Forum Discussion
RayThomsen_7557
Nimbostratus
Jan 13, 2015
SSL Profile cipher elimination
A customer reported having used a Nessus scan to detect "vulnerable" ciphers being allowed on their virtual. They requested I restrict these ciphers:
EXP-DES-CBC-SHA; EXP-RC2-CBC-MD5; EXP-RC4-M...
RayThomsen_7557
Nimbostratus
Jan 13, 2015
It looks like I can get DES-CBC-SHA and EXP-DES-CBC-SHA by excluding the DES group:
tmm --clientciphers DES
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 9 DES-CBC-SHA 64 SSL3 Native DES SHA RSA
1: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
2: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA
3: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA
4: 98 EXP1024-DES-CBC-SHA 56 SSL3 Native DES SHA RSA
5: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA
6: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA
7: 8 EXP-DES-CBC-SHA 40 SSL3 Native DES SHA RSA
8: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
9: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 SSL3 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
12: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
13: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
And the RC4-MD5 and EXP-RC4-MD5 by excluding the MD5 group:
tmm --clientciphers MD5
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
1: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
2: 4 RC4-MD5 128 TLS1.1 Native RC4 MD5 RSA
3: 4 RC4-MD5 128 TLS1.2 Native RC4 MD5 RSA
4: 3 EXP-RC4-MD5 40 SSL3 Native RC4 MD5 RSA
5: 3 EXP-RC4-MD5 40 TLS1 Native RC4 MD5 RSA
And the cipher field took the exclusion of RC4-SHA, so all that's left is to figure out how to exclude EXP-RC2-CBC-MD5.
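Added example, not part of the original thread: one way to confirm the effect of an exclusion is to parse the `tmm --clientciphers` table, in the layout shown above, and list which flagged suites are still present. The sample output and the function names are constructed for illustration, and the check assumes that a suite missing from the output is not enabled by the cipher string that was tested.

```python
import re
from collections import defaultdict

# Row layout as printed in the post:
# <index>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIELDS = ("id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")

# Suite names taken from the thread.
FLAGGED = {"DES-CBC-SHA", "EXP-DES-CBC-SHA", "RC4-MD5", "EXP-RC4-MD5",
           "RC4-SHA", "EXP-RC2-CBC-MD5"}

# Constructed sample output (not captured from a real device).
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
2: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
3: 8 EXP-DES-CBC-SHA 40 SSL3 Native DES SHA RSA
4: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
5: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA
"""

def parse_clientciphers(text):
    """Turn the table into dicts, skipping the header and any non-row line."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = dict(zip(FIELDS, m.groups()))
            row["id"], row["bits"] = int(row["id"]), int(row["bits"])
            rows.append(row)
    return rows

def still_offered(rows, flagged=FLAGGED, min_bits=128):
    """Map each weak suite still listed to the protocols it is listed under.
    Weak = named in `flagged`, export-grade (EXP prefix), or under min_bits."""
    hits = defaultdict(set)
    for r in rows:
        if r["suite"] in flagged or r["suite"].startswith("EXP") or r["bits"] < min_bits:
            hits[r["suite"]].add(r["prot"])
    return {suite: sorted(prots) for suite, prots in hits.items()}

def not_listed(rows, flagged=FLAGGED):
    """Flagged names absent from the output of the cipher string tested."""
    return sorted(flagged - {r["suite"] for r in rows})

if __name__ == "__main__":
    rows = parse_clientciphers(SAMPLE)
    for suite, prots in still_offered(rows).items():
        print(f"still offered: {suite} ({', '.join(prots)})")
    print("not listed:", ", ".join(not_listed(rows)))
```

Feed it the saved output of `tmm --clientciphers` for the exact string configured on the profile; the `min_bits` threshold also catches weak suites such as `EXP1024-DES-CBC-SHA` that are not in the flagged list by name.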