Disable Anonymous Authentication for SSL
My PCI scan also caught this vulnerability:
SSL Server Allows Anonymous Authentication Vulnerability
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack.
I changed the ciphers as follows, which solved the problem:
OLD cipher: NATIVE:!SSLv3:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:@SPEED
NEW cipher: NATIVE:!SSLv3:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!AES-GCM:@SPEED
The following website also lets you know whether it has been disabled or not:
https://dev.ssllabs.com/ssltest/
More reading: https://security.stackexchange.com/questions/113535/what-are-the-use-cases-for-anonymous-ssl-cipher-suites
Thanks, mS
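As an added check that is not part of the post above and not an F5 tool, the following Python 3 script (standard library only) reproduces locally what the PCI scanner and the SSL Labs test report: it builds a client context that can offer nothing but anonymous (aNULL) cipher suites and sees whether your own server completes the handshake. The function names, the "aNULL:@SECLEVEL=0" cipher string, and the SAMPLE_CIPHERS list are my own constructions; the "auth-null" value is what Python's SSLContext.get_ciphers() reports for suites with no server authentication. Run it against the virtual server you changed before requesting a rescan; a refused handshake is the result you want.

```python
import socket
import ssl

# OpenSSL cipher string that selects only suites with no server authentication
# (ADH-* and AECDH-*). "@SECLEVEL=0" is needed because OpenSSL >= 1.1.0 refuses
# anonymous suites at its default security level, even for a deliberate test.
# (Assumed, constructed for this example.)
ANON_ONLY = "aNULL:@SECLEVEL=0"


def anonymous_suite_names(cipher_dicts):
    """Return the names of suites whose authentication algorithm is 'none'.

    Input is a list of dicts in the shape SSLContext.get_ciphers() returns;
    the 'auth' key is 'auth-null' for anonymous key exchange.
    """
    return [c["name"] for c in cipher_dicts if c.get("auth") == "auth-null"]


def anonymous_client_context():
    """Build a TLS client context that can ONLY negotiate anonymous suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # there is no certificate to check
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 has no anonymous suites
    ctx.set_ciphers(ANON_ONLY)                     # ssl.SSLError if the build has none
    return ctx


def local_anonymous_suites():
    """List the anonymous suites the local OpenSSL can offer (empty if none)."""
    try:
        return anonymous_suite_names(anonymous_client_context().get_ciphers())
    except ssl.SSLError:
        return []


def probe_anonymous_handshake(host, port=443, timeout=5.0):
    """Offer only anonymous suites to host:port.

    Returns the negotiated cipher name if the server accepted one (the
    condition the PCI scanner flags), or None if the handshake was refused.
    Network errors (refused connection, timeout) propagate as OSError.
    """
    ctx = anonymous_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        # Handshake failure: no anonymous suite in common, which is the safe outcome.
        return None


# Constructed sample in the shape get_ciphers() returns, so the classifier
# can be exercised offline without depending on the local OpenSSL build.
SAMPLE_CIPHERS = [
    {"name": "ADH-AES128-SHA", "auth": "auth-null", "kea": "kx-dhe"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "auth": "auth-rsa", "kea": "kx-ecdhe"},
    {"name": "AECDH-AES128-SHA", "auth": "auth-null", "kea": "kx-ecdhe"},
]

if __name__ == "__main__":
    import sys

    print("sample anonymous suites:", anonymous_suite_names(SAMPLE_CIPHERS))
    print("local OpenSSL anonymous suites:", local_anonymous_suites())
    if len(sys.argv) > 1:
        target = sys.argv[1]
        negotiated = probe_anonymous_handshake(target)
        if negotiated:
            print(f"{target} ACCEPTED anonymous suite {negotiated}: finding still present")
        else:
            print(f"{target} refused anonymous suites: finding resolved")
```

Usage: python3 anon_check.py your.virtual.server.example. The probe is limited to TLS 1.2 and below on purpose; anonymous key exchange does not exist in TLS 1.3, so a server that only speaks 1.3 will always refuse, and a server that still accepts an ADH/AECDH suite on 1.2 is exactly what the scanner text describes as open to a man-in-the-middle.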