GeoffSweet_3221 (Nimbostratus)
Jan 16, 2009
Disable Anonymous Authentication for SSL
I have followed a couple of posts around trying to figure out how to make this change but so far without any luck. I have a medium priority call in with F5, but I figured while I am waiting for my call back "within 8 hours" I might post this question here.
Recently we have been undergoing PCI Compliancy scans. One of the recurring issues that we have is:
------
SSL Server Allows Anonymous Authentication Vulnerability

"The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack."
------
Our BigIP device hosts our SSL certificates for the load balanced sites behind it. If the certificates were directly on our Apache servers, then turning off the anonymous authentication would be trivial. However, I have yet to find a solution with the BigIP. A setting? An iRule? Any help or advice would be greatly appreciated!
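The scanner finding above boils down to one question: does the cipher list the SSL endpoint offers contain any suite whose authentication is "None" (the anonymous DH and ECDH suites, `ADH-*` and `AECDH-*` in OpenSSL naming)? The following is an added example, not code from the post or from F5. It parses `openssl ciphers -v` style output (the sample lines are constructed here, not captured from any device), lists the suites that would trigger the finding, and shows how to append the standard OpenSSL exclusions (`!aNULL:!ADH:!AECDH`) to a cipher string. That the BIG-IP client SSL profile accepts OpenSSL-style cipher strings is an assumption for this example; check the documentation for your version before applying it.

```python
"""Flag anonymous (unauthenticated) cipher suites and harden a cipher string.

Added example. Input format follows `openssl ciphers -v`, e.g.
    ADH-AES128-SHA  SSLv3 Kx=DH  Au=None Enc=AES(128) Mac=SHA1
The Au= field is the authentication algorithm; "None" is what the PCI
scanner is complaining about.
"""
import re
from typing import List, NamedTuple

# Constructed sample of `openssl ciphers -v` output (not real device output).
SAMPLE_CIPHERS_V = """\
ADH-AES128-SHA              SSLv3   Kx=DH    Au=None Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA            TLSv1   Kx=ECDH  Au=None Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA   Au=RSA  Enc=AES(128)    Mac=SHA1
DHE-DSS-AES256-SHA          SSLv3   Kx=DH    Au=DSS  Enc=AES(256)    Mac=SHA1
"""

# One line of `openssl ciphers -v`: name, protocol, Kx=..., Au=...
_CIPHER_LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)")

# OpenSSL cipher-string terms that remove every unauthenticated suite.
# "!aNULL" alone is sufficient; "!ADH" and "!AECDH" are explicit belt-and-braces.
ANON_EXCLUSIONS = ("!aNULL", "!ADH", "!AECDH")


class CipherSuite(NamedTuple):
    name: str
    protocol: str
    kx: str    # key exchange: RSA, DH, ECDH, ...
    auth: str  # authentication: RSA, DSS, ECDSA, or None (anonymous)

    @property
    def anonymous(self) -> bool:
        return self.auth == "None"


def parse_ciphers_v(text: str) -> List[CipherSuite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _CIPHER_LINE.match(line.strip())
        if m:
            suites.append(CipherSuite(*m.groups()))
    return suites


def anonymous_suites(text: str) -> List[str]:
    """Names of suites the 'Anonymous Authentication' finding would report."""
    return [s.name for s in parse_ciphers_v(text) if s.anonymous]


def harden_cipher_string(spec: str) -> str:
    """Append the anonymous-suite exclusions to an OpenSSL cipher string.

    Terms already present are not duplicated; order of existing terms is kept.
    """
    terms = [t for t in spec.split(":") if t]
    for excl in ANON_EXCLUSIONS:
        if excl not in terms:
            terms.append(excl)
    return ":".join(terms)


if __name__ == "__main__":
    print("Anonymous suites offered:", anonymous_suites(SAMPLE_CIPHERS_V))
    print("Hardened cipher string:  ", harden_cipher_string("DEFAULT"))
```

After changing the profile, re-run the same check against the new `openssl ciphers -v` output for the configured string (or against the scanner's re-test) and confirm `anonymous_suites` returns an empty list.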