09-07-2008 2:08 PM
Hello everyone,
I originally posted this question in the "SAP NetWeaver - Exchange Infrastructure" forum, but it was suggested that I might receive responses if I cross-post it within this forum. If you know of an even more appropriate forum, let me know & I'll gladly post there too.
Here's my issue... we've just installed a set of SAP Web Dispatchers in our DMZ, and we've configured the HTTPS/SSL functionality so that Internet consumers can securely communicate with us.
We periodically enlist the services of Qualys to scan our Internet touchpoints. Since we made so many changes to our firewall routing rules & such in order to set up the dispatchers, we thought it would be a good idea to perform a new Qualys scan.
Unfortunately, their latest scans reveal a "weak encryption vulnerability". Here's a snippet from the report:
-
SSL encryption ciphers are classified based on encryption key length as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.
-
Their recommended solution for us is to "Disable support for LOW encryption ciphers." My question to you, in turn, is... How do I do that?
We're currently using version 7.00 (patch 167) of the dispatchers, along with SAPCRYPTOLIB version 5.5.5pl24 (11-Jun-2008). The only time during configuration that I remember specifying a key length was when I used the sapgenpse program to generate the certificate requests. I always specified 1,024 during that process.
I just ran "sapgenpse get_my_name" and verified that the "KeyInfo" field on all my certificates says "RSA, 1024-bit".
Anyone have any ideas?
Thanks,
~Fred Claypool, Jr.
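An added check, not from this thread or from SAP, that applies the report's key-length thresholds (HIGH > 128, MEDIUM = 128, LOW < 128) to a list of offered cipher suites; it uses OpenSSL cipher-string syntax through Python's ssl module, and the sample suite list is constructed. It does not show the Web Dispatcher's own cipher configuration.

```python
"""Classify cipher suites by effective key length using the thresholds from the
quoted Qualys report, and check what a given OpenSSL cipher policy would offer."""
import ssl
from typing import Dict, Iterable, List

def classify(strength_bits: int) -> str:
    """Map a suite's effective key length to the report's three classes."""
    if strength_bits > 128:
        return "HIGH"
    if strength_bits == 128:
        return "MEDIUM"
    return "LOW"

def low_ciphers(ciphers: Iterable[Dict]) -> List[str]:
    """Names of suites the report would flag. Input dicts are shaped like the
    entries ssl.SSLContext.get_ciphers() returns ('name', 'strength_bits')."""
    return [c["name"] for c in ciphers if classify(c["strength_bits"]) == "LOW"]

def offered_low_ciphers(cipher_string: str) -> List[str]:
    """Build a server TLS context from an OpenSSL cipher string and list the
    suites it would offer that fall into LOW. Which suites exist at all depends
    on the OpenSSL build underneath Python. Note that OpenSSL's own MEDIUM group
    still contains 3DES at 112 effective bits, which this rule counts as LOW,
    so a HIGH-only policy is used in the demonstration below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return low_ciphers(ctx.get_ciphers())

# Constructed sample of what a scanner might see from a server that still
# offers legacy suites; not taken from the post. Note that RC4-MD5 passes the
# report's key-length rule (128 bits) even though RC4 itself is deprecated, so
# key length alone is not a sufficient policy.
SAMPLE_OFFERED = [
    {"name": "AES256-SHA", "strength_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "RC4-MD5", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
]

if __name__ == "__main__":
    print("LOW suites in sample:", low_ciphers(SAMPLE_OFFERED))
    print("LOW suites offered by HIGH policy:",
          offered_low_ciphers("HIGH:!aNULL:!eNULL"))
```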
09-07-2008 7:44 PM
Please avoid cross-posting and do not cross-post this one any further - this distributes the answers and makes the search less useful for those who use it (which is encouraged).
It cannot be excluded that cross-posted threads will be deleted without notice, but we sometimes turn a blind eye as well (because unfortunately there is no way to mirror good threads to other forums).
Regarding search => There was very recently a question here about encryption [ciphers|https://forums.sdn.sap.com/search.jspa?objID=f208&q=ciphers].
Cheers,
Julius