SSL Server Allows Anonymous Authentication Vulnerability

Question

Good morning,&nbsp;
Kindly note security scan from Qualys returned the following vulnarability "SSL Server Allows Anonymous Authentication Vulnerability" while I'm using an SSL client profile with non default cipher  only "TLSv1_2" is enabled.
Can somebody provide solution to close this vulnarability and disable null cipher.&nbsp;
Thanks in advance.&nbsp;
Best Regards,
Ralph El Habr&nbsp;

ashwin_venkat · Answer

That result from Qualys is pointing to the fact that you have anonymous cipher suites enabled, and with cipher string you're using, that is due to ADH being enabled.

You can disable it by appending ':!ADH' to your existing cipher string and I'd go one step further to also disable other weaker ones like RC4, DE &amp; 3DES.  Therefore, the following cipher string disables all those weaker ones:
  TLSv1_2:!ADH:!DES:!3DES:!RC4

Please let me know if you have any questions.

Forum Discussion

SSL Server Allows Anonymous Authentication Vulnerability

Recent Discussions

Default retry time inband monitor

how to monitor the axfr master response

Http / https health monitor issue

I used the wrong email account when take Application Delivery Exam (101)

F5 looses the token for the first call

Related Content

Anonymous DDOS Tools 2016

Dealing with DDoS threats by KillNet, Anonymous Sudan and REvil

Mitigating Apache Camel Vulnerability CVE-2025–27636 with F5 Products

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Phishing, Malware and Spyware Campaign, BRUTED Tool & CISA’s List Of Exploited Vulnerabilities

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS