How to Disable Ciphers and Reconfigure Encryption?

Hello,

I recently had a Retina scan of my system and there are some findings I do not understand.

  1. SSL Weak Cipher Strength Supported - Retina has detected that the targeted SSL Service supports a cryptographically weak cipher strength... Disable ciphers that support less than 128-bit cipher strength. Reconfigure the affected application to use a high-grade encryption cipher.
  2. SSL Weak Cipher Supported - Retina has detected that the targeted SSL Service supports cryptographically weak encryption ciphers... Disable ciphers that support less than 128-bit cipher strength. Reconfigure the affected application to use a high-grade encryption cipher.

I cannot find anything online about disabling a cipher. Also, what is the "affected application"? Is it Solaris?

Finally, if I were to disable the weak ciphers, will I still be able to log into the server using PuTTY, and how will it affect my network connections? We are using Samba 3.0 running on Solaris 10 and connecting to XP workstations.

Any help would be greatly appreciated. Thanks in advance.

Ken

Ken,

Something to note about automated security scans (Retina, Nessus, etc.) is that they can give false positives. The results of such scans still need to be interpreted by someone who understands the system's configuration, the impact of potential vulnerabilities and what compensating controls might be in place that mitigate the threat.

In terms of disabling weak ciphers and otherwise bolstering the security of the various services on the Solaris box, we need to know what it's actually running. Is your Solaris machine actually a Samba server which presents file shares to the XP systems, or acting as a client to a fileshare on an XP machine? Perhaps your Solaris machine is also a Web server? If you don't know what is running on your Solaris systems or how to find this out, I strongly recommend reading the Oracle Solaris 10 System Administrator Collection manuals which are part of the Solaris 10 Documentation.

Regarding PuTTY, I'll make an assumption here that you're connecting to the Solaris box via SSH, rather than Telnet or serial console. To better secure SSH, require public-key authentication and disallow remote logins from root. You *can* specify the ciphers in Protocol v2 sshd configs, but I would leave it well enough alone. Moving the SSH service from 22/tcp to something else (e.g. 3344/tcp) won't make you more secure, but should keep your auth logs quieter from attempted logins/automated scans if this box has its interface on a public network.

Nick
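
The sshd_config settings Nick describes, as an added example that is not part of the original thread: a hardened fragment (Protocol 2 only, key-based logins only, no root logins, the port change left as an optional comment) plus a small audit function that reports which of those directives a given config file lacks. The sample config, the temporary file paths and the audit function are assumptions made for this example; on Solaris 10 the real file is /etc/ssh/sshd_config, and a POSIX grep/awk is assumed (on Solaris 10 use the ones in /usr/xpg4/bin).

```shell
# Added example, not from the original thread. The hardened directives below
# are the ones the post recommends; "Ciphers" and "Port" are left commented
# out because, as the post says, the defaults are usually best left alone.
HARDENED_SSHD_CONFIG='Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
#Ciphers aes128-ctr,aes256-ctr
#Port 3344'

# sshd_value FILE KEY: print the effective value of KEY in FILE, lower-cased.
# sshd uses the first uncommented occurrence of a keyword, so "head -n 1"
# mirrors what the daemon will actually do. Prints nothing if KEY is unset.
sshd_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# audit_sshd FILE: print one line per directive that is missing or not set to
# the hardened value. Returns 0 if everything is in order, 1 otherwise.
audit_sshd() {
    status=0
    for pair in "Protocol=2" "PermitRootLogin=no" \
                "PubkeyAuthentication=yes" "PasswordAuthentication=no"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', found '${got:-<unset>}'"
            status=1
        fi
    done
    return $status
}

# Constructed sample (an assumption for this example): a stock-looking config
# that still allows password logins and remote root logins.
SAMPLE=$(mktemp)
printf '%s\n' '# sample sshd_config (constructed)' 'Protocol 2' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' > "$SAMPLE"
audit_sshd "$SAMPLE" || echo "sample config needs hardening"

HARDENED=$(mktemp)
printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$HARDENED"
audit_sshd "$HARDENED" && echo "hardened config passes"
rm -f "$SAMPLE" "$HARDENED"
```

Run the audit against the live file with `audit_sshd /etc/ssh/sshd_config` before and after editing it, and restart sshd afterwards. Note that "PasswordAuthentication no" on its own does not cover every password path; check the platform's sshd_config(4) for keyboard-interactive or PAM-based authentication keywords and disable those too, and keep a second session open while you test key-based login so a mistake does not lock you out.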

DraconianTimes,

Thanks for the response and sorry it has taken me so long to get back. I put this on the backburner for a while to attend other issues.

I believe I have fixed the problem. We are running Samba and our server is only a domain server. I used the following command to meet requirements:

openssl ciphers -v SSLv3+MEDIUM+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH

This enables only SSLv3 ciphers of 128-bit encryption and higher, disables all others, including null ciphers, and sorts the output by strength. I am still able to SSH into the server via PuTTY and log in over the network. If I run into other problems, I can always loosen it back up. There were 18 encryption algorithms running on our server that were 64-bit or less. Thanks again.

Ken
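
As an added example that is not part of the original thread: a filter that reads the output of `openssl ciphers -v` and prints the entries below a given key size, which is what a scanner reports as "weak". It is useful for seeing exactly which suites a cipher string such as the one above selects, and for comparing that against `openssl ciphers -v DEFAULT`. The listing embedded below is a constructed sample in the format `openssl ciphers -v` prints, not output from the server in the thread; the `weak_ciphers` function and the threshold argument are assumptions made for this example. One caveat worth keeping in mind: `openssl ciphers` only evaluates a cipher string; the string still has to be placed in the TLS configuration of the application that serves SSL (for Apache httpd, the `SSLCipherSuite` directive) before that service stops offering the weak suites.

```shell
# Added example, not from the original thread.
# Constructed sample in "openssl ciphers -v" format (name, protocol, Kx, Au,
# Enc=cipher(bits), Mac, optional "export" flag).
SAMPLE_CIPHERS='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1'

# weak_ciphers [MIN_BITS]: read "openssl ciphers -v" output on stdin and print
# every suite whose symmetric key size is below MIN_BITS (default 128, the
# threshold the Retina finding uses). "Enc=None" counts as 0 bits, so the
# eNULL suites are always reported.
weak_ciphers() {
    awk -v min="${1:-128}" '
        NF == 0 { next }
        {
            bits = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                    bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
            }
            if (bits < min) printf "%-24s %3d bits\n", $1, bits
        }'
}

# count_weak [MIN_BITS]: number of weak suites on stdin.
count_weak() {
    weak_ciphers "$1" | wc -l | tr -d ' '
}

# On the sample: DES(56), RC4(40) and None are reported; RC4(128) is not.
printf '%s\n' "$SAMPLE_CIPHERS" | weak_ciphers
printf 'weak suites: %s\n' "$(printf '%s\n' "$SAMPLE_CIPHERS" | count_weak)"

# Against a real build, feed the command's output straight in, e.g.
#   openssl ciphers -v 'SSLv3+MEDIUM+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH' | weak_ciphers
#   openssl ciphers -v DEFAULT | weak_ciphers
```

Pass a different threshold to match other cut-offs (`weak_ciphers 64` for the "64-bit or less" suites mentioned above, give or take the boundary). Whatever string the listing confirms, verify from outside after reconfiguring the service, for example with `openssl s_client -cipher DES-CBC-SHA -connect host:443`, which should fail to negotiate once the suite is disabled.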


I also had the need to tighten the encryption on my server. I did so, but I have apparently caused one developer's code to stop working - he needs SSLv2, etc. I'd like to just "reset" OpenSSL to default on the cipher front - anyone know how I can do that? I just want to reset to "factory standards".

Any help, at all, on this, would be greatly appreciated.

regards,
Jared

This should work for you:

openssl ciphers -v DEFAULT