SSL Anonymous Cipher Suites Supported

PastorOfMuppets
Posts: 4
Joined: Sat Sep 13, 2014 2:23 am

SSL Anonymous Cipher Suites Supported

Post by PastorOfMuppets »

Nessus reported the following threat from Zimbra. Does anyone know how to correct this?
Thanks.
Summary:
SSL Anonymous Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 465
Protocol: TCP
Threat ID: 131705

Information From Target:
The remote server supports the following anonymous SSL ciphers :
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.

Details:
The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.
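As an added example (not code from the original post, from Nessus, from Postfix or from Zimbra): a small Python script that parses cipher lines in the format the plugin prints above, tags each suite that offers no server authentication (Au=None) or a weak cipher/MAC, derives the OpenSSL cipher-list aliases that remove those classes, and emits the corresponding Postfix smtpd_tls_exclude_ciphers line (Zimbra's port 465 listener is Postfix) together with an openssl s_client command for re-checking the port. The sample lines are constructed by copying the report in the post, the hostname mail.example.com is made up, and the Postfix parameter and openssl flags are real; the Zimbra-side attribute that carries this Postfix setting (to my knowledge zimbraMtaSmtpdTlsExcludeCiphers in recent releases) is an assumption and should be confirmed against your version's zmprov attributes rather than editing main.cf by hand.

```python
"""Triage a Nessus 'SSL Anonymous Cipher Suites Supported' listing and derive
the Postfix/OpenSSL remediation.  Added example; not Nessus, Postfix or Zimbra code."""
import re
import shlex

# Constructed sample input: the cipher lines as quoted in the post above
# (Nessus repeats a suite once per protocol version it negotiated, and printed
# "n/a" where it could not map the SEED suite to an OpenSSL name).
NESSUS_OUTPUT = """\
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1
"""

# One line of plugin output: name, then Kx=/Au=/Enc=/Mac= fields, then an
# optional trailing "export" flag (the field key in the report lists it last).
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?:\s+(?P<export>export))?\s*$"
)


def parse_nessus_ciphers(text):
    """Return the distinct suites as dicts; lines that are not cipher records are skipped."""
    suites, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["export"] = rec["export"] is not None
        key = tuple(rec.items())
        if key not in seen:  # collapse the per-protocol repeats
            seen.add(key)
            suites.append(rec)
    return suites


def classify(suite):
    """Tags explaining why a suite is objectionable; an empty list means no finding."""
    tags = []
    if suite["au"] == "None":  # no server authentication at all: any active MitM can impersonate
        tags.append("anonymous")
    if suite["enc"].startswith("RC4"):
        tags.append("weak-enc-rc4")
    if suite["enc"].startswith("3DES"):
        tags.append("weak-enc-3des")
    if suite["enc"].startswith("DES"):
        tags.append("weak-enc-des")
    if suite["mac"] == "MD5":
        tags.append("weak-mac-md5")
    if suite["export"]:
        tags.append("export-grade")
    return tags


# OpenSSL cipher-list aliases that remove each class of suite; these are the
# aliases Postfix accepts in smtpd_tls_exclude_ciphers.
ALIAS_FOR_TAG = {
    "anonymous": "aNULL",
    "weak-enc-rc4": "RC4",
    "weak-enc-3des": "3DES",
    "weak-enc-des": "DES",
    "weak-mac-md5": "MD5",
    "export-grade": "EXPORT",
}


def exclude_aliases(suites):
    """Ordered, de-duplicated alias list covering every flagged suite."""
    aliases = []
    for s in suites:
        for tag in classify(s):
            alias = ALIAS_FOR_TAG[tag]
            if alias not in aliases:
                aliases.append(alias)
    return aliases


def postfix_setting(suites):
    """main.cf line (or a master.cf '-o' override on the smtps service) dropping the flagged suites."""
    return "smtpd_tls_exclude_ciphers = " + ", ".join(exclude_aliases(suites))


def verify_command(host, port):
    """openssl(1) invocation that offers only anonymous suites.  A completed handshake
    (a 'Cipher is ADH-...' line) confirms the finding; 'handshake failure' means it is fixed.
    -tls1_2 pins the version so a TLS 1.3 handshake cannot mask the result."""
    return shlex.join(["openssl", "s_client", "-connect", f"{host}:{port}",
                       "-tls1_2", "-cipher", "aNULL"])


if __name__ == "__main__":
    found = parse_nessus_ciphers(NESSUS_OUTPUT)
    for s in found:
        print(f"{s['name']:<22} {', '.join(classify(s)) or 'ok'}")
    print(postfix_setting(found))
    print("verify with:", verify_command("mail.example.com", 465))  # constructed hostname
```

Two caveats for the practitioner. An attacker can only force an anonymous suite onto a connection whose client itself offers one, and stock mail clients connecting to a submission port do not, so the practical exposure here is low; excluding aNULL still costs nothing and clears the finding. The broader exclusions (RC4, 3DES, MD5) are appropriate on port 465, but on port 25, where peers use opportunistic TLS and an old peer that cannot agree on a suite falls back to cleartext, keep the exclusion to aNULL or scope the stricter list to the smtps service with a `-o smtpd_tls_exclude_ciphers=...` override in master.cf. If a modern openssl refuses to run the check with "no cipher match", append `:@SECLEVEL=0` to the -cipher string so the client is allowed to offer the suites at all.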
yasanthau
Posts: 57
Joined: Sat Sep 13, 2014 12:52 am

Post by yasanthau »

I also have the same issue.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Post by quanah »

This is a bogus report. I suggest you contact Nessus and ask them to fix their software. This does not affect SMTP/SMTPS (which is what port 465 is).
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/