryption vulnerability". Here's a snippet from the report:
SSL encryption ciphers are classified based on encryption key length as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.
Their recommended solution for us is to "Disable support for LOW encryption ciphers." My question to you, in turn, is... How do I do that?
We're currently using version 7.00 (patch 167) of the dispatchers, along with SAPCRYPTOLIB version 5.5.5pl24 (11-Jun-2008). The only time during configuration that I remember specifying a key length was when I used the sapgenpse program to generate the certificate requests. I always specified 1,024 during that process.
I just ran "sapgenpse get_my_name" and verified that the "KeyInfo" field on all my certificates says "RSA, 1024-bit".
Anyone have any ideas?
~Fred Claypool, Jr.
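Added example (not part of the original post, and not SAP or Qualys code): the scanner's HIGH/MEDIUM/LOW classes refer to the key length of the symmetric cipher negotiated for each session, not to the RSA key in the PSE certificate, so the 1024-bit "KeyInfo" value above is a separate matter. The script below applies the report's rubric (above 128 bits HIGH, exactly 128 MEDIUM, below 128 LOW, with unencrypted suites counted as 0 bits) to cipher-suite lines in the format printed by `openssl ciphers -v`, which is a convenient way to check a candidate cipher list before and after tightening the dispatcher configuration. The sample lines are constructed for the example; the function and variable names are my own. The optional live probe at the end uses Python's standard `ssl` module and only reports the suite a server actually negotiates with the client you run it from, which is one data point rather than a full inventory.

```python
import re
import socket
import ssl

# Constructed sample in the layout of `openssl ciphers -v`; the suites your
# dispatcher really offers will differ.
SAMPLE_OPENSSL_CIPHERS = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# "Enc=AES(256)" -> alg "AES", bits "256"; "Enc=None" -> alg "None", no bits.
ENC_RE = re.compile(r"Enc=(?P<alg>[A-Za-z0-9/-]+)(?:\((?P<bits>\d+)\))?")


def cipher_key_bits(line):
    """Return the symmetric key length (bits) from one `openssl ciphers -v` line.

    A suite with no encryption at all (Enc=None) counts as 0 bits.
    """
    m = ENC_RE.search(line)
    if not m:
        raise ValueError("no Enc= field in line: %r" % line)
    if m.group("alg") == "None":
        return 0
    if m.group("bits") is None:
        raise ValueError("no key length given in line: %r" % line)
    return int(m.group("bits"))


def classify_bits(bits):
    """Apply the scan report's rubric to a key length in bits."""
    if bits > 128:
        return "HIGH"
    if bits == 128:
        return "MEDIUM"
    return "LOW"


def classify_cipher_list(text):
    """Map suite name -> (key bits, class) for every non-blank line in text.

    Note that the rubric is purely about nominal key length: 3DES(168) lands
    in HIGH and RC4(128) in MEDIUM even though both are considered weak for
    other reasons, so treat the output as a floor, not a full cipher review.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name = line.split()[0]
        bits = cipher_key_bits(line)
        result[name] = (bits, classify_bits(bits))
    return result


def low_ciphers(text):
    """Sorted names of the suites the report would flag as LOW."""
    return sorted(name for name, (_, cls) in classify_cipher_list(text).items()
                  if cls == "LOW")


def probe_negotiated(host, port=443, timeout=5.0):
    """Connect once and classify the suite the server negotiates with us.

    Needs network access, so it is not exercised offline. `SSLSocket.cipher()`
    returns (suite name, protocol version, secret bits).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
    return name, version, bits, classify_bits(bits)


if __name__ == "__main__":
    for name, (bits, cls) in classify_cipher_list(SAMPLE_OPENSSL_CIPHERS).items():
        print("%-22s %4d bits  %s" % (name, bits, cls))
    print("LOW suites to remove:", ", ".join(low_ciphers(SAMPLE_OPENSSL_CIPHERS)))
```

To check a real cipher string, feed the output of `openssl ciphers -v '<your list>'` into `classify_cipher_list` and confirm `low_ciphers` comes back empty; after the dispatcher is reconfigured, `probe_negotiated` gives a quick sanity check that the preferred suite is at least MEDIUM.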