- SSL Medium Strength Cipher Suites Supported (SWEET32) [TOMCAT server]
- The remote host uses weak cipher encryption for communication.
- Where SWEET32 is also called 3DES / Birthday attack.
To verify use below OpenSSL command:
If the OpenSSL is connected to the host at SSL port & we received the response with the certificate then it's having weak cipher suites.
- openssl s_client -connect Hostname:443 -cipher ""DES:3DES"" -tls1_2
- openssl s_client -connect Hostname:443 -cipher ""DES:3DES"" -tls1_1
- openssl s_client -connect Hostname:443 -cipher ""DES:3DES"" -tls1
SSLCipherSuite having strong cipher enabled, and to disable/restrict weak cipher using !DES:!RC4:!3DES:!MD5:!PSK
File Name: ssl.conf / httpd-ssl.conf
**************************************************
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
**************************************************
Thanks 😊
No comments:
Post a Comment