
SSL Anonymous Cipher Suites Supported

Posted: Thu Jan 05, 2012 3:46 pm
by PastorOfMuppets
Nessus reported the following threat from Zimbra. Does anyone know how to correct?
Thanks.
Summary:

SSL Anonymous Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 465
Protocol: TCP
Threat ID: 131705

Information From Target:

The remote server supports the following anonymous SSL ciphers :
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Solution:

Reconfigure the affected application if possible to avoid use of weak ciphers.

Details:
The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.
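
Added example (not part of the original post and not Nessus code): a small parser for the report's field layout that de-duplicates the listed suites and picks out the ones with `Au=None`. The `Suite` type, the function names and the trailing `export` token are assumptions; the sample lines are taken from the report above, plus one constructed authenticated suite for contrast.

```python
import re
from typing import NamedTuple

class Suite(NamedTuple):
    name: str      # {OpenSSL ciphername}, may be "n/a"
    kx: str        # key exchange
    au: str        # authentication ("None" for anonymous suites)
    enc: str       # symmetric algorithm
    bits: int      # key size from Enc=ALG(bits)
    mac: str       # message authentication code
    export: bool   # assumed to appear as a trailing "export" token

LINE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?:\s+(?P<export>export))?\s*$"
)

def parse_report(text):
    """Return the unique suites in a report, in first-seen order."""
    seen, suites = set(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headings, blank lines and prose are skipped
        s = Suite(m["name"], m["kx"], m["au"], m["enc"],
                  int(m["bits"]), m["mac"], m["export"] is not None)
        if s not in seen:  # the report repeats some suites
            seen.add(s)
            suites.append(s)
    return suites

def anonymous(suites):
    """Suites whose Au field is None: the peer's identity is never verified."""
    return [s for s in suites if s.au.lower() == "none"]

# Constructed sample: report lines from the post, last line added for contrast.
SAMPLE = """\
The remote server supports the following anonymous SSL ciphers :
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""

if __name__ == "__main__":
    for s in anonymous(parse_report(SAMPLE)):
        print(f"{s.name:20} Kx={s.kx} Enc={s.enc}({s.bits}) Mac={s.mac}")
```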

SSL Anonymous Cipher Suites Supported

Posted: Sun Jun 09, 2013 11:45 pm
by yasanthau
I also have the same issue.

SSL Anonymous Cipher Suites Supported

Posted: Mon Jun 10, 2013 11:14 am
by quanah
This is a bogus report. I suggest you contact Nessus and ask them to fix their software. This does not affect SMTP/SMTPS (which is what port 465 is).