Thanks, "SSLCipherSuite HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL" is active as of now.

It probably crept in with the scan in the summer, where "supports weak encryption" was criticised in the same context and I therefore set "SSLCipherSuite HIGH", which was then, astonishingly, rated as fixed. Why "supports" is ultimately rated as "action required" even though the report says "where possible" is another topic *sigh*

--- sslscan1.txt 2011-12-02 10:21:33.671326934 +0100
+++ sslscan2.txt 2011-12-02 10:26:58.550918013 +0100
@@ -17,31 +17,31 @@ Rejected SSLv2 56 bits DES-CBC-MD5 Rejected SSLv2 40 bits EXP-RC2-CBC-MD5 Rejected SSLv2 40 bits EXP-RC4-MD5 - Accepted SSLv3 256 bits DHE-RSA-AES256-SHA + Rejected SSLv3 256 bits DHE-RSA-AES256-SHA Rejected SSLv3 256 bits DHE-DSS-AES256-SHA - Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA + Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA - Accepted SSLv3 256 bits ADH-AES256-SHA - Accepted SSLv3 256 bits ADH-CAMELLIA256-SHA + Rejected SSLv3 256 bits ADH-AES256-SHA + Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA Accepted SSLv3 256 bits AES256-SHA Accepted SSLv3 256 bits CAMELLIA256-SHA Failed SSLv3 256 bits PSK-AES256-CBC-SHA - Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA + Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA - Accepted SSLv3 168 bits ADH-DES-CBC3-SHA + Rejected SSLv3 168 bits ADH-DES-CBC3-SHA Accepted SSLv3 168 bits DES-CBC3-SHA Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA Failed SSLv3 168 bits KRB5-DES-CBC3-SHA Failed SSLv3 168 bits KRB5-DES-CBC3-MD5 - Accepted SSLv3 128 bits DHE-RSA-AES128-SHA + Rejected SSLv3 128 bits DHE-RSA-AES128-SHA Rejected SSLv3 128 bits DHE-DSS-AES128-SHA Rejected SSLv3 128 bits DHE-RSA-SEED-SHA Rejected SSLv3 128 bits DHE-DSS-SEED-SHA - Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA + Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA - Accepted SSLv3 128 bits ADH-AES128-SHA + Rejected SSLv3 128 bits ADH-AES128-SHA Rejected SSLv3 128 bits ADH-SEED-SHA - Accepted SSLv3 128 bits ADH-CAMELLIA128-SHA + Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA Accepted SSLv3 128 bits AES128-SHA Rejected SSLv3 128 bits SEED-SHA Accepted SSLv3 128 bits CAMELLIA128-SHA 
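Review bot: the !EDH selector does more than the scan finding asked for in this hunk. The lines flipped from Accepted to Rejected include the authenticated DHE-RSA-* suites (DHE-RSA-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-AES128-SHA, DHE-RSA-CAMELLIA128-SHA, EDH-RSA-DES-CBC3-SHA) alongside the anonymous ADH-* ones. Only the ADH-* lines correspond to the Au=None finding, and !aNULL on its own removes them; dropping DHE-RSA-* as well leaves no suite with ephemeral key exchange, so every remaining Accepted line (AES256-SHA, CAMELLIA256-SHA, DES-CBC3-SHA, AES128-SHA, CAMELLIA128-SHA) uses static RSA key exchange without forward secrecy. Suggest a string without !EDH, e.g. "HIGH:!aNULL:!eNULL:!MD5", then re-run sslscan and confirm that DHE-RSA-* return to Accepted while ADH-* stay Rejected.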
@@ -73,31 +73,31 @@ Failed SSLv3 40 bits EXP-KRB5-RC4-MD5 Rejected SSLv3 0 bits NULL-SHA Rejected SSLv3 0 bits NULL-MD5 - Accepted TLSv1 256 bits DHE-RSA-AES256-SHA + Rejected TLSv1 256 bits DHE-RSA-AES256-SHA Rejected TLSv1 256 bits DHE-DSS-AES256-SHA - Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA + Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA - Accepted TLSv1 256 bits ADH-AES256-SHA - Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA + Rejected TLSv1 256 bits ADH-AES256-SHA + Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 256 bits CAMELLIA256-SHA Failed TLSv1 256 bits PSK-AES256-CBC-SHA - Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA + Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA - Accepted TLSv1 168 bits ADH-DES-CBC3-SHA + Rejected TLSv1 168 bits ADH-DES-CBC3-SHA Accepted TLSv1 168 bits DES-CBC3-SHA Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA Failed TLSv1 168 bits KRB5-DES-CBC3-SHA Failed TLSv1 168 bits KRB5-DES-CBC3-MD5 - Accepted TLSv1 128 bits DHE-RSA-AES128-SHA + Rejected TLSv1 128 bits DHE-RSA-AES128-SHA Rejected TLSv1 128 bits DHE-DSS-AES128-SHA Rejected TLSv1 128 bits DHE-RSA-SEED-SHA Rejected TLSv1 128 bits DHE-DSS-SEED-SHA - Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA + Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA - Accepted TLSv1 128 bits ADH-AES128-SHA + Rejected TLSv1 128 bits ADH-AES128-SHA Rejected TLSv1 128 bits ADH-SEED-SHA - Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA + Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA Accepted TLSv1 128 bits AES128-SHA Rejected TLSv1 128 bits SEED-SHA Accepted TLSv1 128 bits CAMELLIA128-SHA 
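Review bot: this TLSv1 hunk mirrors the SSLv3 hunk line for line, which also makes visible that the cipher change did nothing about the protocol: every suite still marked Accepted here is equally Accepted under SSLv3 in the previous hunk, because the quoted configuration uses SSLProtocol All -SSLv2 and so leaves SSLv3 enabled. Suggest disabling it as well (SSLProtocol All -SSLv2 -SSLv3) and re-running the scan; the 168-bit DES-CBC3-SHA line that stays Accepted is likewise a legacy suite that HIGH keeps and could be excluded explicitly with !3DES.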
@@ -131,8 +131,8 @@ Rejected TLSv1 0 bits NULL-MD5 [34mPrefered Server Cipher(s):[0m - SSLv3 256 bits DHE-RSA-AES256-SHA - TLSv1 256 bits DHE-RSA-AES256-SHA + SSLv3 256 bits AES256-SHA + TLSv1 256 bits AES256-SHA [34mSSL Certificate:[0m Version: 2

On 02.12.2011 09:06, Mario Brandt wrote:
> Hello Reindl,
> the problem is Au=None.
>
> That can be fixed with SSLCipherSuite, in which you forbid Au=None with !aNULL.
>
> Example:
>
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder On
> SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
> This config is also immune to CVE-2011-3389 / BEAST attack. It has the
> disadvantage, however, that basically all clients use "only" 128-bit
> encryption and no longer 256.
>
> Regards
> Mario
>
> 2011/12/1 Reindl Harald <h.rei...@thelounge.net>:
>> Hi
>>
>> Why do I get the report below back from a scan by a service provider with
>> the following configuration?
>> _________________________________________________________
>>
>> SSLEngine On
>> SSLProtocol All -SSLv2
>> SSLCipherSuite HIGH
>> SSLVerifyClient Off
>> SSLVerifyDepth 10
>> _________________________________________________________
>>
>> medium risk [ TCP 443 ]: SSL Anonymous Cipher Suites Supported
>> The examined system supports anonymous SSL ciphers. While this allows an
>> administrator to use SSL encryption without requesting or generating a
>> certificate, it makes it impossible for a client to verify the identity of
>> the host. This makes man-in-the-middle attacks on such connections possible.
>>
>> Output:
>> The remote server supports the following anonymous SSL ciphers :
>> ADH-DES-CBC3-SHA      Kx=DH  Au=None  Enc=3DES(168)      Mac=SHA1
>> ADH-DES-CBC3-SHA      Kx=DH  Au=None  Enc=3DES(168)      Mac=SHA1
>> ADH-AES128-SHA        Kx=DH  Au=None  Enc=AES(128)       Mac=SHA1
>> ADH-AES256-SHA        Kx=DH  Au=None  Enc=AES(256)       Mac=SHA1
>> ADH-CAMELLIA128-SHA   Kx=DH  Au=None  Enc=Camellia(128)  Mac=SHA1
>> ADH-CAMELLIA256-SHA   Kx=DH  Au=None  Enc=Camellia(256)  Mac=SHA1
>> The fields above are :
>> {OpenSSL ciphername}
>> Kx={key exchange}
>> Au={authentication}
>> Enc={symmetric encryption method}
>>
>> --
>>
>> Reindl Harald
>> the lounge interactive design GmbH
>> A-1060 Vienna, Hofmühlgasse 17
>> CTO / software-development / cms-solutions
>> p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
>> icq: 154546673, http://www.thelounge.net/
>>
>> http://www.thelounge.net/signature.asc.what.htm
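Review bot: in the @@ -131,8 +131,8 @@ hunk the Prefered Server Cipher(s) lines change from DHE-RSA-AES256-SHA to AES256-SHA for both SSLv3 and TLSv1, which makes the forward-secrecy loss concrete: the server now prefers a static-RSA suite, so a later compromise of the server's RSA private key would expose recorded sessions. This follows from !EDH in the new SSLCipherSuite line, not from !aNULL; with !EDH removed, DHE-RSA-AES256-SHA returns as the preferred suite while the ADH-* suites flagged by the scan stay rejected.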
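An added example (not code from the thread, from Apache or from OpenSSL) that models the difference the two messages above turn on: the scanner only complains about Au=None, which !aNULL removes, whereas the !EDH that ended up in the active line also discards the authenticated DHE-RSA suites and with them forward secrecy. It parses constructed lines in the `openssl ciphers -v` layout; the sample, the parser and the simplified selector model are assumptions, not the scanner's or OpenSSL's own logic.

```python
import re
from collections import namedtuple

# Constructed sample in the `openssl ciphers -v` layout (not output from the
# thread's host); NULL-SHA is included only so that !eNULL has something to hit.
SAMPLE_CIPHERS_V = """\
DHE-RSA-AES256-SHA  SSLv3 Kx=DH  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA      SSLv3 Kx=DH  Au=None Enc=AES(256)  Mac=SHA1
AES256-SHA          SSLv3 Kx=RSA Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA    SSLv3 Kx=DH  Au=None Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA        SSLv3 Kx=RSA Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA  SSLv3 Kx=DH  Au=RSA  Enc=AES(128)  Mac=SHA1
NULL-SHA            SSLv3 Kx=RSA Au=RSA  Enc=None      Mac=SHA1
"""

Cipher = namedtuple("Cipher", "name proto kx au enc mac")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` style lines into Cipher records."""
    return [Cipher(*m.groups()) for m in map(LINE_RE.match, text.splitlines()) if m]

def exclusions_from(cipher_string):
    """Collect the '!' selectors of an SSLCipherSuite string, e.g. {'aNULL', 'EDH'}."""
    return {tok[1:] for tok in cipher_string.split(":") if tok.startswith("!")}

def apply_exclusions(ciphers, exclusions):
    """Simplified model (an assumption, not OpenSSL's matcher) of the selectors
    used in the thread: aNULL = Au=None, eNULL = Enc=None, EDH = authenticated
    ephemeral DH, MD5 = Mac=MD5. Positive selectors such as HIGH are ignored."""
    def hit(c):
        return (("aNULL" in exclusions and c.au == "None")
                or ("eNULL" in exclusions and c.enc == "None")
                or ("EDH" in exclusions and c.kx == "DH" and c.au != "None")
                or ("MD5" in exclusions and c.mac == "MD5"))
    return [c for c in ciphers if not hit(c)]

def anonymous(ciphers):
    """What the scanner flagged: suites without server authentication."""
    return [c.name for c in ciphers if c.au == "None"]

def forward_secret(ciphers):
    """Authenticated ephemeral-DH suites, which !EDH throws away as well."""
    return [c.name for c in ciphers if c.kx == "DH" and c.au != "None"]

def evaluate(cipher_string, text=SAMPLE_CIPHERS_V):
    """Report what a cipher string keeps and whether anonymous or PFS suites remain."""
    kept = apply_exclusions(parse_ciphers_v(text), exclusions_from(cipher_string))
    return {"kept": [c.name for c in kept], "anonymous": anonymous(kept),
            "forward_secret": forward_secret(kept)}
```

Running `evaluate` on the original "HIGH", on "HIGH:!aNULL:!eNULL" and on the string from the reply shows that the second already has no anonymous suite left, while the third additionally empties the forward-secret list.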