SSL Anonymous Cipher Suites Supported
The remote host supports the use of SSL/TLS ciphers that offer no authentication at all.
Solution:
Reconfigure the affected application, if possible, to avoid the use of anonymous ciphers.
openssl ciphers -v
ssl-disable-anon-ciphers
What is the proper solution for the affected load balancer (HAProxy on a Linux server)?
- Andrew-F5Employee
Your configuration might be dependent on your current client/server cipher configuration and software version, so I'll speak more generally about the changes that need to be made; see the linked articles for more specific details. It's worth noting that none of our 'DEFAULT' cipher strings on v11.x - v14.x allow ADH. Also, if you are not terminating SSL at the F5 then this would not be an issue at your F5.
See the openssl link below and search for 'Anonymous' to see what ciphers allow anonymous.
I would recommend first navigating to the SSL profile applied to your virtual server and grabbing the cipher string listed there, then connecting to your F5 via SSH and using the cipher test command below to see what your current ciphers are.
Does your report list specific ciphers it found?
ADH is a common one and can be removed by appending ':!ADH' to your current cipher string.
== Test Ciphers ==
# tmm --clientciphers 'DEFAULT:!ADH'
K13171: Configuring the cipher strength for SSL profiles (11.x)
K17370: Configuring the cipher strength for SSL profiles (12.x - 13.x)
K01770517: Configuring the cipher strength for SSL profiles (14.x)
https://www.openssl.org/docs/manmaster/man1/ciphers.html
K13156: SSL ciphers used in the default SSL profiles (11.x - 13.x)
K54125331: SSL ciphers used in the default SSL profiles (14.x)
- wazirAltostratus
Output of the command: openssl ciphers -v 'ADH:@STRENGTH'
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
It's the load balancer and not any backend servers; it's a test LB, so it's not used for anything except testing configs.
1.) Do I need to add the anonymous cipher disable code to the above line of the HAProxy server config at /etc/haproxy/haproxy.cfg?
2.) Do I need to add ('DEFAULT:!ADH') to the above ssl-default-bind-ciphers?
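The two checks the thread circles around (read the Au column of openssl ciphers -v output, and find out whether a given cipher string such as the posted ssl-default-bind-ciphers value admits any anonymous suite) as an added example. This is not code from the thread, from HAProxy or from F5. It assumes Python's ssl module is linked against OpenSSL (1.1.0 or later for the @SECLEVEL keyword); the sample ciphers -v lines are constructed from the posted output plus one authenticated suite so the filter has something to reject.

```python
"""Find anonymous (Au=None) suites in OpenSSL cipher strings and `ciphers -v` output.

Added example, not code from the thread. Two independent checks:
  1. parse_verbose()/anonymous_in_verbose(): read `openssl ciphers -v` text and
     flag suites whose Au field is None, i.e. no server authentication.
  2. anonymous_suites(): hand a cipher string (e.g. HAProxy's
     ssl-default-bind-ciphers value) to Python's ssl module, which uses the same
     OpenSSL cipher-list parser as `openssl ciphers` and HAProxy, and report which
     selected suites are anonymous.
"""
import ssl

# Constructed sample: four lines from the `openssl ciphers -v 'ADH:@STRENGTH'`
# output posted in the thread plus one authenticated suite.
VERBOSE_OUTPUT = """\
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
"""

# The ssl-default-bind-ciphers value from the thread's haproxy.cfg.
HAPROXY_BIND_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA"
)


def parse_verbose(text):
    """Parse `openssl ciphers -v` lines into dicts with name, proto, Kx, Au, Enc, Mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or truncated line
        suite = {"name": parts[0], "proto": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            suite[key] = value
        suites.append(suite)
    return suites


def anonymous_in_verbose(text):
    """Names of suites in `ciphers -v` output that offer no authentication (Au=None)."""
    return [s["name"] for s in parse_verbose(text) if s.get("Au") == "None"]


def expand(cipher_string):
    """Suites OpenSSL selects for cipher_string; [] if nothing matches.

    At OpenSSL's default security level (1 or higher) anonymous suites are
    refused outright, so a string such as 'ADH' alone raises. Appending
    '@SECLEVEL=0' (OpenSSL 1.1.0+) lets them through, which is how to see what a
    server that still allows them could negotiate. OpenSSL 1.1.1+ also lists the
    TLS 1.3 suites here regardless of the string; those are authenticated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def is_anonymous(cipher):
    """True when a suite from get_ciphers() has no server authentication (Au=None)."""
    # 'auth-null' is OpenSSL's long name for the null authentication method; the
    # name prefix is a fallback in case a build labels it differently.
    return cipher.get("auth") == "auth-null" or cipher["name"].startswith(("ADH-", "AECDH-"))


def anonymous_suites(cipher_string):
    """Anonymous suites a server configured with cipher_string would offer."""
    return [c["name"] for c in expand(cipher_string) if is_anonymous(c)]


if __name__ == "__main__":
    print("Au=None in sample output:", anonymous_in_verbose(VERBOSE_OUTPUT))
    for s in (HAPROXY_BIND_CIPHERS, "DEFAULT", "ALL:@SECLEVEL=0", "ALL:!aNULL:@SECLEVEL=0"):
        print(f"{s[:38]:40} anonymous: {anonymous_suites(s)}")
```

The posted ssl-default-bind-ciphers value selects no anonymous suite, so on that string alone there is nothing to remove; a scanner finding on that host must come from a listener not governed by the default (a bind line with its own ciphers option, or a different service on the box). To confirm against a running listener, openssl s_client -connect host:443 -tls1_2 -cipher 'aNULL:@SECLEVEL=0' should fail to handshake (the -tls1_2 matters: otherwise a TLS 1.3 server negotiates an authenticated TLS 1.3 suite and the test passes for the wrong reason). If the belt-and-braces change the question asks about is still wanted, append :!aNULL rather than :!ADH to the ssl-default-bind-ciphers value in /etc/haproxy/haproxy.cfg and reload: aNULL excludes both anonymous DH and anonymous ECDH, whereas ADH excludes only the DH ones.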
- Andrew-F5Employee
I realized you noted HAProxy, which is typically leveraged by NGINX, but my entire reply above was in regards to the F5 LTM Client SSL profile.
Admittedly I'm not super familiar with HAProxy, but I'll try to do some research and circle back here some time.
I assume this is some pen testing tool giving you the result you noted? If so, does it specify what port/protocol/service it's connecting to?
Given the ssl-default-bind-ciphers, I would be surprised if that were it, as there do not appear to be any anonymous ciphers in it.