Disable Weak Ciphers in Web Service

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Servie, RCC).
Post Reply
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Disable Weak Ciphers in Web Service

Post by xcentric »

Alex,

A recent scan targeted at the web service revealed the following weak ciphers. Is there a way to disable these?

SSLv3
TLS_RSA_WITH_DES_CBC_SHA - weak
TLS_RSA_WITH_IDEA_CBC_SHA - weak

TLSv1
TLS_RSA_WITH_DES_CBC_SHA - weak
TLS_RSA_WITH_IDEA_CBC_SHA - weak

Regards
Top
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:
Contact KS-Soft

Post by KS-Soft »

Probably we can add option... but is it necessary?
WebService does not provide full access to system anyway, it does not have access to test settings, passwords, etc, it just shows statistics.

Regards
Alex
Top
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Post by xcentric »

We are dealing with more respectable high profile clients and do not want to give them any room to question our security practices or conduct surprize audits on our services.

Aside from weak ciphers the web service reports other vulnerabilities we would like to see addressed.

https://www.ssllabs.com/ssltest/analyze ... Results=on

Regards
Top
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:
Contact KS-Soft

Post by KS-Soft »

Ok, we will add couple more options.
Aside from weak ciphers the web service reports other vulnerabilities we would like to see addressed.
https://www.ssllabs.com/ssltest/analyze ... Results=on
"see addressed"? Like option to disble SSL v2.0 and renegotiation?

Regards
Alex
Top
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Post by xcentric »

Correct.

1. Disable SSL v2.
2. Disable client initiated renegotiation.
3. Disable insecure renegotiation.
4. Prioritize RC4 to mitigate the BEAST attack. Practical mitigation requires that servers speak only RC4 when using TLS v1.0 or SSL v3.

With these options added any type of audit should pass.

Regards
Top
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Post by xcentric »

Hi Alex,

I appreciate you including this request within the 9.38 update.
However, I am unable to get it working.

1. I ugraded the installation using the installer.
2. Aded the changes to the misc secion of the webservice.ini
3. Restarted webservice.
4. Audi results in no changes made.

Please advise.

[Misc]
DisableDES=1
Disable3DES=1
DisableIDEA=1
DisableMD5=1
DisableSSLv2=1
DisableExport40=1
Top
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:
Contact KS-Soft

Post by KS-Soft »

Could you check version of Web Service or file size?

Regards
Alex
Top
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am
Contact:
Contact KS-Soft Europe

Post by KS-Soft Europe »

Please, use [SSL] section of webservice.ini instead of [Misc].
Do not forget to restert Web Service after making changes.
Top
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Post by xcentric »

Using the ssl section was the answer.
The release notes read to use the misc section instead.

Some observations.
1. While there are no ciphers enabled for sslv2, it is still enabled.
2. Disabling ciphers and prioritizing rc4 on top is a start however the other vulnerabilities still exist such as non secure and client initiated renegotiation.
3. Even though rc4 sha is on top, the beast vulnerability still exists.

Regards
Top
Post Reply

Return to “Configuration, Maintenance, Troubleshooting”