Sorry, but that is pure nonsense for opportunistic TLS on an inbound mailserver, because if you don't support such ciphers, clients which don't support better ones will either fall back to *completely unencrypted* or just fail.

Weak ciphers offered by this service:
TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher?
 (custom override [Medium > Medium])
TLS1_RSA_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ov?
erride [Medium > Medium])
TLS1_ADH_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom ov?
erride [Strong > Strong])
TLS1_DHE_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custo?
m override [Strong > Strong])
TLS1_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom ov?
erride [Strong > Strong])
TLS1_ADH_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ov?
erride [Medium > Medium])
TLS1_DHE_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custo?
m override [Medium > Medium])
TLS1_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ov?
erride [Medium > Medium])
TLS1_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ADH_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong ciph?
er (custom override [Medium > Medium])
TLS1_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_ADH_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong ciph?
er (custom override [Medium > Medium])
TLS1_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_ADH_DES_192_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ove?
rride [Medium > Medium])
TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher?
 (custom override [Medium > Medium])
TLS1_RSA_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ov?
erride [Medium > Medium])
TLS1_ADH_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom ov?
erride [Strong > Strong])
TLS1_DHE_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custo?
m override [Strong > Strong])
TLS1_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom ov?
erride [Strong > Strong])
TLS1_ADH_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ov?
erride [Medium > Medium])
TLS1_DHE_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custo?
m override [Medium > Medium])
TLS1_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ov?
erride [Medium > Medium])
TLS1_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS1_ADH_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong ciph?
er (custom override [Medium > Medium])
TLS1_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_ADH_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong ciph?
er (custom override [Medium > Medium])
TLS1_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (?
custom override [Medium > Medium])
TLS1_ADH_DES_192_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom ove?
rride [Medium > Medium])
TLS_1_2_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong c?
ipher (custom override [Medium > Medium])
TLS_1_2_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong c?
ipher (custom override [Medium > Medium])
TLS_1_2_DH_anon_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_DH_anon_WITH_AES_256_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_DH_anon_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS_1_2_DHE_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_DHE_RSA_WITH_AES_256_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_DHE_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_RSA_WITH_AES_256_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS_1_2_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS_1_2_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong c?
ipher (custom override [Medium > Medium])
TLS_1_2_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : Medium cipher;No cipher;Weak cipher;Strong c?
ipher (custom override [Medium > Medium])
TLS_1_2_DH_anon_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cipher ?
(custom override [Medium > Medium])
TLS_1_2_DHE_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cip?
her (custom override [Medium > Medium])
TLS_1_2_DHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher?
 (custom override [Medium > Medium])
TLS_1_2_DHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher?
 (custom override [Medium > Medium])
TLS_1_2_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (cu?
stom override [Medium > Medium])
TLS_1_2_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (cu?
stom override [Medium > Medium])
TLS_1_2_RSA_WITH_3DES_EDE_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (c?
ustom override [Medium > Medium])

Solution

The configuration of this service should be changed so that it does not support the listed weak ciphers anymore.

Vulnerability Insight

These rules are applied for the evaluation of the cryptographic strength:

- Any SSL/TLS using no cipher is considered weak.

- All SSLv2 ciphers are considered weak due to a design flaw within the SSLv2 protocol.

- RC4 is considered to be weak.

- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak.

- 1024 bit RSA authentication is considered to be insecure and therefore as weak.

- CBC ciphers in TLS < 1.2 are considered to be vulnerable to the BEAST or Lucky 13 attacks

- Any cipher considered to be secure for only the next 10 years is considered as medium

- Any other cipher is considered as strong

Vulnerability Detection Method

Details: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440)

Version used: $Revision: 3061 $

_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss