Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-23 Thread Christian Fischer
Hi,

On 22.12.2016 16:04, Madden, Joe wrote:
> Just wanted to know if these ciphers are indeed vulnerable or if it's been raised
> due to the 10-year life cycle.

I hope you have seen my answer earlier in this discussion?

With the next feed update you will also find a new NVT (OID:
1.3.6.1.4.1.25623.1.0.108031) reporting these cipher suites separately
and only for HTTPS services. The 3DES/DES cipher suites are also showing
up as "Medium" ciphers again for every other service.

Regards,

-- 

Christian Fischer | Greenbone Networks GmbH | http://greenbone.net
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss


Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-22 Thread Madden, Joe
Hi,

Didn't mean to start a discussion about this to be honest. Just wanted to know
if these ciphers are indeed vulnerable or if it's been raised due to the 10-year
life cycle.

Cheers

Joe
-Original Message-
From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] On 
Behalf Of Reindl Harald
Sent: 22 December 2016 14:22
To: openvas-discuss@wald.intevation.org
Subject: Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers



Am 22.12.2016 um 13:38 schrieb Eero Volotinen:
> Well, TLSv1.2 is nowadays supported very well:
>
> https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
>
> It even works on IE.

again: in your small world

in the real world there are even clients which are not operated by humans

some are written in Java, probably run an older Java version, and then you
even have to take care that your DHE params are not too big since those
clients don't support ECDHE

some are running on really old hardware

it's pure stupidity to call out a server with SSLHonorCipherOrder and
compatibility ciphers at the end of SSLCipherSuite since no recent client has
any reason to fall back to those ciphers

the support in clients for old and insecure things has to be removed instead
of the ongoing pissing contest against server admins who try to support old
client software instead of forcing them to use no encryption at all



Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-22 Thread Eero Volotinen
Well, TLSv1.2 is nowadays supported very well:

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers

It even works on IE.

--
Eero

2016-12-22 13:36 GMT+02:00 Reindl Harald :

>
>
> Am 21.12.2016 um 18:45 schrieb Eero Volotinen:
>
>> Is there any reason to support other than TLSv1.2 protocols?
>>
>
> in your small world probably not
>
> in the real world where you are not in the position to update every
> mailclient of every customer or even every operating system and its
> browsers of website visitors it is
>
> there is no reason that a recent client would fall back to 3DES other than
> a major bug in that client which needs to be fixed there and not on the
> server side

Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-22 Thread Reindl Harald



Am 21.12.2016 um 18:45 schrieb Eero Volotinen:

> Is there any reason to support other than TLSv1.2 protocols?

in your small world probably not

in the real world where you are not in the position to update every
mailclient of every customer or even every operating system and its
browsers of website visitors it is

there is no reason that a recent client would fall back to 3DES other
than a major bug in that client which needs to be fixed there and not on
the server side





Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-22 Thread Eero Volotinen
How about config like this:

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Eero



2016-12-20 18:09 GMT+02:00 Madden, Joe :

> Hi,
>
> Our openvas is showing the following ciphers as a medium risk:
>
>   TLS1_0_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_0_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_0_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_1_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_1_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_1_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_2_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_2_RSA_WITH_3DES_EDE_CBC_SHA
>
> Qualys SSL Labs reports these ciphers as secure and OK, therefore I presume
> that these are either:
>
> 1)  Incorrectly reported as vulnerable to Beast/Lucky13
>
> Or
>
> 2)  Being reported as part of “Any cipher considered to be secure
> for only the next 10 years is considered as medium”
>
> Apache is set to use:
>
> SSLCipherSuite !ADH:!RC4-SHA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:ALL
>
> Latest patch levels for apache/OpenSSL.
>
> Can anyone clarify?
>
> Thanks
>
> Joe
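To see what the two Apache SSLCipherSuite strings in this thread actually enable, here is an added example (not Apache, OpenSSL or OpenVAS code, and not posted by anyone in the thread) that expands a cipher string through the local OpenSSL via Python's ssl module and lists the suites a scanner would still downgrade. It assumes Python's ssl module is linked against OpenSSL, and the expansion is version-dependent: OpenSSL classed 3DES as HIGH up to 1.0.2 and moved it to MEDIUM in 1.1.0, which is why a `+HIGH:!MEDIUM:!LOW` string keeps 3DES on a 1.0.x build. The audit rules and the sample cipher list are this example's own assumptions.

```python
"""Expand an Apache SSLCipherSuite string on the local OpenSSL build and flag
the suites a scanner will still rate as weak.

Added example for this thread, not OpenVAS or Apache code. It assumes Python's
ssl module is linked against OpenSSL; which suites a string expands to depends
on that OpenSSL version (3DES sits in HIGH up to 1.0.2 and in MEDIUM from 1.1.0
on), so the same string can audit differently on two hosts.
"""
import ssl

# The two cipher strings posted in the thread.
JOE_STRING = "!ADH:!RC4-SHA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:ALL"
EERO_STRING = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
               "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")

# Symmetric algorithms with a 64-bit block, matched against the 'symmetric'
# field of ssl.SSLContext.get_ciphers() (e.g. 'des-ede3-cbc').
BLOCK64_PREFIXES = ("des-", "rc2", "idea")
# Key exchanges that give forward secrecy, as reported in the 'kea' field.
FS_KEA = ("kx-ecdhe", "kx-dhe")


def expand_cipher_string(cipher_string):
    """Return the cipher dicts the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit_ciphers(ciphers):
    """Map suite name -> list of reasons a scanner would downgrade it.

    Takes get_ciphers()-shaped dicts; suites with no reason are left out.
    """
    findings = {}
    for c in ciphers:
        if c.get("protocol") == "TLSv1.3":
            continue  # TLS 1.3 suites are AEAD-only with ephemeral key exchange
        reasons = []
        sym = (c.get("symmetric") or "").lower()
        kea = (c.get("kea") or "").lower()
        if sym.startswith(BLOCK64_PREFIXES):
            reasons.append("64-bit block cipher: " + sym)
        elif sym.startswith("rc4"):
            reasons.append("broken stream cipher: " + sym)
        if kea not in FS_KEA:
            reasons.append("no forward secrecy: " + kea)
        if reasons:
            findings[c["name"]] = reasons
    return findings


def compare(cipher_strings):
    """Audit several cipher strings; returns {string: {suite: reasons}}."""
    return {s: audit_ciphers(expand_cipher_string(s)) for s in cipher_strings}


# Constructed sample in the shape get_ciphers() returns (mirroring the
# 'openssl ciphers -v' output of an OpenSSL 1.0.2 build), so audit_ciphers()
# can be checked without depending on the local library.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "symmetric": "aes-256-gcm", "kea": "kx-any", "aead": True},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "symmetric": "aes-128-gcm", "kea": "kx-ecdhe", "aead": True},
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "protocol": "SSLv3",
     "symmetric": "des-ede3-cbc", "kea": "kx-ecdhe", "aead": False},
    {"name": "AES256-SHA", "protocol": "SSLv3",
     "symmetric": "aes-256-cbc", "kea": "kx-rsa", "aead": False},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "symmetric": "des-ede3-cbc", "kea": "kx-rsa", "aead": False},
]

if __name__ == "__main__":
    for string, findings in compare([JOE_STRING, EERO_STRING]).items():
        print(string)
        for name, reasons in sorted(findings.items()):
            print("  %-32s %s" % (name, "; ".join(reasons)))
        if not findings:
            print("  (no weak suites on this OpenSSL build)")
```

Run stand-alone, it prints the findings for both strings on the local OpenSSL. Eero's string contains no 3DES at all, but its trailing RSA+AESGCM:RSA+AES entries still show up as suites without forward secrecy, which is exactly the compatibility trade-off the rest of the thread argues about. Appending `:!3DES` to the existing string is the smallest change that removes the suites the scanner reported.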

Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-22 Thread Eero Volotinen
Well.

Why are you still using 3DES ciphers? TLSv1.2 provides better ciphers.. if
enabled?

--
Eero

2016-12-22 11:03 GMT+02:00 Madden, Joe <joe.mad...@mottmac.com>:

> No – But even if the system were corrected to run only TLS 1.2 the
> following ciphers would still be marked as medium risk:
>
>
>
>   TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>
>   TLS1_2_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>
>   TLS1_2_RSA_WITH_3DES_EDE_CBC_SHA

Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-22 Thread Madden, Joe
No – But even if the system were corrected to run only TLS 1.2 the following
ciphers would still be marked as medium risk:

  TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS1_2_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS1_2_RSA_WITH_3DES_EDE_CBC_SHA


From: eero.t.voloti...@gmail.com [mailto:eero.t.voloti...@gmail.com] On Behalf 
Of Eero Volotinen
Sent: 21 December 2016 17:45
To: Madden, Joe <joe.mad...@mottmac.com>
Cc: openvas-discuss <openvas-discuss@wald.intevation.org>
Subject: Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

Is there any reason to support other than TLSv1.2 protocols?

Eero


Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

2016-12-21 Thread Eero Volotinen
Is there any reason to support other than TLSv1.2 protocols?

Eero

2016-12-20 18:09 GMT+02:00 Madden, Joe :

> Hi,
>
> Our openvas is showing the following ciphers as a medium risk:
>
>   TLS1_0_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_0_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_0_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_1_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_1_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_1_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_2_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS1_2_RSA_WITH_3DES_EDE_CBC_SHA
>
> Qualys SSL Labs reports these ciphers as secure and OK, therefore I presume
> that these are either:
>
> 1)  Incorrectly reported as vulnerable to Beast/Lucky13
>
> Or
>
> 2)  Being reported as part of “Any cipher considered to be secure
> for only the next 10 years is considered as medium”
>
> Apache is set to use:
>
> SSLCipherSuite !ADH:!RC4-SHA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:ALL
>
> Latest patch levels for apache/OpenSSL.
>
> Can anyone clarify?
>
> Thanks
>
> Joe
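Joe's list above, classified suite by suite, as an added example that is not part of the thread or of OpenVAS: a small Python parser for the scanner's TLS1_x_..._WITH_... naming that records the block size of each cipher, whether the key exchange gives forward secrecy and whether the protocol predates TLS 1.2. The name grammar, the block-size table and the finding labels are this example's own assumptions. It shows why the TLS 1.2 variants are rated the same as the TLS 1.0 ones: the finding attaches to the 64-bit block of 3DES (the property behind the Sweet32 birthday attack that made scanners downgrade 3DES in 2016), not to the protocol version.

```python
"""Classify the suites an OpenVAS report lists, using the scanner's own
naming (TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), so the reason behind each
'Medium' rating is visible per suite.

Added example for this thread, not OpenVAS code: the name grammar, block-size
table and finding labels below are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: the nine suites from the report that opened the thread.
REPORTED = [
    "TLS1_0_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_0_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_0_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_1_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_1_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_1_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_2_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS1_2_RSA_WITH_3DES_EDE_CBC_SHA",
]

# <protocol>_<key exchange>_WITH_<cipher>_<mac or PRF hash>
SUITE_RE = re.compile(
    r"^(?P<proto>SSL3|TLS1_[0-3])_(?P<kx>.+?)_WITH_(?P<cipher>.+)"
    r"_(?P<mac>SHA256|SHA384|SHA|MD5|NULL)$"
)

# Block size in bits, keyed by the first token of the cipher part;
# None means a stream cipher or an AEAD construction without a block.
BLOCK_BITS = {
    "3DES": 64, "DES": 64, "RC2": 64, "IDEA": 64,
    "AES": 128, "CAMELLIA": 128, "SEED": 128, "ARIA": 128,
    "RC4": None, "CHACHA20": None,
}
LEGACY_PROTOCOLS = ("SSL 3.0", "TLS 1.0", "TLS 1.1")


def parse_suite(name):
    """Split an OpenVAS-style suite name into its components."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised suite name: " + name)
    cipher = m.group("cipher")
    family = cipher.split("_")[0]
    return {
        "proto": m.group("proto").replace("TLS1_", "TLS 1.").replace("SSL3", "SSL 3.0"),
        "kx": m.group("kx"),
        "family": family,
        "block_bits": BLOCK_BITS.get(family),
        "aead": cipher.endswith(("GCM", "CCM", "POLY1305")),
        "mac": m.group("mac"),
    }


def findings_for(name):
    """Reasons a scanner rates this suite down; an empty list means none."""
    s = parse_suite(name)
    reasons = []
    if s["block_bits"] == 64:
        reasons.append("64-bit block cipher (%s)" % s["family"])
    if s["family"] == "RC4":
        reasons.append("broken stream cipher (RC4)")
    if not s["kx"].startswith(("ECDHE_", "DHE_")):
        reasons.append("no forward secrecy (%s key exchange)" % s["kx"])
    if s["proto"] in LEGACY_PROTOCOLS:
        reasons.append("pre-TLS 1.2 protocol (%s)" % s["proto"])
    return reasons


def summarise(names):
    """Group suites by finding label (the text before the parenthesis)."""
    grouped = defaultdict(list)
    for name in names:
        for reason in findings_for(name):
            grouped[reason.split(" (")[0]].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for label, suites in summarise(REPORTED).items():
        print("%s: %d suite(s)" % (label, len(suites)))
        for suite in suites:
            print("  " + suite)
```

On the reported list every one of the nine suites carries the 64-bit block finding, only the three plain RSA suites additionally lack forward secrecy, and the six TLS 1.0/1.1 entries pick up the legacy-protocol finding; restricting the server to TLS 1.2 therefore removes the last group but leaves the three TLS1_2 3DES suites exactly as Joe observed.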