Application Development Discussions

Nessus scan shows warning for SSL cipher suite vulnerabilities

asif_rahmetulla
Participant

Hello,

We are running SAP Web Dispatcher release 720 pl 212 with SAP Crypto Library release 5.5.5C pl34 on a DMZ server, and the Nessus scan shows a warning for SSL Weak Cipher and SSL Medium Strength Cipher suite support on the SSL port served by the SAP Web Dispatcher.

According to the Nessus scan, these ciphers offer weak and medium strength encryption with key lengths of 56 bits and less than 112 bits. These are easier to exploit, and therefore we are being asked to find ways to switch off such vulnerabilities on the SAP Web Dispatcher and SAP Crypto Library.

Is there a way these vulnerabilities can be switched off? What settings/parameters do we need to put in place in SAP Web Dispatcher or SAP Crypto Library to avoid support of weak or medium strength cipher suites?

NOTE: We are running an SSL certificate with 2048-bit strength.

Thanks,

Asif

1 ACCEPTED SOLUTION

mvoros
Active Contributor

Hi,

Check section 6 in OSS note 510007.


Cheers

4 REPLIES


Hello Martin,

Thanks for the answer!

Would you know where I can find more details on what these "!mMD5", "!mSHA1", or "!eNULL", "!eRC4", "!eDES", "!eRC2" mean?

I noticed they used ssl/ciphersuites=HIGH:MEDIUM:+e3DES:LOW:EXPORT:!aNULL:!eNULL. What do !aNULL and !eNULL mean? I guess they mean do not include cipher suites with the NULL suffix, but what is the significance of having two, "!aNULL" and "!eNULL"?

Regards,

Asif

mvoros
Active Contributor

Hi,

a is for server authentication, e is for encryption, m is for message authentication code. ! means negation, do not use. So !aNULL means do not use suites that do not perform authentication, !eNULL means do not use suites that do not encrypt traffic, !mMD5 means do not use suites that use MD5 for the MAC, and so on.

Cheers

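To make the a/e/m prefixes and the ! negation above concrete, here is an added example (not from this thread or from SAP) that evaluates an OpenSSL-style cipher-suite specification against a small constructed table of suites. It assumes OpenSSL cipher-list semantics (+ reorders matches to the end, ! removes them for good); SAP Crypto Library may differ in details, so it illustrates the notation rather than the product's exact behaviour.

```python
# Added example, not from the thread: evaluate an OpenSSL-style cipher spec
# such as "HIGH:MEDIUM:+e3DES:LOW:EXPORT:!aNULL:!eNULL" against a constructed
# suite table, to show what each keyword does to the final list.
# "a" = authentication, "e" = encryption, "m" = MAC, "!" = never use.
# Assumption: OpenSSL cipher-list semantics ("+" moves matches to the end,
# "-" removes but allows re-adding, "!" removes permanently).

# Constructed sample table (not the real CommonCryptoLib list):
# suite name -> (authentication, encryption, MAC, strength class)
SUITES = {
    "AES256-GCM-SHA384": ("RSA",  "AES256", "AEAD", "HIGH"),
    "AES128-SHA":        ("RSA",  "AES128", "SHA1", "HIGH"),
    "DES-CBC3-SHA":      ("RSA",  "3DES",   "SHA1", "MEDIUM"),
    "RC4-MD5":           ("RSA",  "RC4",    "MD5",  "MEDIUM"),
    "DES-CBC-SHA":       ("RSA",  "DES",    "SHA1", "LOW"),
    "EXP-RC4-MD5":       ("RSA",  "RC4",    "MD5",  "EXPORT"),
    "NULL-SHA":          ("RSA",  "NULL",   "SHA1", "LOW"),
    "ADH-AES128-SHA":    ("NULL", "AES128", "SHA1", "HIGH"),
}

def matches(suite, keyword):
    """True if the suite belongs to the class named by one spec keyword."""
    auth, enc, mac, strength = SUITES[suite]
    if keyword in ("HIGH", "MEDIUM", "LOW", "EXPORT"):
        return strength == keyword
    prefix, value = keyword[0], keyword[1:]      # "eNULL" -> ("e", "NULL")
    return {"a": auth, "e": enc, "m": mac}.get(prefix) == value

def evaluate(spec):
    """Return the ordered list of suites selected by a colon-separated spec."""
    selected, banned = [], set()
    for token in spec.split(":"):
        op = token[0] if token[0] in "!+-" else ""
        keyword = token[len(op):]
        hits = [s for s in SUITES if matches(s, keyword)]
        if op == "!":                    # permanently excluded, even if re-added later
            banned.update(hits)
            selected = [s for s in selected if s not in banned]
        elif op == "-":                  # removed now, but a later keyword may re-add
            selected = [s for s in selected if s not in hits]
        elif op == "+":                  # keep, but move matches to the end (lower preference)
            tail = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + tail
        else:                            # append new matches in table order
            selected += [s for s in hits if s not in selected and s not in banned]
    return selected

if __name__ == "__main__":
    print(evaluate("HIGH:MEDIUM:+e3DES:LOW:EXPORT:!aNULL:!eNULL"))
    print(evaluate("HIGH:!aNULL:!eNULL:!mMD5:!eRC4:!eDES:!mSHA1"))
```

Running the spec quoted in the question still leaves RC4, single DES and the EXPORT suite in the list, which is exactly what a scanner flags as weak and medium strength; the second spec shows how the negations restrict the table to the single AEAD suite.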

You are great! Thanks!