SSL Allows the use of Weak Ciphers. (2024)

Environment

Novell Open Enterprise Server (OES)
Novell NetWare 6.5

Situation

SSL Allows the use of Weak Ciphers.
SSL Server Allows Cleartext Communication Vulnerability port 443/tcp over SSL
SSL Server Supports Weak Encryption Vulnerability port 443/tcp over SSL
SSL Server May Be Forced to Use Weak Encryption Vulnerability port 443/tcp over SSL
The Secure Sockets Layer (SSL) protocol allows for secure communication between a client and a server.

The client-server communication is generally encrypted using a symmetric cipher such as RC2, RC4, DES or 3DES.

Some implementations of SSL allow for weak cipher communication.

Technically, a NULL cipher is still encryption, but with a NULL key, so the various checks go through the exact same code path as the standard higher-strength encryption ciphers.
When the SSL session starts, the client (in most cases, a browser) sends the list of ciphers and compression algorithms it supports.
By default, this list does not include any NULL encryption ciphers.
However, some browsers allow you to configure them to send NULL encryption ciphers by default.

NOTE:

Some ways to verify whether a port allows weak ciphers. This is useful if detection software reports a false positive.

openssl s_client -connect <ipaddress:port> -ssl2 -state
EX: openssl s_client -connect 192.168.1.100:443 -ssl2 -state

openssl s_client -connect <ipaddress:port> -cipher LOW -state
EX: openssl s_client -connect 192.168.1.100:443 -cipher LOW -state
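As an added example (not part of the original TID), a Python wrapper around the openssl s_client check above that parses the handshake result and flags NULL, export-grade and single-DES ciphers; the sample s_client outputs are constructed, and the weak-cipher classification is an assumption.

```python
import re
import subprocess

# Constructed sample (not a real capture): what "openssl s_client -cipher LOW"
# prints when the server accepts a NULL cipher, abridged.
ACCEPTED_SAMPLE = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is NULL-MD5
SSL-Session:
    Cipher    : NULL-MD5
"""

# Constructed sample: the same probe against a server that refuses weak ciphers.
REJECTED_SAMPLE = """CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Cipher    : 0000
"""

def negotiated_cipher(s_client_output):
    """Return the cipher s_client negotiated, or None if the handshake failed."""
    m = re.search(r"Cipher\s*(?:is|:)\s*(\S+)", s_client_output)
    if m is None or m.group(1) in ("(NONE)", "0000"):
        return None
    return m.group(1)

def is_weak(cipher):
    """True for the cipher classes this article treats as weak: NULL (cleartext),
    export-grade, and single DES. The classification is an assumption."""
    name = cipher.upper()
    return ("NULL" in name or name.startswith("EXP-")
            or re.search(r"(?<!3)DES-CBC-", name) is not None)

def probe(host, port, cipher_spec="LOW", timeout=10.0):
    """Run the article's check (openssl s_client -cipher LOW) and report the result.
    Needs an openssl binary and network access; not executed here."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher_spec]
    out = subprocess.run(cmd, input="", capture_output=True, text=True,
                         timeout=timeout).stdout
    cipher = negotiated_cipher(out)
    return {"accepted": cipher is not None, "cipher": cipher,
            "weak": cipher is not None and is_weak(cipher)}

def classify_output(s_client_output):
    """Offline version of probe() for captured output: 'rejected', 'weak' or 'strong'."""
    cipher = negotiated_cipher(s_client_output)
    if cipher is None:
        return "rejected"
    return "weak" if is_weak(cipher) else "strong"
```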

Resolution

NILE.NLM has been modified so that strong ciphers are preferred over weak ciphers by default during SSL handshakes.


The updated version of NILE.NLM is available for download in NILE65SP5A.EXE.

Additional Information

Each of the vulnerabilities and their associated CVE numbers are listed below:


CVE-2006-0997 - SSL Server Allows Cleartext Communication Vulnerability port 443/tcp over SSL
CVE-2006-0998 - SSL Server Supports Weak Encryption Vulnerability port 443/tcp over SSL
CVE-2006-0999 - SSL Server May Be Forced to Use Weak Encryption Vulnerability port 443/tcp over SSL

To revert to allowing weak ciphers, it is necessary to modify SYS:\ETC\NILE.CFG and enter the following:
[WeakCrypto]
Enabled=Y|N

NOTE: After modifying the settings in the SYS:\ETC\NILE.CFG file it is necessary to restart the server to have the changes take effect.
SSL Digger by Foundstone was used to test this vulnerability.
For more information go to www.foundstone.com
Formerly known as TID# 10100633