Rick King wrote:
> Hello List!
> I have a client that is using openssl version 0.9.7a,
> Feb 19 2003. Recently, he ran a security audit on his
> machine, and the report came back stating the
> following:
> Vulnerability -- imaps (993/tcp) - 21643 Synopsis
> : The remote service supports the use of weak SSL
> ciphers
> Vulnerability -- pop3s (995/tcp) - 21643 Synopsis
> : The remote service supports the use of weak SSL
> ciphers
> The ciphers that he is using are these:
> SSL_RSA_WITH_RC4_128_MD5\
> ,SSL_RSA_WITH_RC4_128_SHA\
> ,TLS_RSA_WITH_AES_128_CBC_SHA\
> ,TLS_DHE_RSA_WITH_AES_128_CBC_SHA\
> ,TLS_DHE_DSS_WITH_AES_128_CBC_SHA\
> ,SSL_RSA_WITH_3DES_EDE_CBC_SHA\
> ,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA\
> ,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA\
> ,SSL_RSA_WITH_DES_CBC_SHA\
> ,SSL_DHE_RSA_WITH_DES_CBC_SHA\
> ,SSL_DHE_DSS_WITH_DES_CBC_SHA\
> ,SSL_RSA_EXPORT_WITH_RC4_40_MD5\
> ,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA\
> ,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA\
> ,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> Questions
> 1) I believe these are sslv3 ciphers, but is there a
> way to verify the above string is sslv3 compliant?
See http://www.openssl.org/docs/apps/ciphers.html#, but a 40-bit cipher
is weak regardless of whether it is an SSLv2 or a TLSv1/SSLv3 cipher.
> 2) Is there a way to *turn off* sslv2 in openssl?
Yes, but that doesn't remove weak 40-bit ciphers. How to remove weak
ciphers and protocols depends on the application; when it doesn't
provide a means to pass the wishes of the user on to OpenSSL, you are
lost (at least when you don't have the source and can't convince the
application author).
Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
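The exchange above leaves the practical step to the reader: sort the posted suite list into the strength classes that ciphers(1) uses (EXPORT, LOW, MEDIUM, HIGH), see which entries the audit is complaining about, and produce the list with those entries dropped. The following script is an added example, not code from the original post or from the OpenSSL project. It embeds the cipher string exactly as Rick posted it (Java/IANA-style names with backslash continuations and leading commas), classifies each suite from the bulk cipher named in it, and, if an `openssl` binary happens to be on PATH, also expands an OpenSSL-style spec with `openssl ciphers -v` so the two views can be compared. The function names, the classification rules and the choice of `ALL:!EXPORT:!LOW:!aNULL:!SSLv2` as the replacement spec are this example's own assumptions.

```python
import re
import shutil
import subprocess

# The cipher list exactly as posted (constructed copy of the text above:
# backslash line continuations, one suite per line, leading commas).
POSTED_CIPHERS = r"""SSL_RSA_WITH_RC4_128_MD5\
,SSL_RSA_WITH_RC4_128_SHA\
,TLS_RSA_WITH_AES_128_CBC_SHA\
,TLS_DHE_RSA_WITH_AES_128_CBC_SHA\
,TLS_DHE_DSS_WITH_AES_128_CBC_SHA\
,SSL_RSA_WITH_3DES_EDE_CBC_SHA\
,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA\
,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA\
,SSL_RSA_WITH_DES_CBC_SHA\
,SSL_DHE_RSA_WITH_DES_CBC_SHA\
,SSL_DHE_DSS_WITH_DES_CBC_SHA\
,SSL_RSA_EXPORT_WITH_RC4_40_MD5\
,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA\
,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA\
,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"""

# Assumed replacement spec in OpenSSL cipher-string syntax: everything
# except export-grade, single-DES (LOW), unauthenticated and SSLv2 suites.
HARDENED_SPEC = "ALL:!EXPORT:!LOW:!aNULL:!SSLv2"


def parse_cipher_list(text):
    """Join the backslash-continued lines and split on commas."""
    joined = text.replace("\\\n", "")
    return [name.strip() for name in joined.split(",") if name.strip()]


def classify(suite):
    """Strength class of one suite, following the EXPORT/LOW/MEDIUM/HIGH
    grouping of ciphers(1), decided from the bulk cipher in the name."""
    if "EXPORT" in suite or re.search(r"_40_|DES40", suite):
        return "EXPORT"      # 40-bit RC4 or DES40: brute-forceable offline
    if "3DES" in suite or "AES" in suite:
        return "HIGH"        # 3DES (112-bit effective) or AES-128
    if re.search(r"_DES_CBC", suite):
        return "LOW"         # single DES, 56-bit key
    if "RC4_128" in suite:
        return "MEDIUM"      # 128-bit RC4, the class ciphers(1) calls MEDIUM
    raise ValueError("unrecognised suite: " + suite)


def protocol_family(suite):
    """SSLv2 suites use SSL_CK_* names; every suite in the post is an
    SSLv3/TLSv1 suite. The SSL_ vs TLS_ prefix only records where the
    suite was first defined (AES suites came with TLS, RFC 3268), not
    which protocol version is allowed to negotiate it."""
    return "SSLv2" if suite.startswith("SSL_CK_") else "SSLv3/TLSv1"


def report(suites):
    """(suite, protocol family, strength class) for each posted suite."""
    return [(s, protocol_family(s), classify(s)) for s in suites]


def hardened(suites, drop=("EXPORT", "LOW")):
    """The posted list with the audit-flagged classes removed."""
    return [s for s in suites if classify(s) not in drop]


def openssl_expand(spec):
    """Expand an OpenSSL cipher spec with 'openssl ciphers -v' if the
    binary is available; returns None otherwise so the rest still runs."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True).stdout
    return [line.split() for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    suites = parse_cipher_list(POSTED_CIPHERS)
    for name, proto, strength in report(suites):
        print(f"{strength:6} {proto:11} {name}")
    print("\nkeep:", ", ".join(hardened(suites)))
    expanded = openssl_expand(HARDENED_SPEC)
    if expanded is not None:
        print(f"\nopenssl ciphers -v '{HARDENED_SPEC}':")
        for fields in expanded:
            print("  ", " ".join(fields))
```

The seven suites the script drops (three single-DES and four export-grade) are the ones a "weak SSL ciphers" finding refers to; disabling SSLv2 alone, as Richard notes, leaves all seven negotiable over SSLv3/TLSv1. Whether the IMAP and POP daemons can be given either the trimmed name list or an OpenSSL spec such as the one above depends entirely on their configuration interface, and the only definitive check is against the running service: `openssl s_client -connect host:993 -cipher EXPORT` (and `-cipher LOW`, and `-ssl2`) should fail to complete a handshake once the change is in place.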