11-13-2013 9:59 PM
Hello,
We are running SAP Web dispatcher release 720 pl 212 with SAP Crypto library release 5.5.5C pl34 on DMZ server and nessus scan shows warning for SSL Weak Cipher and SSL Medium Strength Cipher suite support on the ssl port served by the SAP Web dispatcher.
According to the nessus scan, these ciphers offer weak and medium strength encryption with key lengths of 56 bits and less than 112 bits. These are easier to exploit, and therefore we are being asked to find ways to switch off such vulnerabilities on the SAP Web dispatcher and SAP Cryptolibrary.
Is there a way these vulnerabilities can be switched off? What settings/parameters do we need to put in place in SAP web dispatcher or SAP Crypto Library to avoid support of weak or medium strength cipher suites?
NOTE: We are running SSL certificate with 2048 bit strength.
Thanks,
Asif
11-14-2013 12:56 AM
11-14-2013 11:59 PM
Hello Martin,
Thanks for the answer!
Would you know where I can find more details on what "!mMD5", "!mSHA1", "!eNULL", "!eRC4", "!eDES" or "!eRC2" mean?
I noticed they used ssl/ciphersuites=HIGH:MEDIUM:+e3DES:LOW:EXPORT:!aNULL:!eNULL. What do !aNULL and !eNULL mean? I guess they mean do not include cipher suites with the NULL suffix, but what is the significance of having both "!aNULL" and "!eNULL"?
Regards,
Asif
11-15-2013 12:30 AM
Hi,
a is for server authentication, e is for encryption, m is for message authentication code. ! means negation, do not use. So !aNULL means do not use suites that do not perform authentication, !eNULL means do not use suites that do not encrypt traffic, !mMD5 means do not use suites that use MD5 for MAC, and so on.
Cheers
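To make the selection syntax concrete, here is an added example (not from this thread and not SAP's code) that applies a ciphersuites string to a small constructed suite table using simplified OpenSSL-style semantics. The suite table, the `select_suites` function and the precedence rules are assumptions for illustration, not CommonCryptoLib's actual list or implementation.

```python
# Simplified evaluator for an OpenSSL-style cipher-suite selection string such as
# the SAP Web Dispatcher ssl/ciphersuites value. The suite table below is
# constructed for illustration; the real CommonCryptoLib list and exact semantics differ.
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str
    strength: str  # HIGH / MEDIUM / LOW / EXPORT class
    auth: str      # a<...>: server authentication, RSA or NULL (anonymous)
    enc: str       # e<...>: bulk cipher, AES, 3DES, RC4, DES, RC2 or NULL
    mac: str       # m<...>: message authentication code, SHA1 or MD5

# Constructed sample table, not the library's actual suite list.
SUITES = [
    Suite("RSA_WITH_AES_256_SHA", "HIGH", "RSA", "AES", "SHA1"),
    Suite("RSA_WITH_3DES_EDE_CBC_SHA", "HIGH", "RSA", "3DES", "SHA1"),
    Suite("RSA_WITH_RC4_128_SHA", "MEDIUM", "RSA", "RC4", "SHA1"),
    Suite("RSA_WITH_RC4_128_MD5", "MEDIUM", "RSA", "RC4", "MD5"),
    Suite("RSA_WITH_DES_CBC_SHA", "LOW", "RSA", "DES", "SHA1"),
    Suite("RSA_EXPORT_WITH_RC2_40_MD5", "EXPORT", "RSA", "RC2", "MD5"),
    Suite("ADH_WITH_AES_256_SHA", "HIGH", "NULL", "AES", "SHA1"),
    Suite("RSA_WITH_NULL_SHA", "LOW", "RSA", "NULL", "SHA1"),
]

def _matches(suite, word):
    # Strength classes match on their own; a/e/m prefixes select by auth, enc or MAC.
    if word in ("HIGH", "MEDIUM", "LOW", "EXPORT"):
        return suite.strength == word
    field = {"a": "auth", "e": "enc", "m": "mac"}[word[0]]
    return getattr(suite, field).upper() == word[1:].upper()

def select_suites(spec):
    """Return the enabled suite names, in order, for a colon-separated spec.
    Bare word: append matching suites; '+': move matches to the end of the list;
    '!': remove matches permanently (cannot be re-added); '-': remove but re-addable."""
    enabled, killed = [], set()
    for token in spec.split(":"):
        op, word = (token[0], token[1:]) if token[0] in "+!-" else ("", token)
        hits = [s for s in SUITES if _matches(s, word)]
        if op == "!":
            killed.update(hits)
        if op in ("!", "-"):
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            enabled += [s for s in hits if s not in enabled and s not in killed]
    return [s.name for s in enabled]
```

Running the thread's string shows that !aNULL and !eNULL remove different suites (anonymous key exchange versus no encryption), while the LOW and EXPORT classes still leave 56-bit DES and 40-bit RC2 enabled, which is exactly what the scanner flags.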
11-15-2013 1:14 AM