SSL/TLS Recommended Cipher Suites (PCI DSS) Vulnerability
Severity : MEDIUM
Tenable PLUGIN ID: 159543
Background
Our vulnerability scan discovered this issue. Some SSL/TLS ports are using insecure cipher suites such as:
- ECDHE-RSA-AES256-SHA
- ECDHE-RSA-AES256-SHA384
The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to only enable support for the following cipher suites:
TLSv1.3:
– 0x13,0x01 TLS13_AES_128_GCM_SHA256
– 0x13,0x02 TLS13_AES_256_GCM_SHA384
– 0x13,0x03 TLS13_CHACHA20_POLY1305_SHA256
TLSv1.2:
– 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
– 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
– 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
– 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
– 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
– 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
– 0xCC,0xAA DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.
Only enable support for recommended cipher suites.
The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:
High Strength Ciphers (>= 112-bit key)

Name                      Code          KEX    Auth   Encryption      MAC
------------------------  ------------  -----  -----  --------------  ------
ECDHE-RSA-AES256-SHA      0xC0, 0x14    ECDH   RSA    AES-CBC(256)    SHA1
ECDHE-RSA-AES256-SHA384   0xC0, 0x28    ECDH   RSA    AES-CBC(256)    SHA384

The fields above are:
{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}
Verification
Find the cipher using Chrome
- Launch Chrome.
- Enter the URL you want to test in the browser.
- Click the ellipsis located at the top right of the browser.
- Select More tools > Developer tools > Security.
- Look for the line “Connection…”. This will describe the version of TLS or SSL used.
Testing Using Free Online Services
https://hackertarget.com/ssl-check/
Since this is an Nginx service, here is the remediation configuration for this issue occurring on port 443.
server {
    listen 443 default_server ssl;  # Address this server listens on (required)
    # The wildcards are placeholders: substitute the real certificate and key file names
    ssl_certificate /usr/local/nginx/conf/ssl/*.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/*key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers sets the TLS 1.2 suites; with OpenSSL, TLS 1.3 suites are
    # configured separately, so the three TLS_* names here do not restrict them
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    # Return 403 Forbidden
    location / {
        return 403;
    }
}
server {
    listen 80 default;
    return 301 https://$host$request_uri;
}
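
Before rescanning, the same allowlist can be checked statically against every `ssl_ciphers` and `ssl_protocols` directive in an Nginx configuration. The script below is an added example, not part of the original post; the function name `audit_nginx_tls` and the sample configuration are constructed for illustration, and it inspects configuration text only, not what a live server negotiates.

```python
import re

# Allowlist taken from the page's recommended list, in the OpenSSL names nginx uses.
RECOMMENDED = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Matches uncommented directives only; a value may span several lines up to ';'.
DIRECTIVE = re.compile(r"^\s*(ssl_ciphers|ssl_protocols)\s+([^;#]+);", re.M)

def audit_nginx_tls(conf_text):
    """Return [(line_no, directive, token, reason)] for every non-compliant token."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        line_no = conf_text.count("\n", 0, m.start(1)) + 1
        name, value = m.group(1), m.group(2).strip().strip("'\"")
        if name == "ssl_protocols":
            for tok in value.split():
                if tok not in ALLOWED_PROTOCOLS:
                    findings.append((line_no, name, tok, "protocol outside TLSv1.2/TLSv1.3"))
            continue
        for tok in value.split(":"):
            tok = tok.strip()
            if not tok or tok[0] in "!-@" or tok in RECOMMENDED:
                continue  # exclusions and @ options enable no suite; allowlisted names pass
            # Heuristic: concrete suite names contain '-' and no '+'; anything else
            # (HIGH, ECDHE+AESGCM, ...) is an OpenSSL keyword that expands to many suites.
            concrete = "-" in tok and "+" not in tok
            reason = ("suite not in recommended list" if concrete
                      else "keyword expands to suites that cannot be checked by name")
            findings.append((line_no, name, tok, reason))
    return findings

# Constructed sample input (not from the page): a weak config containing the two
# CBC suites the scan reported, an old protocol, and a commented-out directive.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    # ssl_ciphers RC4-SHA;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:HIGH:!aNULL;
}
"""

if __name__ == "__main__":
    for line_no, directive, token, reason in audit_nginx_tls(SAMPLE_CONF):
        print(f"line {line_no}: {directive} {token}: {reason}")
```

An empty result means every named suite and protocol is on the allowlist; confirm the outcome with a rescan, since keyword entries and TLS 1.3 defaults depend on the OpenSSL build.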
References
- https://www.ssllabs.com/ssltest/