Back to search

TLS/SSL Server Supports Weak Cipher Algorithms

Severity CVSS Published Added Modified
6 (AV:N/AC:M/Au:N/C:P/I:P/A:N) January 01, 1996 February 12, 2009 December 04, 2013

Description

The TLS/SSL server supports cipher suites based on weak algorithms. This may enable an attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data. In general, the following ciphers are considered weak:

  • So called "null" ciphers, because they do not encrypt data.
  • Export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the word EXP/EXPORT in the name of the cipher suite.
  • Obsolete encryption algorithms with secret key lengths considered short by today's standards, eg. DES or RC4 with 56-bit keys.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

Solution

Disable SSL support for weak ciphers

Configure the server to disable support for weak ciphers.

For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling weak ciphers.

For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:

SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For other servers, refer to the respective vendor documentation to disable the weak ciphers