and for IMAP/POP3 over TLS things like "CBC ciphers in TLS < 1.2 are considered to be vulnerable to the BEAST or Lucky 13 attacks" are nonsense too because the attack vector just doesn't exist outside a web browser

On 02.08.2016 at 17:51, Reindl Harald wrote:
sorry, but that is pure nonsense for opportunistic TLS on an inbound
mailserver because if you don't support such ciphers clients which don't
support better ones will either fall back to *completely unencrypted* or
just fail

Weak ciphers offered by this service:
  TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom override [Strong > Strong])
  TLS1_DHE_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom override [Strong > Strong])
  TLS1_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom override [Strong > Strong])
  TLS1_ADH_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_DHE_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_DES_192_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_DES_192_CBC3_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom override [Strong > Strong])
  TLS1_DHE_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom override [Strong > Strong])
  TLS1_RSA_WITH_AES_256_SHA : Strong cipher;No cipher;Weak cipher;Medium cipher (custom override [Strong > Strong])
  TLS1_ADH_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_DHE_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_WITH_AES_128_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_WITH_CAMELLIA_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_RSA_WITH_CAMELLIA_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS1_ADH_DES_192_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DH_anon_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DH_anon_WITH_AES_256_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DH_anon_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DHE_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DHE_RSA_WITH_AES_256_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DHE_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_RSA_WITH_AES_256_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DH_anon_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DHE_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_DHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_RSA_WITH_AES_256_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_RSA_WITH_AES_128_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])
  TLS_1_2_RSA_WITH_3DES_EDE_CBC_SHA : Medium cipher;No cipher;Weak cipher;Strong cipher (custom override [Medium > Medium])

Solution

The configuration of this services should be changed so that it does not
support the listed weak ciphers anymore.

Vulnerability Insight

These rules are applied for the evaluation of the cryptographic strength:

- Any SSL/TLS using no cipher is considered weak.

- All SSLv2 ciphers are considered weak due to a design flaw within the
SSLv2 protocol.

- RC4 is considered to be weak.

- Ciphers using 64 bit or less are considered to be vulnerable to brute
force methods and therefore considered as weak.

- 1024 bit RSA authentication is considered to be insecure and therefore
as weak.

- CBC ciphers in TLS < 1.2 are considered to be vulnerable to the BEAST
or Lucky 13 attacks

- Any cipher considered to be secure for only the next 10 years is
considered as medium

- Any other cipher is considered as strong

Vulnerability Detection Method

Details: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440)

Version used: $Revision: 3061 $



_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss


--

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 (676) 40 221 40, p: +43 (1) 595 3999 33
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm
